OSX10

Q: OSX rejects correct password on boot (but nowhere else)

Hello all,

We've recently updated several Early2008 MBPs (Snow Leopard) to Late2013 MBPs (Mavericks).  With these new machines, OSX intermittently (more than 90% of the time) rejects correct login passwords from cold boot (when unlocking FileVault2 images), but nowhere else. 


OSX never rejects passwords when:

-waking from sleep.

-authenticating in OSX environment

-unlocking FileVault2 images from warm boot (restart, from either Windows or MacOS)

-administrator password is shorter than 17 characters (machines only exhibit this issue if passwords are 17 characters or longer; we can shorten our passwords and then the issue goes away, but comes right back if we make the passwords longer).

-Password length does not matter when cold boot logging in as a standard user account (not an administrator).

 

Typical machine details:

-Updated from 10.6.8 to 10.9.x, then to 10.9.4.  Note: we cannot upgrade to 10.9.5 until it is verified by our certification lab.

-Using FileVault 2. 

-Migration Assistant was NOT used.  Relevant files were copied over.  Fresh install from Apple. 

-Passwords are alphanumeric only, with numbers, capital and lowercase letters.

-OSX Server is not used in our environment.  Run of the mill Mavericks.

-Key repeat rate set to 'fast' (only set when in userland).  Delay until repeat is 'short'

-firmware lock enabled (note: issue still persists when disabled)

 

Example:

0. Machine is off.

1. On first boot, admin attempts to log in and 24 digit password is repeatedly rejected.  It does not matter how slowly password is entered.

Note: It is difficult to verify password length after the first 16-20 digits, as the GUI is only wide enough to display that many (?) characters.  Arrow keys are used to verify password length.

2. After successfully logging in, admin successfully enters password on first try numerous times throughout workflow. 

3. Admin restarts (warm boot) and successfully enters password on first try (every time).

4. Repeat

 

Workaround:

A. Create a dummy standard user account with 20 character password.

B. On cold boot, log in as standard user.

C. Log out and then log back in as admin user.

 

Unacceptable workarounds:

-Use admin password less than 16 characters (company policy requires 20 characters or more for admin accounts).

 

Questions:

-Does the computer time need to be correct to successfully unlock a FileVault2 image?

-Do these new MBPs not have a persistent time tracking device (like the old ones)?  Our machines often have the incorrect time until they can sync with time.apple.com

-What is different about warm versus cold FileVault2 booting?

-Has anyone else seen this behavior?

MacBook Pro with Retina display, OS X Mavericks (10.9.4), FileVault2 and firmware lock.

Posted on Sep 25, 2014 2:42 PM


  • by Linc Davis,

    Sep 25, 2014 6:15 PM in response to OSX10
    Level 10 (207,926 points)

    So you have no trouble with 20 characters, but you do with 24? Are any of those special characters, such as accented letters? Have you tried changing the password temporarily to a simpler one to test?

  • by OSX10,

    Sep 29, 2014 3:29 PM in response to Linc Davis
    Level 1 (0 points)

    OSX never rejects passwords when administrator password is shorter than 17 characters (machines only exhibit this issue if passwords are 17 characters or longer; we can shorten our passwords and then the issue goes away, but comes right back if we make the passwords longer).


    -Passwords are alphanumeric only, with numbers, capital and lowercase letters.  We've tried several different passwords and the behavior persists as long as the above criteria are met.

  • by Linc Davis,

    Oct 1, 2014 8:07 AM in response to OSX10
    Level 10 (207,926 points)

    I've seen no other reports like yours and I can't reproduce the behavior myself. I suggest you disable FileVault on one of the machines and then re-enable it with a long password.

  • by OSX10,

    Oct 1, 2014 11:23 AM in response to Linc Davis
    Level 1 (0 points)

    Thanks for your comments.  I imagine this issue hasn't been reported because:

    -most people don't use FileVault

    -most people don't use passwords longer than 16 characters

    -most people assume they're just not entering their password correctly*

     

    I, too, haven't seen any other reports of this behavior.  We've disabled and reenabled FileVault2 on multiple machines without resolving the issue.

     

    *This is going to date me a bit, but as a troubleshooting step, we typed the password '37fhGBdh6UniqueGalaxy7' onto a USB-connected AlphaSmart 2000 (with key type speed set to 'Very Slow').  We then created a new admin user account on a sterile machine and used the AlphaSmart to enter the password.  We then performed several tasks that require admin password and verified that the AlphaSmart reliably enters the password once logged in.  However, we still see the same behavior only during cold boot... the password is 'incorrect' a majority of the time.

     

    I'll keep trying to isolate this issue, but I imagine it's similar to the bug in earlier OS versions where only the first 8 (and later, 16) digits are handled properly.

  • by Linc Davis, Helpful

    Oct 1, 2014 12:00 PM in response to OSX10
    Level 10 (207,926 points)

    -most people don't use FileVault

    -most people don't use passwords longer than 16 characters

    I do both. I can't reproduce the problem. Only Apple Engineering could tell you more.

  • by OSX10,

    Oct 1, 2014 8:00 PM in response to Linc Davis
    Level 1 (0 points)

    I certainly thank you for your help!

    If you don't mind elaborating on your reproduction setup, what hardware are you using?

    I suspect this is an issue with incorrect system time, hence my initial questions in post 1:

    -Does the computer time need to be correct to successfully unlock a FileVault2 image?

    -Do these new MBPs not have a persistent time tracking device (like the old ones)?  Our machines often have the incorrect time until they can sync with time.apple.com

    -What is different about warm versus cold FileVault2 booting?

     

    Any Apple software engineers trolling the forum care to elaborate?

  • by Linc Davis,

    Oct 1, 2014 8:16 PM in response to OSX10
    Level 10 (207,926 points)

    what hardware are you using

    Various.

    -Does the computer time need to be correct to successfully unlock a FileVault2 image?

    I suppose it might if you use an institutional recovery key, as described in the fdesetup(8) man page. The X.509 key would have to be within its valid date range. But I don't see how that would explain anything, even if you use such a key.

     

    I have no other insight into your problem. The internals of FileVault and CoreStorage are undocumented and unknown outside Apple.

  • by OSX10,

    Oct 1, 2014 8:47 PM in response to Linc Davis
    Level 1 (0 points)

    No institutional key is set... standard user OSX install.

    I'll have to see if our policy allows for a script to call:

    sudo fdesetup authrestart

     

    ...probably not, as this defeats the purpose of using FileVault in the first place... Apple is smart to not allow an equivalent authshutdown option.

  • by OSX10,

    Oct 22, 2014 11:22 AM in response to OSX10
    Level 1 (0 points)

    Update: I've noted the following over the past few weeks:

    -This incorrect password issue is certainly related to input speed.

    -Even at the slowest speed, the AlphaSmart still sends characters too quickly for the bootloader to handle.

    -No idea why the FileVault bootloader has issues when cold booting, but not warm booting.

    -No idea why this issue does not present at any input speed for shorter passwords.  I doubt I'm overflowing a buffer.

     

    Workaround for now:

    -Enter password at slower than 4 characters per second.  Thus, it takes about 6 seconds to enter a 24 character password, which is slow in my book, but the login success rate is 100% as long as I remember to type slowly.

     

    Note: Before you dismiss this as a PEBCAK issue, I'll reiterate that except for cold boot password entry, my correct password entry percentage at my normal typing speed is nearly 100%.  In other words, I'm not entering the password wrong 90%+ of the time during cold boot.

  • by BrandonHorn,

    Nov 26, 2014 10:58 AM in response to OSX10
    Level 1 (0 points)

    I have the exact same issue on Yosemite. I have FileVault2 enabled. I have a long password. It rejects the password the first time I type it but not the second.

  • by BrandonHorn,

    Dec 6, 2014 10:55 AM in response to BrandonHorn
    Level 1 (0 points)

    Interestingly, this issue occurs only on my 2013 Mac Pro (wired keyboard). My 2012 MacBook Air has Yosemite and a password of similar length and it does not have the issue.

  • by BrandonHorn,

    Apr 23, 2015 12:34 PM in response to BrandonHorn
    Level 1 (0 points)

    Additional information:

     

    The password field appears to be ignoring a single character early in the process of entering a password. By watching the password field I can see which character is ignored. The specific character ignored varies.

     

    I'm no longer sure that the issue is related to speed. I can enter my password as quickly as ever as long as I watch the password field and retype the ignored character.

     

    This observation is from 10.10.3. I don't know if the behavior was the same on older versions (I never noticed it previously).

  • by BrandonHorn,

    Oct 3, 2015 3:35 PM in response to OSX10
    Level 1 (0 points)

    This appears to have been fixed in El Capitan. Yay.

  • by deborahashland,

    Apr 15, 2016 3:11 PM in response to OSX10
    Level 1 (4 points)

    Running El Capitan and suddenly my admin password isn't accepted. To the best of my memory I haven't changed it, and have been using it for 4 years (OK, I know that's probably a bad idea.) The last time I shut my computer down and opened it up again, that was fine, but I have just been putting it to Sleep for weeks: now I'm afraid to shut it down.

     

    Now trying to update Java, or even change my password to my iCloud password, and it keeps saying "incorrect password." When it DOES show a hint, it's the hint for the password I know and am using.

     

    Thoughts?