Change the Password in Mac OS X 10.7 Lion Without Knowing the Current Password
There are a few ways to reset a password in Mac OS X 10.7, but those methods require reboots. This approach is different: it lets you change the password of the user currently logged into Mac OS X Lion without knowing the user's password and without a reboot:
- Launch the Terminal, located in /Applications/Utilities/
- Type ‘whoami’ at the command line to get the current user’s precise login name, which will look something like this:
- Type the following command, replacing ‘username’ at the end with the exact current user’s login name that you retrieved from whoami:
dscl localhost -passwd /Search/Users/username
- Enter the new password once, hit return, then confirm the new password and hit return again
The password is now changed.
No authentication is required: you simply enter the new password and confirm the changed password. This is much easier than the manual reset methods and it doesn’t require a reboot or any manipulation of user data in Mac OS X.
Remember that like anything else in the command line, capitalization matters, so if the username is reported back as “Will” that would be different than “will” – be sure to use the proper caps for the password to be changed.
This tip is undeniably useful for a wide variety of situations pertaining to system administration, troubleshooting, and theft recovery, but could also pose a potential security risk. Regarding the security risk, it’s realistic to assume that if someone has a computer in their possession, little is safe unless the drive itself is encrypted.
This trick was included in a broader and more mischievous tip that we’ll stay away from. Nonetheless, thanks to Daniel for sending this in!
Update: Additional reports and comments are suggesting this is a bug in OS X Lion, if so we could expect a Security Update to Mac OS 10.7 in the near future that would remove the ability to run dscl without administrative authentication. We’ll keep you posted.
I got “Permission Denied. Please enter user’s old password:”
Any advice or other ways to change or reset password. I have OS X 10.7.5. Thanks.
i’ve tried it and it didn’t work. after i input the new password, it said invalid and “DS Error: -14009 (eDSUnknownNodeName)” what should i do?
I got the same problem. Have you fixed it?
hey i tried doing this but when it asks me for the new password it won’t allow me to type it and i even tried copy and pasting but it won’t let me. do you have any suggestions?
Does this still work? I am getting invalid path after putting in the new password.
i can’t see what I’m typing and when i enter new password it says invalid…
anytime you type a password at the command line you can’t see it, that’s how every command line password prompt works.
every time i try to type the new password nothing happens, please help
I have tried as your advice:
Last login: Tue May 15 19:50:43 on ttys000
Mevis-MacBook-Air:~ mevihariyanti$ whoami
Mevis-MacBook-Air:~ mevihariyanti$ dscl localhost -passwd /Search/Users/mevihariyanti
but when I try to type new password it is freezing, So I couldn’t type anything on it.
You won’t see a password entered, it’s a typical security measure in unix. Enter the password and hit return and confirm it and hit return again, you will never see a password entered into the terminal.
When I’m in the TERMINAL, I do everything right. So when it brings me to ‘New Password:’ and then it says ‘Invalid Path’. What does that mean?
N/M I’m stupid. Now it says, ‘Permission denied. Please enter user’s old password:’ What am I doing wrong?
Help. This did not work for me. After entering my new password, it responded with:
Permission denied. Please enter user’s old password:
That means you need to enter your old password or use an Admin account
Thank you so much for replying so quickly to my post!
So are you saying that when I keyed in the “new password” it was my current password that I forgot? Not possible. But it doesn’t matter. I did find the following link which worked for me. Yes I did have to reboot from the Recovery HD, but it was easy. What annoys me now is that if it’s this easy to change an Admin password…what’s the point of having one …other than to have different settings, etc from other users in the house; but now I know it doesn’t protect me from anyone stealing my Mac and getting to my data.
Thanks again …here is the link for anyone who is struggling with forgotten admin passwords.
i have tried to do this multiple times but it keeps asking for the old password which i do not have, i type in…
it comes up with user even though my username for my computer is Cody
then i tried both of the following…
dscl localhost -passwd /Search/Users/user
dscl localhost -passwd /Search/Users/user
after both it asks me for the new password but i am unable to type anything into the terminal, after i press return it says, permission denied, please enter old password
that’s where my problem lies, i don’t know it!
what did i do wrong?
whoops, the sentence after the And… was supposed to be…
dscl localhost -passwd /Search/Users/Cody
sorry for the mistake!
it’s not working for 10.7.2
it still asked for old passwd
is there any other way?
Yes, you can reset a password this way:
Thanks it saved my time..
when I tried it, it still asked for the old user’s password
WOW thanks sooo much! didn’t think it would work!!
it does not work anymore.
[…] a Comment We recently wrote about the dscl utility and how it allows a Mac OS X Lion user to change a password without knowing the existing password. The lack of required admin authentication has since been widely reported as a bug, and a small […]
type this command in the terminal, it fixes the problem.
sudo chmod 100 /usr/bin/dscl
[…] flaw has been discovered in Lion. Years ago, a security hole similar to this one left at anyone’s mercy the […]
If it is so simple to change a password I wonder what is the meaning of security on Mac?……
@Wowzers, I can see a possible truth in your statement, yet, it is irrelevant. 99% of the web is right in this case, it needs to be fixed. Of course, since that LDAP hole is not fixed either, we might as well wait upon the convenience of the central planners.
The tool itself isn’t a bug, the bug is not to require sudo
99% of the web doesn’t understand this.
dscl . -passwd /Users/
NB: srch dir’s redundant.
Another good reason not to use Lion as main OS!
Long live SL!
@jim: yes, changing permissions could actually do the trick. But this would require at least a minimal shell knowledge and many users won’t go that forward. IMHO.
An official fix is advised.
@M: it’s not actually a real directory but a logical path used by dscl and of course you won’t find it on your filesystem.
I’ve just checked and the bug (since allowing to change a password without any check IS a bug) is present on 10.7.1.
Hope we’ll have this fixed soon.
You’ve got to be kidding me… of course this is a bug!! Damn Lion… :-(
Why does everyone think it’s a problem? On Windows you never needed to know current password to change to new one. Just right click on user under system manager and select Reset Password. Windows won’t ask you for the current.
Where is this /Search directory? As far as I know, this directory never existed in a Unix system. So, this recipe doesn’t work as expected and we have nothing here.
This is a bug, not a feature. It freaks me out.
I’m unfamiliar with the intricacies of this app, but is a simple quick stopgap fix for it:
sudo chmod go-x /usr/bin/dscl
on the command line? That’ll knock out execute permissions for anybody except root on it, effectively requiring authentication to run it.
Is it that simple to patch? Or am I missing something bad that could come from doing this?
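A way to check whether the permission stopgap discussed in these comments (chmod go-x or chmod 100 on /usr/bin/dscl) is in place, as an added example that is not part of the original post or its comments. The function names are hypothetical, and the script inspects only the file's mode bits; it says nothing about whether the underlying password-change behaviour is reachable by other means.

```shell
#!/bin/sh
# Added example: audit the execute bits that "chmod go-x" clears.
# Function names are illustrative, not part of any Apple tooling.

# mode_string PATH -> prints the 10-character mode field (e.g. -rwxr-xr-x).
# -L follows symlinks so the target's mode is reported, not the link's.
mode_string() {
    ls -ldL "$1" 2>/dev/null | cut -c1-10
}

# nonowner_can_exec PATH
#   returns 0 if group or other may execute, 1 if neither may, 2 if missing.
nonowner_can_exec() {
    m=$(mode_string "$1")
    [ -n "$m" ] || return 2
    g=$(printf '%s' "$m" | cut -c7)    # group execute position
    o=$(printf '%s' "$m" | cut -c10)   # other execute position
    # x = execute, s = setgid + execute, t = sticky + execute
    case "$g$o" in
        *[xst]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_tool PATH -> prints EXPOSED, RESTRICTED or MISSING.
audit_tool() {
    rc=0
    nonowner_can_exec "$1" || rc=$?
    case "$rc" in
        0) echo "EXPOSED" ;;      # any local user can run the binary
        1) echo "RESTRICTED" ;;   # only the owner (root for dscl) can run it
        *) echo "MISSING" ;;      # path absent or unreadable
    esac
}

# Default target is the binary named on this page; pass another path to test.
target="${1:-/usr/bin/dscl}"
printf '%s: %s\n' "$target" "$(audit_tool "$target")"
```

Re-run the check after system updates or a permissions repair, since either can restore the original mode.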
Out of interest, as it’s a similar idea. Is there a command for Terminal that changes the user’s account name?
The real security risk here is that ANY app could activate this command and change your password because it doesn’t even ask for credentials! This would be a freakishly easy trojan to install on a victim’s machine, Apple HAS to patch this ASAP!
Assuming the “mischievous tip” is about cracking passwords, it’s still on your Facebook wall.
I suspect a patch will be released by Apple so that sudo is required to use dscl, it would be a simple and immediate fix to any threat posed by this.
That’s not a tip. It’s a bug.
Very possible, if so I agree with Anderson (other commenter) that the solution is to require administrative privileges to use dscl.
Would be nice to know what the “more mischievous” tip is – especially from an IT Administrator’s perspective.
It is probably this, it is sitting on their Facebook page:
For better or worse, it has been posted in the comments and on Facebook
This is a great tip but also kind of freaky that it’s so easy. Granted 99.9% of Mac users don’t know Terminal exists let alone how to use it, this just goes to show that using FileVault is an exceptionally good idea.