How To Retrieve Forgotten Web Site & Browser Passwords in Mac OS X via Command Line
You can retrieve forgotten website and browser passwords by using a command line tool in Mac OS X. This is a handy feature that gives you access to the Keychain via Terminal.
How many times have you forgotten the password to a website? Don’t feel bad because it happens to the best of us. The good news is that if you use the Mac OS X Keychain feature to keep track of login information for websites through your browser (you know when the browser asks to save/store your login information?), you don’t need to worry. All you need is the website’s URL and you’ll be able to retrieve a forgotten password, as long as you’re logged into the same user account that you originally saved it with. This will work for all websites that have stored information through Chrome, Safari, Firefox, and it should work for any other browser as well. This is a great alternative to using the “password reset” or forgotten password features that are multi-step processes on many web sites and services, since it doesn’t require any internet connectivity.
Important security note: There is some minor potential for security breaches with this trick, but as long as you don’t let random people log into your user account that should not be an issue – that’s what guest login is for anyway. On the other hand, there is legitimate value here for forensic purposes and for some unique system administration cases, and it’s also just infinitely helpful to those of us who forget a password and don’t want to go through the entire reset process through a particular web service. Nonetheless, this does allow a user to reveal stored passwords for that same user’s account, so be aware of the potential privacy and security implications.
Recovering a Forgotten Browser Password via Command Line on Mac
The basic command syntax to retrieve a stored website password looks like the following:
security find-internet-password -s [url] -w
Because account security is a sensitive topic, let’s break down the command string so you’re not blindly issuing commands that reveal login information. The “security” command is a front end to the Keychain, which is what Mac OS X uses to store saved login information. “find-internet-password” is the subcommand, with an unusually descriptive name. -s is used to specify the URL to match, and -w tells the security command to report back only the password and not the full key listing, which is otherwise a bunch of gibberish.
This needs to be entered into Terminal, found in the /Applications/Utilities/ directory or through Launchpad in the Utilities folder. After you hit Return, a pop-up window will appear that says the following: “security wants to use your confidential information stored in “domain-you-specified” in your keychain. Do you want to allow access to this item?”
Clicking “Allow” is what you’d want to do to reveal the password. Choosing “Always Allow” is not recommended, and “Deny” would prevent the password from being revealed.
Example Password Retrieval from Keychain at Command Line
We’ll use the website “getpocket.com” as an example domain, because it’s a service that I use frequently and I happened to have just recently forgotten the password to, despite having it saved in both Safari and Chrome on the Mac and the accompanying app in iOS. Because I don’t remember the password but it is stored in the browsers, this is a perfect case to use the security command to retrieve it.
The command string would thus be as follows:
security find-internet-password -s getpocket.com -w
Click “Allow” at the dialog when requested.
You’ll find the only thing reported back is a single line containing the password, making the entire command string and standard output look something like this:
$ security find-internet-password -s getpocket.com -w
(no, that isn’t a real password)
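If you plan on using this for scripting purposes, you may want to try the -g flag instead, combined with grep to view the password. The -g flag writes the password line to standard error rather than standard output, so redirect it into the pipe with 2>&1 or grep will never see it. That syntax would be:
security find-internet-password -s DOMAIN -g 2>&1 | grep "password"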
The output of which looks like “password: (actualpassword123)” making it easier to identify.
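For scripts that only need to know which account is saved for a site, the full -g listing can be summarised without ever echoing the secret. The following is an added example, not part of the original article: it parses the attribute lines of a listing and redacts the password line. The helper names summarize_item and sample_listing are hypothetical, and the sample listing, including its account and password, is constructed.

```shell
#!/bin/sh
# Added example (not from the article): summarise a -g listing without
# echoing the secret. On a Mac the input would come from:
#   security find-internet-password -s DOMAIN -g 2>&1 | summarize_item

# Constructed sample listing; the account and password are made up.
sample_listing() {
cat <<'EOF'
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "inet"
attributes:
    0x00000007 <blob>="getpocket.com"
    "acct"<blob>="reader@example.com"
    "atyp"<blob>="form"
    "path"<blob>=<NULL>
    "port"<uint32>=0x00000000
    "ptcl"<uint32>="htps"
    "srvr"<blob>="getpocket.com"
password: "constructed-not-real"
EOF
}

# Hypothetical helper: reads a listing on stdin, prints one summary line.
summarize_item() {
    awk '
    # Quoted value after the first "=", or "-" for <NULL> and raw numbers.
    function val(line,   v) {
        v = line
        sub(/^[^=]*=/, "", v)
        if (v !~ /^".*"$/) return "-"
        return substr(v, 2, length(v) - 2)
    }
    /^[ \t]*"srvr"</ { srvr = val($0) }
    /^[ \t]*"acct"</ { acct = val($0) }
    /^[ \t]*"ptcl"</ { ptcl = val($0) }
    /^password: /    { pw = "stored (redacted)" }
    END {
        if (srvr == "") srvr = "-"
        if (acct == "") acct = "-"
        if (ptcl == "") ptcl = "-"
        if (pw == "")   pw = "not shown"
        printf "server=%s account=%s protocol=%s password=%s\n", srvr, acct, ptcl, pw
    }'
}

sample_listing | summarize_item
```

Keeping the password out of the script's output also keeps it out of shell history, log files and terminal scrollback.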
Limited to Saved Passwords Stored in Web Browsers
This specific function is limited to saved passwords that are stored in a web browser, though it doesn’t matter which browser so long as it uses Keychain for storage rather than a password manager. Because of this, this is not a solution for retrieving forgotten Mac login passwords or other login information that isn’t specifically for a web site or service.