Recover EFI / Firmware Password from a Pre-2011 Mac

Pre-2011 Macs store the system password in a very insecure way, which permits easy password recovery if the user can boot into the system and has root / Administrator privileges. This post details how to simply erase or recover that system password.

Introduction

Just like the BIOS password in PCs, Macs feature an optional password protection before the operating system is booted. When enabled, the user by default only has to enter this password when the system is booted into recovery mode or from an alternative disk (like CD, USB, etc.). Put another way, the user does not have to enter the password if he boots into his normal OS. While this is extremely convenient, it makes the user type his system password very infrequently. In my case, I think I haven’t typed it on one of my machines for a couple years. Which leads to a problem: What the heck was that password again?

Method 1: Reset PRAM to erase a system password

Using this method the system parameter memory including the system password will simply be erased.

Prerequisites

  • Pre-2011 Mac (MacBook, MacBook Pro, MacBook Air, iMac, etc.)
  • Mac boots into Mac OS X
  • User has administrative (root) privileges

Procedure

  1. Open Terminal
  2. Type this command and enter your user password when requested:
    sudo nvram -c
  3. Reboot.

Method 2: Recover the password

Prerequisites

  • Pre-2011 Mac
  • Mac boots into Mac OS X
  • User has administrative (root) privileges
  • Xcode is installed

Procedure

  1. Open the Terminal
  2. Use a text editor (e.g., nano) to create a text file called decode.cpp with this content:
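    #include <cstdlib>
    #include <iostream>
    #include <string>
    
    using namespace std;
    
    int main(int argc, char **argv)
    {
       // Read the encoded value (a run of %xx tokens) into a string,
       // which grows as needed instead of overflowing a fixed buffer.
       string buff;
       cin >> buff;
       cout << "Recovered Password: ";
       // Each byte is stored as "%xx": skip the '%', parse the hex digits,
       // then XOR with 170 (0xAA) to get the original character.
       for (size_t i = 1; i < buff.size(); i += 3)
       {
          int first = strtol(buff.c_str() + i, NULL, 16);
          first ^= 170;
          cout << (char) first;
       }
       cout << endl;
    
       return 0;
    }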
    

    This code is derived from a code listing on Gavin Brock’s Perl page.

  3. Compile the program:
    g++ -o decode decode.cpp
    
  4. Decode the system password and enter your user password when prompted by sudo:
    sudo nvram -x security-password | awk -F '[\t]' '{print $2}' | ./decode

The program’s output should contain the decoded system password.
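
The decoder in step 2 shows why this storage is weak: each byte is only XORed with the constant 170 (0xAA) and written as %xx, with no key or salt, so the transform is its own inverse. The round trip below is an added example, not code from the original post or from Gavin Brock's listing; the function names and the sample value are constructed for illustration, and the %xx layout is assumed from the decoder above. Unlike that decoder, it rejects malformed input.

```cpp
#include <cctype>
#include <cstdio>
#include <iostream>
#include <string>

// Encode: XOR each byte with 0xAA and write it as %xx (the layout the
// decoder in step 2 expects; assumed from that listing).
std::string obfuscate(const std::string &plain)
{
    std::string out;
    char tok[4];
    for (unsigned char c : plain) {
        std::snprintf(tok, sizeof tok, "%%%02x", c ^ 0xAA);
        out += tok;
    }
    return out;
}

// Value of one hex digit, or -1 if the character is not a hex digit.
static int hexval(char c)
{
    unsigned char u = static_cast<unsigned char>(c);
    if (!std::isxdigit(u)) return -1;
    return std::isdigit(u) ? u - '0' : std::tolower(u) - 'a' + 10;
}

// Decode strictly: every 3-character group must be '%' plus two hex digits.
// Returns false on malformed input instead of emitting garbage.
bool deobfuscate(const std::string &enc, std::string &plain)
{
    plain.clear();
    if (enc.size() % 3 != 0) return false;
    for (std::size_t i = 0; i < enc.size(); i += 3) {
        int hi = hexval(enc[i + 1]), lo = hexval(enc[i + 2]);
        if (enc[i] != '%' || hi < 0 || lo < 0) return false;
        plain += static_cast<char>(((hi << 4) | lo) ^ 0xAA);
    }
    return true;
}

int main()
{
    const std::string sample = "Example-Pw1";  // constructed sample value
    std::string enc = obfuscate(sample), dec;
    std::cout << enc << "\n";
    bool ok = deobfuscate(enc, dec);
    std::cout << (ok ? dec : "malformed") << "\n";
    return ok && dec == sample ? 0 : 1;
}
```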
