8 Replies Latest reply: Aug 28, 2010 12:48 PM by jsd2
OrangeMarlin Level 5 (5,140 points)
Two questions:

1. When I do a full erase of a Mac (for example, if I give an old one away), does the Master Password get erased?

2. When I migrate an older Mac to a brand new one (using FireWire), does the Master Password get transferred over?

Thanks.

MacBook Pro i7, 17". iPhone 4 (32GB). iPad 3G (64GB). Magic Trackpad., Mac OS X (10.6.4), No Windows here
  • William Lloyd Level 7 (20,655 points)
    Are you talking about the FileVault master password? That would get erased if you did a full erase and uninstall, yes. It's actually associated with your FileVault Sparse Image, and not the machine itself.
  • OrangeMarlin Level 5 (5,140 points)
    William Lloyd wrote:
    Are you talking about the FileVault master password? That would get erased if you did a full erase and uninstall, yes. It's actually associated with your FileVault Sparse Image, and not the machine itself.


    I didn't know it was called the FileVault password. In System Preferences, it's called "Master Password", then says you can unlock any account with it. It is under the FileVault tab though. Anyways, if we're talking about the same password, then you're saying it's gone once the HD is erased?
  • William Lloyd Level 7 (20,655 points)
    That password is not for accessing "any account." There is no way to do that (well, you can log in as root and do things). The master password is specifically for FileVault. It is basically a second password which can decrypt any FileVault home directory on that machine, if you set it up (it's basically a "second chance."). If you are not using FileVault, then the Master Password does not apply. You cannot use the Master Password to log into a different account.

    And if you erase and re-install the OS (you must go to disk utility and erase the disk), then all passwords, all data, everything (including the master password) are erased.
  • OrangeMarlin Level 5 (5,140 points)
    William Lloyd wrote:
    That password is not for accessing "any account." There is no way to do that (well, you can log in as root and do things). The master password is specifically for FileVault. It is basically a second password which can decrypt any FileVault home directory on that machine, if you set it up (it's basically a "second chance."). If you are not using FileVault, then the Master Password does not apply. You cannot use the Master Password to log into a different account.

    And if you erase and re-install the OS (you must go to disk utility and erase the disk), then all passwords, all data, everything (including the master password) are erased.


    Actually, in System Preferences, it says "This is a 'safety net' password. It lets you unlock any account on this computer." Unless I'm misreading it, it is not specifically for FileVault; it has some greater power!

    But you've answered my burning question about erasing it.
  • William Lloyd Level 7 (20,655 points)
    It is specifically for FileVault. Go to Help for System Preferences, and type in "Master." You'll get more details, specifically:

    Creating a master password

    You can create a master password to allow access to any account protected by FileVault. If users forget their passwords for a FileVault-protected account, you can use the master password to access the account and change the FileVault password. You should create a good, secure password for your master password.

    WARNING: Don’t forget your master password. If you turn on FileVault and then forget both your login password and your master password, you won’t be able to log in to your account, and your files and settings will be lost forever.
  • OrangeMarlin Level 5 (5,140 points)
    Thanks for clarifying. But it is NOT clear on System Preferences. Oh well, I never use FileVault, so now I know.
  • William Lloyd Level 7 (20,655 points)
    I agree it's not all that clear in System Preferences... with the caveat that it is on the FileVault tab.

    I had to resort to using the help, just to be sure... which means it could be clearer!
  • jsd2 Level 5 (6,200 points)
    I was curious and just tested this on a Snow Leopard startup volume that contained a FileVault account and therefore already had a Master Password. I created a new non-FileVault account there, and found that I could reset that account's password by using the Master Password which had been established for the FileVault account:

    !http://i36.tinypic.com/5ofnly.jpg! -------> !http://i33.tinypic.com/6yjnsm.jpg!

    The wording in the documentation is not really clear. I agree that the Master Password is geared toward FileVault, and in fact the Master Password info is stored in these two files:
    /Library/Keychains/FileVaultMaster.keychain
    /Library/Keychains/FileVaultMaster.cer

    Still, it doesn't say anywhere in the documentation that the Master Password won't work for non-FileVault accounts, and in fact it does work!
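
A quick way to check the erase and migration questions from this thread, as an added example that is not part of any poster's reply: the function below reports whether the two Master Password files jsd2 lists are present on a volume. The function names and the `/Volumes/OldMac`-style mount point are assumptions, as is treating the presence of both files as "a Master Password is set".

```shell
#!/bin/sh
# Added example: report whether the Master Password files named in the thread
# exist on a volume. Pass "/" for the running system, or a mount point such as
# /Volumes/OldMac (hypothetical name) for another disk.

# Prints one of: set, partial, absent
master_password_state() {
    root="${1%/}"                      # strip one trailing slash; "/" becomes ""
    dir="$root/Library/Keychains"
    found=0
    for name in FileVaultMaster.keychain FileVaultMaster.cer; do
        if [ -f "$dir/$name" ]; then
            found=$((found + 1))
        fi
    done
    case "$found" in
        2) echo "set" ;;               # both files present
        1) echo "partial" ;;           # only one of the pair present
        *) echo "absent" ;;            # neither file present
    esac
}

# Constructed sample layout in a temporary directory, so the check can be
# tried without touching a real system.
demo_master_password_state() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/migrated/Library/Keychains" "$tmp/erased/Library/Keychains"
    : > "$tmp/migrated/Library/Keychains/FileVaultMaster.keychain"
    : > "$tmp/migrated/Library/Keychains/FileVaultMaster.cer"
    echo "migrated: $(master_password_state "$tmp/migrated")"
    echo "erased:   $(master_password_state "$tmp/erased")"
    rm -rf "$tmp"
}

demo_master_password_state
```

Run against `/` on a freshly migrated Mac, or against the mounted volume of a Mac you have erased before handing it on; `partial` means only one of the two files is present and is worth a closer look.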