How to gain access to a locked Mac

There are several perfectly legitimate reasons for wanting to gain access to a locked Mac. All of us at some time or other find our mind has gone blank and we can’t remember what we’ve typed in so often before. Or the person who did know that password may no longer be there to recall it for us.

Trying to guess a password is doomed to failure: Intel Macs with T2 chips and Apple silicon Macs only allow ten attempts at a password before you have to try in Recovery, and a maximum of fifty attempts in total before access to the internal Data volume is permanently barred, and that Mac has to be restored in DFU mode. Time intervals are also added between attempts, rising to as long as one hour.

There are three different needs for the password we might need to unlock a Mac: all models of Mac have a regular user password for each of their user accounts; when FileVault is enabled on any model, that requires a user password empowered to unlock its encryption; Intel Macs can also be protected by a ‘firmware’ password that controls all access to that Mac. How you tackle each depends on which version of macOS the Mac has booted from, and whether the password concerned is yours.

In the first instance, I’ll assume that the password you can’t remember is yours, and needs to be reset.

Catalina and later

Recent versions of macOS are simplest and most consistent of all. Click on the ? inside a circle at the right end of the password entry box, and you’ll see the password hint, if one was saved, and the text
If you forgot your password, you can…
Restart and show password reset options

And that’s exactly what you do. If that isn’t there, try entering a random password three times to see if that triggers its appearance, then click on that button.

This may give you the option of resetting your password using your Apple ID, in which case click the arrow next to that and provide your Apple ID and its password, then follow the instructions. The alternative is to use your Recovery Key if you’ve already obtained one, which is again selected by clicking on the arrow, after which you enter the key and follow the instructions.

For this your Mac needs to have an internet connection, and to have booted to the login screen. Further details are in this support article, and version-specific details are provided here.

Mojave and earlier

There are several ways you can reset a user’s password in older versions of macOS. You could do this from another admin account on that Mac, or using your Apple ID. The latter involves entering guessed passwords until you see an invitation to reset the password using Apple ID. Apple lists most of these in this article.

If FileVault is enabled, you may be able to reset the password using its special assistant. It isn’t obvious how to initiate this:

Leave the Mac at the login screen for a minute or so, until there’s a message telling you that you can press the Power button to shut down and start up in Recovery.
Then, press and hold the Power button until the Mac shuts down.
Press the Power button again to start it up.
The Reset Password window should appear, giving instructions.

Alternatively, you can use a Recovery Key, if you’ve already obtained one. Full details are given in this support article.

Firmware password (Intel)

A firmware password is set and removed in Recovery, and can normally only be removed if you know the password. If your Mac is old enough to have removable memory, it’s possible to remove one stick and reset the NVRAM three times, but that’s not guaranteed. The most reliable way to achieve this is to take the Mac to an Apple store, together with proof of purchase or ownership, and ask them to remove the firmware password.

Further information is in this support note, and in Mr. Macintosh’s article.

Missing owner

Those methods all assume that you’re the owner/user, have simply forgotten your login password, and can recall your Apple ID and its password. If the Mac belonged to someone who’s no longer there, and you don’t have access to their Apple ID, you won’t be able to use those options.

There are two further steps now available which you may find helpful. Provided that your Apple ID has two-factor authentication enabled, if you’re unable to sign in or reset your password, then you can ask Apple to perform account recovery. This isn’t immediate, but provided that you can satisfy Apple that your request is genuine, it should prove possible.

As of macOS 12.1 and iOS/iPadOS 15.2, Apple has added Legacy Contacts, but those must be set up before you need to use them. The Legacy Contact is then provided with an access key which they can use in the event that you can’t because you’re dead. Apple also needs to see a copy of the death certificate before giving full access to the account for a period of three years. Full details are here.

Still no solution

If you want to access the Mac but not its contents, it’s straightforward to return Apple silicon and T2 models to factory condition using Apple Configurator 2. That may not always be a good step, though: when you try to set that Mac up again, it checks in with Apple. If it has been registered as stolen, you could find that Mac becomes unusable.

If all else fails, then you’ll get expert advice and help from Apple stores, authorised service providers, and from the many independent Mac technicians around the world who are often only too familiar with these problems.

Virtual machines

Lightweight VMs running on Apple silicon Macs don’t support Apple ID. If you forget the password, you will still see its hint. If that doesn’t remind you of the correct password, then your VM is lost, as there’s no way to recover it.

11Comments

Add yours

1

Sydney Low on July 3, 2023 at 9:04 am

With Intel Macs, if I don’t need the contents, I’ve just booted up with an external disk and then re-formatted the internal HD and reinstalled an OS. Isn’t that the easiest approach?

LikeLiked by 1 person
- 2
  
  hoakley on July 3, 2023 at 6:18 pm
  
  It is if you’re not actually locked out. Unfortunately, it now applies to fewer Macs, as Intel Macs with T2 chips by default won’t boot from an external disk. And if you don’t happen to have an external boot disk already, and that’s your only Mac, there’s nothing you can do. So yes, it’s a solution that’s on its way out.
  Howard.
  
  LikeLike
  - 3
    
    Syd on July 3, 2023 at 11:54 pm
    
    Thanks Howard, Yes, I set my Macs to allow external boot.
    I didn’t know you can register a stolen Mac with Apple. Is this something new? Will then send you a GPS location if it turns up and attempts to be reset.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on July 4, 2023 at 7:20 am
      
      “I didn’t know you can register a stolen Mac with Apple”
      I don’t think that you can. Apple encourages those who have had Macs stolen to report them through local law-enforcement. There are also procedures in Find My [Mac] for dealing with missing Macs. Whether Apple receives or actions any information about those I don’t know, but I’m fairly confident that substantial thefts of Macs will be notified to Apple, and Apple can certainly refuse to complete their setup when someone tries to do so.
      Howard.
      
      LikeLike
5

Markus on July 3, 2023 at 9:31 am

At least with an older Macs it was possible to boot it with an installation disk. This allowed one to reset any account password. However only the account password got set, not the login keychain! With this method it was possible to gain accesss to any account but the secrets inside the keychain remained secret (and possibly lost forever)

LikeLiked by 1 person
- 6
  
  hoakley on July 3, 2023 at 6:20 pm
  
  Thank you.
  I don’t think that has worked for some years now, I’m afraid.
  Howard.
  
  LikeLike
7

Gideon on July 13, 2023 at 9:43 am

Thanks for your interesting article.
I was just confronted with a situation where someone had purchased an Intel T2 MacBook Pro second hand. The former owner had activated the iCloud feature Find My Mac and had forgotten to remove this before handing over the Mac. Recovery Erase worked but upon restart Activation Lock would require to enter the Apple ID password. The new owner was hence stuck with an unusable Mac. I tried DFU mode with Apple Configurator but it didn’t change the situation.
Do you know if Apple has a way to reset the Mac to factory defaults, removing the Find My Mac connection in the process?

LikeLiked by 1 person
- 8
  
  hoakley on July 13, 2023 at 9:47 am
  
  Although Apple might be able to, they should contact the person who sold it to them. They are still in charge of that Mac.
  Howard
  
  LikeLike
- 9
  
  hoakley on July 13, 2023 at 11:46 am
  
  Further information (sorry, I was up on the Downs): they can request Apple to remove the Activation Lock, but will need to provide Apple with proof of purchase or ownership. In some countries, they can initiate the request via this page.
  Howard.
  
  LikeLike
10

glottalstart on November 17, 2023 at 8:16 am

On older macs, running older versions of macos (basically pre-T2), you could start in single user mode, mount the drive and remove the .AppleSetupDone flag file. This would convince the mac that it has never been used and allows a new admin account to be set up upon restart. The unknown user password can then be reset from the new account and access is regained. This is of no use on more recent macs, as the secure boot system doesn’t allow single user mode without an admin password

LikeLiked by 1 person
- 11
  
  hoakley on November 17, 2023 at 8:38 am
  
  Thank you.
  I think SUM is long dead – it doesn’t exist in modern Recovery mode. For a while there was ‘SUM in Recovery’, but even that has gone, now there’s just Terminal, and that’s it.
  Howard.
  
  LikeLike