Update, May 2019
Now that there are SecureToken users, the command below no longer works to reset another user’s password. Thanks to mario on the MacAdmins Slack for testing.
Acknowledgements
Just a cleaned-up version of directions from Mac Script to change Administrator password
Changing a user password via terminal command
If you ever want to change a user’s password from the command line (for scripting purposes, say), you can. Despite what the linked post says, you don’t have to be logged in as that user, but you do have to be logged in as an admin user and run the commands with sudo. There are two steps: reset the account password, then set the user’s login keychain to the same new password so the keychain still unlocks automatically at login. The keychain step is this command:
sudo security set-keychain-password -o oldpassword -p newpassword /Users/username/Library/Keychains/login.keychain
Substitute the user’s actual short name for username, the keychain’s current password for oldpassword (normally the same as the old login password), and the new password for newpassword. On macOS Sierra (10.12) and later the login keychain file is named login.keychain-db rather than login.keychain, so adjust the path accordingly.
If you don’t know the old password…
If, for some reason, both you and the user have forgotten the old password and you don’t want to wrestle with keychain problems, you can instead delete the user’s existing login keychain (the login.keychain file at the path shown above) rather than running the second command to update its password. macOS creates a fresh, empty login keychain at the user’s next login; everything stored in the old one (saved passwords, certificates, keys) is gone for good, so warn the user before you do this.
Security issues
One strong caveat: by default the terminal saves every command to ~/.bash_history in plain text (~/.zsh_history if your shell is zsh), so you are effectively storing the user’s password in plain text unless you temporarily disable history for that session or later open the history file in a text editor (nano, say) and delete the offending lines by hand. Bash writes its history when the shell exits, so do that editing after the shell you typed the command into has closed, or your deletions will be overwritten. Passwords passed as arguments are also visible to anyone on the machine who lists running processes while the command runs. Better still, leave off -o and -p: security then prompts for the old and new passwords on the terminal, and nothing lands in history or the process list.
If you distribute this as part of a .pkg, nothing shows up in anyone’s .bash_history, but the password is now sitting in plain text inside the package’s scripts, so keep that .pkg tightly controlled and delete it (along with any copies your deployment tool keeps) once it has been deployed. The arguments are still visible in the process list while the package’s script runs.
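The script below is an added example for both the reset procedure above and the history caveat; it is not from the post or from the linked Mac Script directions, and the file name reset-user-password.sh is hypothetical. It leaves the passwords off the command line entirely, relying on dscl and security prompting for a password when it is omitted, so nothing reaches ~/.bash_history or the process list; it handles the login.keychain versus login.keychain-db naming, offers the delete-the-keychain fallback for a forgotten old password, and includes a scrub function that removes password-bearing lines from a history file the way the post suggests doing by hand. As the post’s own update notes, the dscl reset no longer works for SecureToken users, so the reset job assumes a Mac from before that change.

```bash
#!/bin/sh
# reset-user-password.sh (hypothetical name; added example, not the post's own code)
#
#   reset USER [--delete-keychain]   reset a local account's password and bring
#                                    its login keychain into line, prompting for
#                                    passwords instead of taking them as arguments
#   scrub HISTFILE                   strip history lines that carried a password
#
# Run the reset job as an admin via sudo. Assumes dscl and security prompt for
# any password omitted from the command line (documented behaviour of both).
set -u

# Path of the login keychain inside a home directory. macOS 10.12 and later name
# the file login.keychain-db; older releases use login.keychain. When neither
# exists yet, return the modern name.
login_keychain_in() {
    home="$1"
    if [ -f "$home/Library/Keychains/login.keychain-db" ]; then
        printf '%s\n' "$home/Library/Keychains/login.keychain-db"
    elif [ -f "$home/Library/Keychains/login.keychain" ]; then
        printf '%s\n' "$home/Library/Keychains/login.keychain"
    else
        printf '%s\n' "$home/Library/Keychains/login.keychain-db"
    fi
}

# Accept only a plain local short name, so the record path handed to dscl and
# the keychain path handed to rm cannot be steered elsewhere.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

reset_user_password() {
    user="$1"; mode="${2-}"
    if ! valid_username "$user"; then
        echo "reset: invalid username '$user'" >&2; return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "reset: run this via sudo as an admin user" >&2; return 2
    fi
    if ! dscl . -read "/Users/$user" RecordName >/dev/null 2>&1; then
        echo "reset: no local account named '$user'" >&2; return 1
    fi
    # No password arguments: dscl prompts for the new password on the terminal.
    dscl . -passwd "/Users/$user" || return 1
    keychain="$(login_keychain_in "/Users/$user")"
    if [ "$mode" = "--delete-keychain" ]; then
        # Old password unknown: drop the keychain. macOS builds a fresh one at the
        # next login; everything stored in the old one is lost.
        rm -f "$keychain"
        return 0
    fi
    # Likewise, with -o and -p omitted security prompts for old and new password.
    security set-keychain-password "$keychain"
}

# Remove history lines that carried a password as an argument. The patterns are
# the two commands this page discusses. Prints the number of lines removed.
# Run it after the shell that typed the command has exited: bash rewrites its
# history file from memory on exit, so earlier edits would be overwritten.
scrub_history() {
    histfile="$1"
    [ -f "$histfile" ] || { echo "scrub: no such file: $histfile" >&2; return 1; }
    before=$(wc -l < "$histfile")
    tmp=$(mktemp "${TMPDIR:-/tmp}/hist.XXXXXX") || return 1
    grep -E -v 'set-keychain-password|dscl[[:space:]].*-passwd' "$histfile" > "$tmp" || true
    after=$(wc -l < "$tmp")
    # Writing through cat keeps the history file's mode and owner intact.
    cat "$tmp" > "$histfile" && rm -f "$tmp"
    echo $((before - after))
}

case "${1-}" in
    reset) reset_user_password "${2-}" "${3-}" ;;
    scrub) scrub_history "${2-}" ;;
    '')    ;;   # sourced or run without a job: just define the functions
    *)     echo "usage: $0 reset USER [--delete-keychain] | scrub HISTFILE" >&2 ;;
esac
```

Typical use is sudo ./reset-user-password.sh reset username, adding --delete-keychain when the old password is lost, and ./reset-user-password.sh scrub ~/.bash_history afterwards if a password did get typed on a command line at some point. Because neither password is ever an argument, there is nothing for history or ps to capture in the first place.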