Q: OSX rejects correct password on boot (but nowhere else)
Hello all,
We've recently updated several Early2008 MBPs (Snow Leopard) to Late2013 MBPs (Mavericks). With these new machines, OSX intermittently (more than 90% of the time) rejects correct login passwords from cold boot (when unlocking FileVault2 images), but nowhere else.
OSX never rejects passwords when:
-waking from sleep.
-authenticating in OSX environment
-unlocking FileVault2 images from warm boot (restart, from either Windows or MacOS)
-administrator password is shorter than 17 characters (machines only exhibit this issue if passwords are 17 characters or longer; we can shorten our passwords and then the issue goes away, but comes right back if we make the passwords longer).
-Password length does not matter when cold boot logging in as a standard user account (not an administrator).
Typical machine details:
-Updated from 10.6.8 to 10.9.x, then to 10.9.4. Note: we cannot upgrade to 10.9.5 until it is verified by our certification lab.
-Using FileVault 2.
-Migration Assistant was NOT used. Relevant files were copied over. Fresh install from Apple.
-Passwords are alphanumeric only, with numbers, capital and lowercase letters.
-OSX Server is not used in our environment. Run of the mill Mavericks.
-Key repeat rate set to 'fast' (only set when in userland). Delay until repeat is 'short'
-firmware lock enabled (note: issue still persists when disabled)
Example:
0. Machine is off.
1. On first boot, admin attempts to log in and 24 digit password is repeatedly rejected. It does not matter how slowly password is entered.
Note: It is difficult to verify password length after the first 16-20 digits, as the GUI is only wide enough to display that many (?) characters. Arrow keys are used to verify password length.
2. After successfully logging in, admin successfully enters password on first try numerous times throughout workflow.
3. Admin restarts (warm boot) and successfully enters password on first try (every time).
4. Repeat
Workaround:
A. Create a dummy standard user account with 20 character password.
B. On cold boot, log in as standard user.
C. Log out and then log back in as admin user.
Unacceptable workarounds:
-Use admin password less than 16 characters (company policy requires 20 characters or more for admin accounts).
Questions:
-Does the computer time need to be correct to successfully unlock a FileVault2 image?
-Do these new MBPs not have a persistent time tracking device (like the old ones)? Our machines often have the incorrect time until they can sync with time.apple.com
-What is different about warm versus cold FileVault2 booting?
-Has anyone else seen this behavior?
MacBook Pro with Retina display, OS X Mavericks (10.9.4), FileVault2 and firmware lock.
Posted on Sep 25, 2014 2:42 PM