Disable MacOS Password Change via Terminal?

Question

Level 1

42 points

Disable MacOS Password Change via Terminal?

Is there a way to disable the ability to change a macOS password using the Terminal window as part of putting the Mac in ‘Recovery’ mode?

This is a “frightening” capability, because it allows “anyone” (who knows how to do this) to break into any Mac! All someone would need to do is use this ‘feature’ to change the password (on any Mac), then just log in using the new password they created!

Granted, Keychain information may be disabled, but it still allows someone to see all of the contents (for the affected user account) on the computer - even if the ‘legitimate’ user has turned on FileVault.

For those people that want to put more confidential / personal information on their Mac, this is a huge risk.

MacBook Pro 15″, macOS 14.0

Posted on Jun 11, 2023 6:51 PM

Reply

Answer 1

Best reply

dialabrain

Level 10

122,759 points

Jun 11, 2023 7:06 PM in response to rckingsley

You can set a firmware password. Then no one, including yourself can log in or start Recovery Mode without knowing it.

Use macOS Recovery on an Intel-based Mac - Apple Support

Use macOS Recovery on a Mac with Apple silicon - Apple Support

Reply

Answer 2

Jun 11, 2023 7:11 PM in response to rckingsley

The associated Apple ID or the FileVault recovery key or equivalent is required for the reset.

https://support.apple.com/en-us/HT212190

Use FileVault to encrypt your Mac startup disk - Apple Support

https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf

If the storage is not encrypted, there are other issues awaiting the configuration, such as data security around parts swaps for repairs, or the inevitable decommissioning of the Mac.

Reply