
Apple security and privacy

A relative I provide support for has had a series of Macs over many years and currently has a MacBook Air with macOS Sierra. She has forgotten the login password to her "standard user" account. (Her Macs have always been set to log her in upon startup, so she has not needed it. I installed an admin account with a password I know on her very first system and use that for migrations/updates/upgrades, so I've not needed it either.)

She has managed to have Safari save dozens of username/password combinations for one particular website, so she never knows which one to use. She saved all these sets of credentials because she has an email with instructions to create an account, and whenever she forgot how to log in (and/or couldn't decide which of the already-saved usernames to use), she would just create a new account and have Safari save those credentials. The website deactivates the old account when she creates a new one, but Safari doesn't know that, of course.

I'd like to have her delete the useless saved credentials so she just has one username/password saved for the website. However, they aren't available in Keychain Access, and when she clicks on the "Passwords" button in Safari's preferences, it asks for her login password with the message "Passwords are locked. To unlock passwords, enter the password for the user 'her name'."

All I can find on the web is instructions for resetting her login password, which loses everything in her login Keychain, including usernames and passwords saved by Safari, Wi-Fi network passwords, etc. Is there any way to avoid that, and either
(A) find out her existing login password, or
(B) delete the extra usernames/passwords saved by Safari?
 


... Is there any way to avoid that, and either
(A) find out her existing login password, or
(B) delete the extra usernames/passwords saved by Safari?
Have you tried logging onto the computer using your admin account then changing (not erasing or fully resetting) your user's password in System Preferences/Users & Groups?

Keep in mind, though, I don't use Safari's password storage function so I don't know if changes made in Users & Groups carry over to Safari as well.
 


Have you tried logging onto the computer using your admin account then changing (not erasing or fully resetting) your user's password in System Preferences/Users & Groups?
Thanks for the suggestion, but it doesn't work.

If logged into the admin account, after selecting the standard user in the list on the left, the only button is "Reset password…", which leads to a dialog that says
Resetting the account password doesn't reset the password for the user's login keychain. To reset the password for the "login" keychain, use Keychain Access, located in the "Utilities" folder.
If logged in as the standard user, you can "Change Password…" in Users & Groups, but it asks for the old (existing) password, which is the one the user has forgotten.

In Keychain Access, the only "login" keychain that you can change is the one for the logged-in user. And you can only do that by supplying the "Current" password -- the one that's been forgotten.
 


I have an old iTunes Store account which receives codes from Apple via SMS for use at login. These codes are four-digit numbers. I can't remember why the account hasn't been switched to Apple's proprietary login code-sending system...but this is another possibility for the "mystery" code we're discussing here.
That's 2SV. If you've never used that Apple ID to sign into iCloud on an iOS 11+ or macOS High Sierra+ system, it would not have been automatically converted to 2FA.
At this point, I think it might be helpful if GSpain could post a step-by-step sequence of the steps he's following, including the exact wording of all prompts and input requests.
Or maybe some screenshots.
 



Helping a friend of mine reuse her father's iPhone and iPad, but not knowing the Apple ID password, and no longer having access to the email address associated with that Apple ID, since that account had been cancelled for a few years, we ended up calling Apple to reset the Apple ID password and were able to do that by just having him explain that we no longer could get the email reset message.

In this case, since we were able to unlock the devices and even get his iCloud email on the devices, as well as answer some of the security questions (memory is not so good in 88-year-olds, and who remembers exactly how to spell the weird name of a dog now long gone from this world?), we were able to satisfy Apple that we were legitimate, and they eventually sent a magic signal to the devices to allow us to reset the Apple ID password (it took a couple of days for them to send it out).

If one of us were to have just faked a quivering voice of an older gentleman, we could have done all of that without him actually still being alive. I would probably go that route before trying to produce death certificates. It might be less effective if you have already told them that he is deceased and somebody has noted it in his file.

Putting password information in the safety deposit box with your will might be a good idea.
J-Beda, thanks for this information. This may be my best, or only, way out of this situation.
 


Thanks to all of the MacInTouch community who contributed information to my situation. Every idea you proposed, I will explore. I've learned a great many things about Apple security and iOS during this discussion. The input from this community was welcomed but never doubted. This is the premier Apple/Macintosh information site on the net.
 


Has anyone had any luck with or used iMyFone LockWiper? The software seems perfectly suited for this situation. There is a caveat that the iOS device can't be in iCloud Activation Lock mode, but that doesn't seem to be the case here, at least not yet...
I wouldn’t try it, because it seems to be another amongst many [others] who promise to do the impossible!

By reading their own ‘review’ by themselves, it appears to me that this so-called miracle software is only making you pay for instructions on how to put your iOS device in DFU mode:
imyphone said:
<https://www.imyfone.com/unlock-iphone/imyfone-lockwiper-software-review/>

Until now, no software or tool including iTunes can remove iPhone/iPad passcode without erasing device data. Hence, LockWiper erases device data when removing iPhone passcode or lock screen.
 


Thanks to all of the MacInTouch community who contributed information to my situation. Every idea you proposed, I will explore. I've learned a great many things about Apple security and iOS during this discussion. The input from this community was welcomed but never doubted. This is the premier Apple/Macintosh information site on the net.
I hope you will come back and post if you are successful or not, since it sounds like you're signing off from this discussion for now.
 


A relative I provide support for has had a series of Macs over many years and currently has a MacBook Air with macOS Sierra. She has forgotten the login password to her "standard user" account.
...
All I can find on the web is instructions for resetting her login password, which loses everything in her login Keychain, including usernames and passwords saved by Safari, Wi-Fi network passwords, etc. Is there any way to avoid that, and either
(A) find out her existing login password, or
(B) delete the extra usernames/passwords saved by Safari?
I haven't tried it but if you still have an admin account, you could sign on as the root user.
Apple Support said:
I think you will have access to her user keychain info if signed on as root.
 


I haven't tried it but if you still have an admin account, you could sign on as the root user. I think you will have access to her user keychain info if signed on as root.
Thanks for that suggestion. I'll try it out next time I have access to her machine, probably not for a week or two and report back.
 


I wouldn’t try it, because it seems to be another amongst many [others] who promise to do the impossible! By reading their own ‘review’ by themselves, it appears to me that this so-called miracle software is only making you pay for instructions on how to put your iOS device in DFU mode...
I am in no way championing this software, and it may well be smoke and mirrors, but if I were to get an iOS device from a friend and wanted to make it my own, I would have no problem with the device being erased in the process.

This MacInTouch site has a tremendous amount of very knowledgeable users willing and able to get their hands dirty, so to speak, with the inner workings of their computers and devices. That is not to say everyone visiting this site is or does. To some, a piece of software that does the down and dirty work for them may be an appreciated option.
 


Could someone post, or point me to, instructions to disconnect an old iMac from the Appleverse so that it can be erased and ownership transferred to another iCloud account and Apple ID?

It's staying in the family but as a document server and for efax and scanner support.

I must say I haven't kept up with all the authentication issues. It appears that a simple "Erase Macintosh HD" procedure will leave the machine ID linked to Apple in some way which I would like to avoid.

Thanks for the help.
 


Ric Ford

MacInTouch
Could someone post, or point me to, instructions to disconnect an old iMac from the Appleverse so that it can be erased and ownership transferred to another iCloud account and Apple ID?
Here you go, Jim - hopefully, this will cover it, but let us know if not:
Apple Support said:
And, for additional reference, what to do with iPhones and Apple Watches:
Apple Support said:
Find My iPhone Activation Lock
When you turn on Find My iPhone on your iPhone, iPad, or iPod touch, your Apple ID is securely stored on Apple’s activation servers and linked to your device. From that point on, your Apple ID password or device passcode is required before anyone can turn off Find My iPhone, erase your device, or reactivate and use your device.
 



A relative I provide support for has had a series of Macs over many years and currently has a MacBook Air with macOS Sierra. She has forgotten the login password to her "standard user" account. (Her Macs have always been set to log her in upon startup, so she has not needed it. I installed an admin account with a password I know on her very first system and use that for migrations/updates/upgrades, so I've not needed it either.)
She has managed to have Safari save dozens of username/password combinations for one particular website, so she never knows which one to use. She saved all these sets of credentials because she has an email with instructions to create an account, and whenever she forgot how to log in (and/or couldn't decide which of the already-saved usernames to use), she would just create a new account and have Safari save those credentials. The website deactivates the old account when she creates a new one, but Safari doesn't know that, of course.
I'd like to have her delete the useless saved credentials so she just has one username/password saved for the website. However, they aren't available in Keychain Access, and when she clicks on the "Passwords" button in Safari's preferences, it asks for her login password with the message "Passwords are locked. To unlock passwords, enter the password for the user 'her name'."
All I can find on the web is instructions for resetting her login password, which loses everything in her login Keychain, including usernames and passwords saved by Safari, Wi-Fi network passwords, etc. Is there any way to avoid that, and either
(A) find out her existing login password, or
(B) delete the extra usernames/passwords saved by Safari?
I think your friend is hosed, at least as far as recovering any login/password pairs from her keychain — unless she suddenly remembers her account password.

By default, the keychain uses the same password as the user's Mac account. However, if the user account password is lost and reset, the original keychain password remains unaffected. Since the keychain file uses AES-256 encryption, that's the end of that, at least unless your initials are NSA. And no, it's not accessible to the root user.

Depending on how large your user's online footprint may turn out to be, reconstructing her keychain contents is either going to be a major annoyance or a monster PITA. Some people need a lengthy/obscure user account password (and/or FileVault), but most ordinary users probably don't. They should use something that's easy to type reliably and to remember, and have it written down somewhere, just in case.
 


I think your friend is hosed, at least as far as recovering any login/password pairs from her keychain — unless she suddenly remembers her account password.
By default, the keychain uses the same password as the user's Mac account. However, if the user account password is lost and reset, the original keychain password remains unaffected. Since the keychain file uses AES-256 encryption, that's the end of that, at least unless your initials are NSA. And no, it's not accessible to the root user.
Depending on how large your user's online footprint may turn out to be, reconstructing her keychain contents is either going to be a major annoyance or a monster PITA. Some people need a lengthy/obscure user account password (and/or FileVault), but most ordinary users probably don't. They should use something that's easy to type reliably and to remember, and have it written down somewhere, just in case.
Didn't Apple provide some option to use one's AppleID password in place of the Mac admin password? I'm not sure what else needed to be implemented (perhaps she needed to be logged into iCloud?).
 


I think your friend is hosed, at least as far as recovering any login/password pairs from her keychain — unless she suddenly remembers her account password. By default, the keychain uses the same password as the user's Mac account. However, if the user account password is lost and reset, the original keychain password remains unaffected. Since the keychain file uses AES-256 encryption, that's the end of that, at least unless your initials are NSA. And no, it's not accessible to the root user.

Depending on how large your user's online footprint may turn out to be, reconstructing her keychain contents is either going to be a major annoyance or a monster PITA. Some people need a lengthy/obscure user account password (and/or FileVault), but most ordinary users probably don't. They should use something that's easy to type reliably and to remember, and have it written down somewhere, just in case.
I wasn't sure about root, but I thought I'd mention it as something he could try.

I agree entirely about user login passwords. I tell my elderly relatives to turn off auto login but make the password simple and memorable (and write it down somewhere). In this way they have to regularly use the password so if one actually has to access Keychain or install software, one can actually do it.
 


Yes, a good idea for those who have wills, though if you put your will in a safe deposit box, at least be sure your lawyer has an executed copy and there's a plain old photocopy around and handy. Helps get in the safe deposit box, which may be "sealed" on your death.
In my career working the estate field, I've had bank customers who, toward the end, couldn't find the bank, and if they remember they have a safe deposit box, couldn't turn up the key. Then there are gentlemen like our original poster's friend. Few assets, no will, no safe deposit box - and no suspicion there was a "gotcha" password that would lock his friend out of the iPad, even though the friend had the log-in code. It was news to me.
We make fun of people who write their passwords on paper and keep them near the computer. That's actually pretty safe, as burglars are more likely to grab the computer and run than search nearby passwords and try to raid online accounts. However you store passwords - paper, USB key, online - it's important that someone else know your method and have access, "in case you're hit by a bus."
InfoSec Resources said:
A principle which is a core requirement of information security for the safe utilization, flow, and storage of information is the CIA triad. CIA stands for confidentiality, integrity, and availability and these are the three main objectives of information security.
It is very common for users to worry about information disclosure (confidentiality). It is much less common for users to worry about information loss (integrity and availability). This makes a [paper] notebook in the desk drawer with locations and credentials along with support contacts a very valuable asset. When you help someone, be certain to explain this and even give them a small bound lab notebook. Enter as much as you can yourself. It will be useful to the user and to you for years on.

This is equally important as backups - Time Machine is the bare minimum for any macOS user. If you use a safe deposit box, you might consider granting a key and access to a trusted third party.
 


Didn't Apple provide some option to use one's AppleID password in place of the Mac admin password? I'm not sure what else needed to be implemented (perhaps she needed to be logged into iCloud?).
Yes they did, although you have to affirmatively opt in to that. Somehow this didn't seem like a case where that might be likely, but to be proven wrong would be great.

And to be clear, using your iCloud password isn't an override to log in to your user account in case you forget the normal password; it's a substitute that can be chosen at initial setup of the user account (or later by changing the password). The obvious downside is that if you then forget the iCloud password, you'd be locked out of both your Mac and your iCloud account. Ouch.
 


Thanks to all of the MacInTouch community who contributed information to my situation. Every idea you proposed, I will explore. I've learned a great many things about Apple security and iOS during this discussion. The input from this community was welcomed but never doubted. This is the premier Apple/Macintosh information site on the net.
At some point when I set up my iPhone, I had to give a 4-digit PIN for iCloud setup. This was independent of my Apple ID credential and my iPhone unlock code. Could this be what is missing? (And if someone already addressed this, my apologies for a duplicate answer.) And if I remember correctly, I have not been asked for the PIN since I set it up.
 


I tell my elderly relatives to turn off auto login but make the password simple and memorable (and write it down somewhere). In this way they have to regularly use the password so if one actually has to access Keychain or install software, one can actually do it.
I keep a record of my passwords, too, but never delete/erase the old ones, as I’ve had to walk my way through the list on a few occasions trying to resurrect an old account or backup, etc.
 


I keep a record of my passwords, too, but never delete/erase the old ones, as I’ve had to walk my way through the list on a few occasions trying to resurrect an old account or backup, etc.
For a few years now, I have let 1Password remember my password history. Of course, the Emergency sheet with Master Password is also in the Safe Deposit box, along with occasional exported data copies.
 


I agree entirely about user login passwords. I tell my elderly relatives to turn off auto login but make the password simple and memorable (and write it down somewhere). In this way they have to regularly use the password so if one actually has to access Keychain or install software, one can actually do it.
In addition to turning off auto login and in an effort to increase security for a simple and memorable password for the elderly, length is a crucial and usually easy option. For example:

Thisismypassword,andIwon'tEVERforgetit!1234

is 43 characters long, easy to remember, and has a few non-alpha characters. You could make it even longer. However, I couldn't find the maximum length Apple allows, despite several searches of Apple's support lists. Presumably it's at least 64 characters and perhaps as high as 256.

This format can easily be tailored to multiple accounts by, say, adding "Mac", "bank", "Facebook", or "email" between "my" and "password" in the string. Unique, easy to remember passwords for every account.

Unfortunately, there are a large number of organizations, including quite a few financial institutions (!), which limit password length to 16 or fewer characters. Please complain to their tech support if you are a customer.

Also, I suggest the user write all the passwords down in multiple locations and perhaps give a copy to a trusted friend or family member.
 


I keep a record of my passwords, too, but never delete/erase the old ones, as I’ve had to walk my way through the list on a few occasions trying to resurrect an old account or backup, etc.
Or, you have been asked to change your password, and it will not let you use one you have used previously.
 


In addition to turning off auto login and in an effort to increase security for a simple and memorable password for the elderly, length is a crucial and usually easy option. For example:
Thisismypassword,andIwon'tEVERforgetit!1234
Alas, password length has other drawbacks, first practical and then social.

Yes, a passphrase such as the example you gave is fairly easy to remember, but it's now much more difficult to type accurately (and impossible on an iPhone). There's also now more scope for mis-remembering parts of it.

The social consequence that follows is the user getting fed up with the whole exercise, using PASSWORD1234 instead, and then applying that to all their bank accounts.

I use a password assistant that generates random passwords in various formats, one of which I like particularly. This uses combinations of words, symbols and numerals in the character length of your choice. Here's a 12-character example: laws8#Caging. This format is easy to type and remember. Need more security? Make it longer, like this 16-character password: Sorry21,drainer.
 


I keep a record of my passwords, too, but never delete/erase the old ones, as I’ve had to walk my way through the list on a few occasions trying to resurrect an old account or backup, etc.
I once tried to update a website log-in with a new password and did so by first clearing the password field in the Password Wallet entry, having the application generate a new one, and saving the file.

The "new" password didn't "take", and I'd erased it from my password database.

Fortunately, I had backups of the password data file.

Thereafter, I follow these steps:
  1. Copy the "old" password field into the Notes area, with a comment it was replaced, and the replacement date.
  2. Save file
  3. Delete old password from password field.
  4. Generate new password
  5. Save file
  6. Use new password to replace old one on website.
  7. Close browser, return to website, verify new password works
  8. If it doesn't, try the old one that's "safely" stored in the Notes area.
An alternative I use when abandoning either a website or a device like an encrypted drive is to open the entry and change its "Title" field by preceding the existing title with an x. That sorts it to the bottom of its group. I also enter the "retirement" date in the notes field, and after a very safe interval, will delete the record. I also keep old versions of the password data file in a backup folder.
 


Ric Ford

MacInTouch
I'm trying to repurpose an iPhone from a family member. I have its passcode. Apple won't let me erase it, demanding the Apple ID/iCloud password. I then had the previous owner (who is not in my location) do this:
Apple said:
Turn off Find My iPhone Activation Lock

If the previous owner isn't with you
If the previous owner isn't present, contact them and ask them to follow these steps:
  1. Sign in to iCloud.com with their Apple ID.
  2. Go to Find My iPhone.
  3. Click All Devices at the top of the screen.
  4. Select the device that you want to remove from iCloud.
  5. If necessary, click Erase [device].
  6. Click Remove from Account.
After the previous owner removes the device from their account, turn off the device and then turn it back on to begin the setup process.
This simply didn't work. The iPhone continues to demand the previous owner's Apple ID (over and over and over ad infinitum), no matter what I try.

This just illustrates how, when someone buys an iPhone, Apple ultimately continues to control it, not the purchaser, who doesn't have the cryptographic codes that Apple holds internally and through which it exerts that control.
 

