Whenever you start your Mac up, it should prompt you for a password. What do you do, though, if you type your password and it won’t let you enter, or if you forget your password altogether? Or if you’re prompted from a screen or dialog that you don’t recognise? This article unravels which password is which, and what do try when it doesn’t work.
The first thing to remember is that there are several quite different passwords, which do different things. Before deciding which password to enter, you should work out what it is going to be used for.
Firmware password
Most recent Mac models let you set a firmware password which limits access to that Mac. Although this is quite a deliberate act, some users have felt that a firmware password has been set for them, perhaps during a major macOS upgrade.
Unlike in the past, you are not prompted for your firmware password unless you try to start your Mac up from a different startup volume. When starting up from its normal startup volume, you should still log in normally, with your normal user password.
Firmware passwords are available on:
- MacBook Air, Late 2010 and later
- MacBook Pro, Early 2011 and later, and all Retina display models
- MacBook, Early 2015, Retina, 12″
- iMac, Mid 2011 and later
- Mac mini, Mid 2011 and later
- Mac Pro, late 2013.
Firmware passwords are set, changed, and removed in Recovery mode. However, you can only enter Recovery mode after you have entered the firmware password correctly, following which you can use the Firmware Password Utility in its Utilities menu.
If you are unsure whether you are being prompted to enter a firmware password, then it is a good test to try entering Recovery mode. All other password protection including FileVault will let you straight into Recovery mode normally; if there is a firmware password set, you will see a unique white-on-black dialog consisting of a locked padlock icon (in white), with a text box in which to enter the firmware password. This will also be shown if you try to start your Mac up from an external drive, including a USB stick.
As a firmware password is designed to prevent anyone from trying to break into your Mac, there is no way around it which you can use to get into your Mac. If a firmware password has been set and you are unable to enter it correctly, you will need to take your Mac to an Apple Genius Bar or an authorised service provider. You will need to prove to them that you are its legitimate owner, preferably by showing them the original proof of purchase.
Moral: if you set a firmware password, keep a copy of it in a secure place so that you can always unlock it, and keep your original receipt for your Mac somewhere safe and accessible too.
If you were ever to use Find My Mac to lock and locate your Mac, that uses the firmware password system too, but displays a different lock screen which requires entry of the code created in the Find My Mac website. You cannot use that to bypass a normal firmware password, though.
FileVault password
Leave your Mac at the login screen for a minute or so. In that time, if FileVault is turned on, you should see a message telling you that you can use the Power button to shut down and start up in Recovery mode. Press and hold the Power button until your Mac shuts down, then press it again to start it up. This should produce the Reset Password dialog, which will walk you through the process of resetting your password. At the end of that, you will restart your Mac, and should be able to log in using a new password.
If you created a FileVault recovery key, you can use that to reset your password more directly. Keep entering passwords until you are invited to reset your password using the key. Next to that is an arrow: click on that and you will be invited to enter your Recovery Key. This will lead on to creation of a new password, which you can then use to log in.
Moral: if you use FileVault encryption, always keep a copy of your password in a secure place in case you need it to remind you. Never keep that password with or near the protected computer, though.
User password
First check that you are not entering your password with the Caps Lock on: this is now shown in the password field to remind you. Step carefully through entering your password, ensuring that you use the correct characters, e.g. capital-O versus number zero 0. If the password entry field shows a question mark ?, click that to see your password hint.
If you have set a blank password, try entering no password at all. If you changed your password, try the old password as well as the new one, even your Apple ID password, perhaps.
Some versions of macOS allow you to use your Apple ID: enter three incorrect passwords and you may then be invited to reset your password using your Apple ID. If this doesn’t appear, then it isn’t available.
If there is another admin account on that Mac, you can log in using that account, and reset the password on your own account.
It may also be possible to reset your password from Recovery mode, using Disk Utility and Terminal there. When your Mac starts up in Recovery mode, select Disk Utility. Then with that running, open Terminal in the Utilities menu. At its command prompt, enter
resetpassword
and press Return. Select your normal startup volume, then select the account in the Select the User Account dialog. Complete the next sheet with the new password and its hint, and click on Save. Once that is complete, you can restart in normal mode and should be able to log in using the new password.
Moral: keep a copy of your username and password in a secure place. Never keep those with or near your Mac, though.
Apple ID password
Normally prompts for the password which accompanies your Apple ID include that Apple ID, to make it clear which account they are for. If you have forgotten your Apple ID password, or your password doesn’t work, Apple support can arrange for it to be reset. This is not as straightforward as it used to be, though, because of its security implications.
Moral: keep a copy of your Apple ID and password in a secure place. Never keep those with or near your Mac or any iOS device, though.
When you have changed your user password
When you use any of the above methods to change your user password, your original keychain will still be protected by your original password. The only way that you can gain access to it is to unlock it using that password, then change its password to your new one.
If you don’t know your old password, or it will not accept it, you will be unable to access it, or any of the passwords and certificates stored in it. Your Mac should automatically create a new, empty keychain for your new password. If it does not, and particularly if it keeps prompting you for your old password (trying to open your old keychain), open Keychain Access, open its Preferences, and click on the Reset My Default Keychain button there.
Moral: keep a written record of your username and password in a secure place, so that you will never lose access to your keychain. Keep backup copies of your keychain.
Desperate measures
So long as you have not set a firmware password, there is one method which can always get past a lost FileVault or user password: starting up in Recovery mode, initialising your startup volume, and re-installing. This will wipe everything, of course, so you’ll need a rock-solid backup from which to restore all your documents, keychain, and so on. It will also take a lot of time.