Passwords & Security

If you forget your login password

If you can’t remember your login password, try the following:

If you forget your password while logging in, click the question mark in the password field to see a hint. If you don’t see a question mark, your user password doesn’t have a hint. For more information, see Add a password hint.

If you must enter an administrator’s name and password but don’t know them, ask the person who set up your Mac for help. If you set up the Mac, the user you created during setup is an administrator.

If you don’t have a password hint, or if you can’t remember your password after displaying the hint in the login window, you can reset your password. For more information, see Reset a login password.

Apple ID can be used to reset your user account password

Learn how Apple ID can be used to reset your user account password.

Use your Apple ID to shop the iTunes Store, log in to iChat or iCloud, make a reservation with a Genius, and access Apple.com support and more. In OS X you can even use your Apple ID to reset your user account password, in case you cannot recall what your OS X account password is.

What’s an Apple ID?

An Apple ID lets you personalize your Apple experience. You use your Apple ID to access Apple resources that require you to identify yourself. Learn more about your Apple ID.

How to allow your Apple ID to reset your OS X user password

When you start OS X or a new Mac with OS X Lion or later for the first time, you enter the OS X Setup Assistant where you will be asked to enter your Apple ID. After entering your Apple ID, select the “Allow my Apple ID to reset this user’s password” option during the “Create your Computer Account” stage.

If you didn’t enter your Apple ID during the OS X Setup Assistant or your Mac already has its user accounts, you can follow these steps:

  1. Open System Preferences, then click Users & Groups.
  2. To bind an Apple ID to your OS X user account, click the Apple ID: “Set…” button and enter an Apple ID name and password, or click the “Create Apple ID…” button to create a new Apple ID using Safari.
  3. Select the “Allow user to reset password using Apple ID” check box.

Note: FileVault 2-enabled Macs will not show the “Allow user to reset password using Apple ID” option. Learn more about FileVault 2, including how to reset its password.

To reset your OS X user password with your Apple ID

If you incorrectly enter your account password at the login window three times, a message appears stating “If you forgot your password, you can reset it using your Apple ID”. Click the arrow-in-a-circle icon to bring up the “Reset Password” dialog. Enter your Apple ID and password, then click “Reset Password” to proceed.

Note: In some cases, you may not be presented with the opportunity to reset the password after three incorrect attempts. If this happens, open Users & Groups preferences, remove the affected Apple ID, and then add the same Apple ID back. This issue could occur after upgrading from Mac OS X v10.6 to OS X Lion.

Note: Changing the user account password will create a new keychain. The previous keychain still exists and can be accessed if you later remember the previous password.

Click “OK” in the dialog that appears to inform you about the new keychain.

Fill in the New password, Verify password and Password hint fields, then click “Reset Password” to proceed.

Click “Continue Log In” to finish logging in using the new password you just created.

Understand passwords

OS X is designed to give you a safe and secure computing environment. The security of your Mac depends a great deal on using secure passwords in key areas.

Login password

A login password, also called a user password, allows the user to log in and access the information on the Mac. Privileges are limited by the type of user. An administrator user is required to perform many important tasks, such as setting certain system preferences, installing software, and administering standard users. For more information, see Set up users on your Mac.

Passwords in iCloud Keychain

Keeping track of passwords is hard, especially if you never use the same password twice and have multiple devices. iCloud Keychain keeps website and Wi-Fi passwords up to date across your Mac and iOS devices. It also keeps account passwords and settings that you add to Internet Accounts preferences up to date on your Mac.

When you need to create a new password for a website, Safari suggests a unique, hard-to-guess password and saves it in your iCloud Keychain. Safari fills it in automatically the next time you need to sign in, so you don’t have to remember it or enter it on any of your devices. For more information, see Set up iCloud Keychain.

Passwords for websites or Internet apps

If you need help with a password for a website, see the website’s help, or the account information on the website.

If you need help with a password for an app that connects to an account on the Internet or a network, see the documentation that came with the app, or online information that supports the app. For example, if you have a mail account with a service provider or website, see the documentation on the website or contact the provider. For more information, see the Apple Support article If Mail on your Mac keeps asking for your password.

Passwords in Keychain Access

Keychain Access stores passwords for various apps and services, and saves you the effort of authenticating separately for each of the items in your keychain. The keychain is secured by a keychain password, which is unlocked when a user logs in. For more information, see About your keychain password.

Apple ID

A user’s Apple ID can be used to reset the login password if the password is forgotten. For more information, see the My Apple ID website.

Recovery key

When you encrypt the information on your Mac using FileVault, a recovery key is created as a safeguard. If you forget your login password, you can use the recovery key to unlock the encoded contents of your Mac. The recovery key should not be physically stored with the Mac where it can be discovered. You can also have Apple store your recovery key. For more information, see Reset a login password.

Resetting your keychain in Mac OS X

If Keychain First Aid finds an issue that it can’t repair, or if you don’t know your keychain password, you might need to reset your keychain.

Resetting a keychain sets aside the original default keychain file and creates a new one.

To reset your keychain in Mac OS X:

  1. Open Keychain Access, which is in the Utilities folder within the Applications folder.
  2. From the Keychain Access menu, choose Preferences.
  3. Click General, then click Reset My Default Keychain.
  4. Authenticate with your account login password.
  5. Quit Keychain Access.
  6. Restart your computer.

To reset your keychain in Mac OS X 10.3 through 10.3.9:

  1. Open Keychain Access, which is in the Utilities folder within the Applications folder.
  2. From the Window menu, choose Keychain First Aid.
  3. Click Options…
  4. Click Reset My Keychain, which is under the General pane.
  5. Authenticate with your account login password.
  6. Quit Keychain Access.
  7. Restart your computer.

About Gatekeeper

Gatekeeper helps protect your Mac from apps that could adversely affect it.

Some apps downloaded and installed from the Internet could adversely affect your Mac. Gatekeeper helps protect your Mac from such apps. Read this article to learn about Gatekeeper and its options.

Gatekeeper is a new feature in Mountain Lion and OS X Lion v10.7.5 that builds on OS X’s existing malware checks to help protect your Mac from malware and misbehaving apps downloaded from the Internet.

The safest and most reliable place to download and install apps is via the Mac App Store. Apple reviews each app before it’s accepted by the store, and if there’s ever a problem with an app, Apple can quickly remove it from the store.

For apps that are downloaded from places other than the Mac App Store, developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven’t been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed.

Note: If you have an app that has not been signed with a Developer ID to support Gatekeeper, contact the developer of the app to determine if they offer an update which supports Gatekeeper.

Malware detection (not Gatekeeper) uses what is known as a “deny list” technique to prevent known malware from running on your Mac. Unique attributes of identified malware are added to this list. If you attempt to open an app on the deny list, you will see a message informing you about it.

Note: If an app with a revoked Gatekeeper certificate is already installed, it will continue to run.

Important: Developer ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet.

Gatekeeper options

Gatekeeper gives you more control over what you install. You can choose the safest option and only allow apps that come from the Mac App Store to open. There is also the option of only allowing apps that come from the Mac App Store and identified developers. Or you can choose to allow any apps to open, just like previous versions of OS X.

Gatekeeper options are found in Apple menu > System Preferences… > Security & Privacy > General tab under the header “Allow applications downloaded from:”

Note: The default setting for Gatekeeper in OS X Lion v10.7.5 is “Anywhere”.

Gatekeeper options are:

  • Mac App Store – Only apps that came from the Mac App Store can open.
  • Mac App Store and identified developers (default in OS X Mountain Lion) – Only apps that came from the Mac App Store and from developers using Gatekeeper can open.
  • Anywhere – Allow applications to run regardless of their source on the Internet (default in OS X Lion v10.7.5); Gatekeeper is effectively turned off. Note: Developer ID-signed apps that have been inappropriately altered will not open, even with this option selected.

How to open an app from an unidentified developer and exempt it from Gatekeeper

If you are confident the app downloaded from the Internet is the latest version and is from a source you trust, you can open an app from an unidentified developer by following these steps.

Important: Some Apple screened apps from developers that are in the process of acquiring Developer ID signatures will present the “Open” option when they are double-clicked.

Note: In most cases, you will only have to perform these steps once for all user accounts on the Mac:

  1. In Finder, Control-click or right-click the icon of the app.
  2. Select Open from the top of the contextual menu that appears.
  3. Click Open in the dialog box. If prompted, enter an administrator name and password.

Note: If there is an app that presents multiple Gatekeeper dialog boxes, you can temporarily use Gatekeeper’s “Always” option. Make sure to restore the Gatekeeper option that was there before to bring back Gatekeeper function.

Gatekeeper messages

  • Gatekeeper options set to “Mac App Store”
    • “App name” can’t be opened because it was not downloaded from the Mac App Store
      • Your security preferences allow installation of only apps from the Mac App Store.
      • Safari downloaded this file Date from URL.

  • Gatekeeper options set to “Mac App Store and identified developers”
    • “App name” can’t be opened because it is from an unidentified developer
      • Your security preferences allow installation of only apps from the Mac App Store and Identified developers.
      • Safari downloaded this file Date from URL.

  • “Damaged” app. – The app has been altered by something other than the developer. This message will appear no matter the Gatekeeper option chosen.
    • “App name” is damaged and can’t be opened. You should move it to the Trash.
      • Safari downloaded this file on Date & Time from URL.

  • Control-clicking the app icon then selecting “Open” – Used to exempt Developer ID signature protection from an unidentified developer.
    • “App name” is from an unidentified developer. Are you sure you want to open it?
      • Opening “App name” will always allow it to run on this Mac.
      • Safari downloaded this file Date from URL.

System administrators

Manage Gatekeeper policy

Gatekeeper uses rule-based policies that can be modified for education and enterprise environments.

Use Profile Manager to customize Gatekeeper policies.

See man spctl for Terminal command methods to customize and inspect Gatekeeper policies. This will give you direct access to the System Policy Assessor.

See man codesign to examine code signatures.

About the “Are you sure you want to open it?” alert (File Quarantine / Known Malware Detection) in OS X

OS X improves download validation by providing file quarantine in applications that download files from the Internet. This means that downloads are checked for safety (known malware) when you try to open them.

File Quarantine

File quarantine-aware applications that download files from the Internet, or receive files from external sources (such as email attachments), attach quarantine attributes.

  • Quarantine-aware applications include Safari, Messages, iChat and Mail.
  • These attributes include date, time, and a record of where the file was downloaded from.

When you open a file received through a quarantine-aware application, OS X warns you where the file came from. You receive an alert asking, “Are you sure you want to open it?” You should click Cancel if you have any doubts about its safety.

If you have multiple user accounts on your Mac, the user account that downloaded the file is the only user account that can remove the quarantine attribute on a file. All other user accounts can open a quarantined file, but they are still presented with an alert asking “Are you sure you want to open it?” every time they open the file.
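
The quarantine attributes described above are stored on the file in the `com.apple.quarantine` extended attribute. The following shell functions are an added example, not part of the original article: they decode that value into its fields. The four-field layout and the meaning of the 0x0040 flag bit are assumptions drawn from public analyses of the attribute, and the sample value is constructed.

```shell
#!/bin/sh
# Added example: decode the value of the com.apple.quarantine extended attribute.
# Assumed layout: flags;hex-epoch;agent;event-uuid (later fields may be missing).

# is_hex STRING -> succeeds only for a non-empty string of hex digits.
is_hex() {
    case $1 in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# parse_quarantine VALUE -> prints key=value lines; fails on a malformed value.
# The body runs in a subshell so the IFS and globbing changes do not leak.
parse_quarantine() (
    IFS=';'
    set -f
    set -- $1
    q_flags=${1:-}; q_time=${2:-}; q_agent=${3:-}; q_uuid=${4:-}
    is_hex "$q_flags" || { echo "error=bad flags field"; exit 1; }
    echo "flags=0x$q_flags"
    # Assumption: bit 0x0040 is set once a user has approved opening the file.
    if [ "$(( 0x$q_flags & 0x0040 ))" -ne 0 ]; then
        echo "user_approved=yes"
    else
        echo "user_approved=no"
    fi
    # The download time is stored as hexadecimal seconds since the Unix epoch.
    if is_hex "$q_time"; then
        echo "epoch=$(( 0x$q_time ))"
    else
        echo "epoch=unknown"
    fi
    echo "agent=${q_agent:-unknown}"
    echo "event_id=${q_uuid:-unknown}"
)

# quarantine_of FILE -> decoded attribute of a file (OS X only, needs xattr(1)).
quarantine_of() {
    command -v xattr >/dev/null 2>&1 || { echo "error=xattr not available"; return 1; }
    q_raw=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || { echo "quarantined=no"; return 0; }
    echo "quarantined=yes"
    parse_quarantine "$q_raw"
}

# Constructed sample value (not taken from a real download).
SAMPLE='0083;50000000;Safari;11111111-2222-3333-4444-555555555555'
parse_quarantine "$SAMPLE"
```

On a Mac, `quarantine_of ~/Downloads/SomeFile.dmg` (a hypothetical path) reports whether the file is still quarantined and which application recorded the download.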

Known malware check

Mac OS X Snow Leopard v10.6 and later also check for known instances of “malware”, or malicious software. When you open a quarantined file, OS X checks to see if it includes known malware. If so, an alert message similar to the following appears:

If you see “(file name) will damage your computer,” you should click Move to Trash.

If the file is a disk image, you should click Eject Disk Image and then delete the source file.

Tip: Click the Help icon in the lower left corner of the alert message for more information about malware.

Blocking web plug-ins

To help limit exposure to potential “zero day” exploits from web plug-in enabled content, OS X also blocks specific versions of web plug-ins from functioning – including Java web apps, or Adobe Flash content. Typically an update to the web plug-in is available on the same day, or shortly after OS X blocks the web plug-in. Install the new update to restore web plug-in function.

Gatekeeper

OS X Lion v10.7.5 and later include Gatekeeper, a technology that allows developers to sign applications. Signed applications normally don’t present an alert when you download and open them. Internet files downloaded from other applications get file quarantine attributes but without date, time, and link of the file downloaded.

Advanced users only

You can toggle the ability of File Quarantine to receive updates from Apple about malware and web plug-ins.

Important: Deselecting this option disables the ability to identify new malware, and leaves your Mac vulnerable to new malware without notification.

OS X Mavericks and later

  1. Choose Apple () menu > System Preferences.
  2. Click the App Store icon in the System Preferences window.
  3. Select or deselect the option to “Install system data files and security updates.”

OS X Mountain Lion or earlier

  1. Choose Apple () menu > System Preferences
  2. Click the Security & Privacy icon in the System Preferences window.
  3. If the padlock in the lower left corner of the Security & Privacy pane is locked, click it and enter an administrator name and password.
  4. Click the Advanced button.
  5. Select or deselect the “Automatically update safe downloads list” setting to toggle File Quarantine updates.

What is malware?

If a warning message tells you that something you have downloaded from the Internet is “malware,” you should exercise caution. The safest action is to put the item in the Trash, and then empty the Trash.

Malware is an abbreviated term for malicious software. Malware includes viruses, worms, trojan horses, and other types of software that can damage your system or violate your privacy. Malware can be installed on your computer when you download content or an app from the Internet, either from email or websites.

Certain instances of malware are merely harmless or annoying. More often, its intent is to take control of your computer to collect personal information, host illegal content, send spam email, or cause harm to other systems on the network. Personal information that’s collected often includes credit card, banking accounts, social security numbers, or other identifying information leading to identity theft and financial loss.

Avoid opening items downloaded from websites and email messages unless you are certain that they come from a legitimate, trusted source. If you are uncertain about the source of a downloaded item, it is best to delete the item. You can always download it again later, after you have made certain that the item is not malware.

This article provides information on safe download malware protection:

Apple Support article: About safe download malware protection

How to get software updates for your Mac

Update OS X and apps that you got through the Mac App Store or from Apple.

Use the Mac App Store

  1. Open the App Store app on your Mac.
  2. Click Updates in the toolbar.
  3. Update each app individually, or click Update All to install all available updates.

To find software upgrades instead of updates, use Search in the upper-right corner of the window. An upgrade is a major new version of the software. For example, OS X El Capitan is an upgrade from OS X Yosemite or earlier.

Or use Software Update

The Mac App Store is included with OS X Snow Leopard v10.6.6 and later. If you don’t have the Mac App Store, choose Software Update from the Apple menu, then follow the onscreen instructions. Some software updates are also available from the Apple Support Downloads site.
