Mavericks logon password

johnny
(@johnny)
Eminent Member
Joined: 21 years ago
Posts: 21
Topic starter  

Hoping for some help with this one.

I have a MacBook with a password protected user account, the OS is 10.9.1 - Mavericks and I'd like to be able to either reset the password or make an attempt to break it.

I am aware that the latter will not be easy as it is probably a salted SHA hash. What's more the method I have used in the past to locate the hash appears to have disappeared in this version of OSX.

I still have the user's .plist file in \private\var\db\dslocal\nodes\Default\users

but I can't find the corresponding file and .state file under \private\var\db\shadow\hash.

I've looked for any file with the UID string in its name but there are none, only a folder. This contains a number of .playlist files none of which appear to contain the hash.

Something has obviously changed, can anyone out there assist in either bypassing the logon password or identifying where the hash is now kept?

I've done some Googling on the subject but haven't turned up anything of use.

Many thanks

john


   
(@joel08)
Active Member
Joined: 15 years ago
Posts: 13
 

This may not be the best method but you can usually reset passwords for users.

http://coolestguidesontheplanet.com/reset-forgotten-admin-password-osx-10-8-mountain-lion/

I've used this a couple of times when people forget their admin passwords!

May want to look at the effects this has forensically though. I believe if you document it, it will probably be okay.

Joel


   
johnny
(@johnny)
Eminent Member
Joined: 21 years ago
Posts: 21
Topic starter  

Thanks Joel!!

john


   
johnny
(@johnny)
Eminent Member
Joined: 21 years ago
Posts: 21
Topic starter  

I used Joel's suggestion to reset the password to something known. Having done so, I hashed the drive and did a before-and-after compare. Only 4 files changed, including the user's plist file. This recorded the time and date of the password change as well as a few other differences in hex values.

Sadly, I'm not able to determine which is the before and after hash.


   
(@joel08)
Active Member
Joined: 15 years ago
Posts: 13
 

Thanks for posting your findings

Joel


   