Resetting the MacOS X 10.4 (Tiger) Admin Password (without disk!)

Resetting the MacOS X Tiger administrator password can be done by booting with the Installation Disk, and selecting the appropriate menu option. This is the most commonly referred to option, with a lot of high-quality instructions available via Google.

The problem is what to do when you have no disk – or it is too inconvenient to get it. In my case, the PowerPC Mac Mini that runs MacOS X Tiger has a bad DVD drive.

In most cases, resetting a password just requires physical access to the machine and a reboot. (This is why nearly all security professionals say, If you’ve physical access to the box, it’s over.)

With Tiger, you can indeed do this. (In fact, Leopard and Snow Leopard can too – it’s just more complicated.)

Start your MacOS X 10.4 system, and at the gray screen hit (and hold) Cmd-S to enter single user mode. The screen should go black, and white writing commences – kernel messages. You should eventually get a root prompt:


At this prompt, type in these three commands (terminated with a return, of course):

sh /etc/rc
passwd admin

(Replace admin with your administrator user’s short username.) When I did this, I found that if you waited too long after doing the command sh /etc/rc, then the system would take away your prompt. So don’t lag!

This article (from 2009) over at MacYourself is one of the most complete descriptions I’ve seen; this 2007 article at MacOSX Tips is nearly as complete and adds some more thoughts too.

These articles saved me; I hope they can be of some use to you too.

Restoring Data for GNOME Evolution

Evolution is the personal information manager (PIM) for GNOME desktops, and includes Palm integration, todos, memos, contacts, email, and calendar.

Recently, I migrated from one desktop to another, and moved my data from my home directory over. Most applications were perfectly happy to find their data from their hidden directories preconfigured for them (VirtualBox was one of these).

Evolution refused to recognize the data as it was copied, and started by asking for all of the relevant information to set up a new mail account. To copy the data, it is necessary to first backup all information using Evolution’s backup process (from the File menu). This backup file can then be transfered to the new machine and restored. However, passwords are not restored as a part of this process; passwords are not included in the backup.

The passwords can just be re-entered again if necessary. If you’ve forgotten them (as I did) you can pull them from the GNOME keyring using the Seahorse application found in every GNOME installation. You can run seahorse from the command line or run it from the menu (inUbuntu Karmic Koala: Applications > Accessories > Passwords and Encryption Keys).

Patrick Ahlbrecht over at has an excellent article about recovering the passwords from Evolution. Older versions of Evolution stored the passwords using base64 encoding in a plain text file (i.e., not encrypted at all).

Next time one saves passwords in an application, think about that base64 encoded password file…

Getting Passwords from Random Data (portably!)

Over at Mark Kolich’s blog, he wrote several months ago about using a source of randomness (/dev/urandom) to generate passwords. The idea is simple enough: take the random data, strip out only the printable characters, and then print the desired length of characters for a password.

Shortly thereafter, he described how to use a simple shell script to generate many passwords – such as for setting up many different accounts.

Working with HP-UX and OpenVMS as I do, I immediately thought: how could I do this in Perl, making the idea portable and making a program that will work on both UNIX and OpenVMS? It was easy – and easy to make it flexible as well. Here is the program that I came up with:


# code released by David Douthitt into the public domain

use Getopt::Long;

GetOptions( 'l=i' => \$opt_l,
            'p=s' => \$opt_p,
            'm=i' => \$opt_m );

$pat{"ext"} = "[[:alnum:][:punct:]]";
$pat{"alnum"} = "[[:alnum:]]";
$pat{"alpha"} = "[[:alpha:]]";
$pat{"simple"} = "[a-km-z2-9]";
$pat{"normal"} = "[a-km-z2-9A-HJ-NPR-Z]";

if (defined($opt_p)) {
   if (defined($pat{$opt_p})) {
      $pat = $pat{$opt_p};
   } else {
      print "undefined pattern!\n";
} else {
   $pat = $pat{"normal"};

$max = (defined($opt_m) ? $opt_m : 1000);
$len = (defined($opt_l) ? $opt_l : 6);

$x = $len;

for $i (0..$max) {
   $c = chr(int(rand(255)));
   if ($c =~ /$pat/o) {
      $s .= $c;
      if (--$x == 0) {
         print "$s\n";
         $x = $len;
         $s = "";

Note that since OpenVMS does not use the “#!” notation, that this line will be ignored as a comment and the program needs to be invoked via direct invocation of perl itself.

As an aside, Mark says how he prefers random passwords. Me, I prefer “pronouncable” passwords – still random, but using phoenemes which makes the generation process just that more complicated – and complicates internationalization. Apple’s MacOS X comes with a password generator that can generate random and pronouncable passwords.

However, with the proper password storage system a fully randomized password is good – or is it? A completely random password of eight characters could be zzzzzzzz as much as anything else. Perhaps a password with a random distribution of characters (rather than a random selection of characters) would be better. I’m not aware of any password generators that guarantee a random distribution instead of a random collection.

Powered by ScribeFire.

The real benefit of a password vault: security!

Using a password vault or a password safe can provide some ease and can simplify our lives nicely. However, what is the point of saving all these passwords when we can just type it in – or use Firefox or Opera to do it for us?

Let’s look at several and consider what they offer – and the hidden surprise that makes them most valuable. There are several that are worth considering depending on your environment – Apple’s Keychain, GNOME’s Keyring, KDE’s Kwallet, KeePass and KeePassX, and Passpack. The first three belong to that set of tools that provide for password vaults that are unlocked when you log into your computer. As long as you are logged in – and perhaps only until the screen saver kicks in or you log out – these tools will be active and your passwords automatically available.

KeePassX is part of a small set of tools that provide this capability, though in a cross-platform way.

Lastly, PassPack is an online password vault which is easy to use and provides for exports to other systems like KeePassX and its ilk.

What is it that provides a surprisingly high level of security with the use of these vaults? Simply this:

You can generate random passwords of arbitrary length that you need not even try to remember.

This is very powerful. Passwords no longer need to be memorized: so why try? The passwords can be generated by the associated password generator, and then copied or otherwise placed into the password field of whatever process is requesting authorization.

There is no pattern which makes it easier to crack – no combinations of words, numbers, etc – just pure randomness (or as close as one can get on a non-random entity like a computer).

Once you have a tool like a password manger in place, you can use a different password – a random password – for every site and every location that a password is needed.

Coming up with Strong Passwords

Passwords are the first line of defense into almost every computer and every server. Some do use One-time Passwords, Keycards, or biometric sensors – but they are the unusual ones.

Let’s go back to basics, and figure what our requirements are. If we wax a bit, and dream up the ultimate set of requirements for strong passwords, it might look something like this:

The passwords must be easy to remember. If you can’t remember it, you may be caught short and not be able to log in. If you have to write it down, someone could see it or snatch the sticky note. Also, if a user has to write their password down, they are likely to write it down where all the world can see it.

The password must have a random character distribution. This is different than being random you might note. A fully random password means that a password of all ‘A’s is equally possible to any other; what we really want is a random distribution of letters within the password (I hope I said that right!). In that case, all ‘A’s would be impossible as the distribution is all on the letter A. The ideal would be random letter distribution, but an English (or native language) letter distribution would probably be suitable.

Writing down the password must not give it away. This is one I’ve not seen anywhere, but it would be nice.

A new password must be easy to generate. Ever have to come up with a suitable password? Of course… but how long does it take to come up with one that is both secure and easy to remember?

So how do we come up with passwords and adhere to our given requirements?

My thoughts are: use a phrase you can remember (easy to remember) and then write it down in a series of boxes – that is, in a 6×6 grid for example.  With such a grid, you could then write in a sentence (left to right), then read the letters in a different order (perhaps top to bottom, over one, bottom to top, over one, top to bottom …).  In essence, you are memorizing a simple and easy password and a pattern – then typing in the resulting text.  Left over characters could be Xs or Zs or numbers or special characters.

I can’t speak to the strength of this method, but I suspect it is pretty strong.  You could even “clip” the password at a certain number of characters while using a large phrase – which would make it stronger perhaps, since the entire phrase would not be used.

If this interested you, you may also be interested in Diceware: a method of using dice to select words (for a passphrase) in a wordlist.  There are some interesting ideas on how to make the passphrase stronger, and so on.  However, my idea requires no additional materials at all and results in a seemingly random set of characters for a password.