FileVault-enabled MacBook asking for old password after resetting via 'resetpassword' in recovery mode

codedil wrote:

Hi @Barney-15E, Thank you for the reply. Yes, it didn't accept the new password. and i don't i see anywhere an option to resetting the password again. Please guide me if there is any such possibility.

Resetting with ‘resetpassword’ won’t reset the FileVault password as that would render FileVault completely useless. The whole point of FileVault is to prevent anyone from getting the data without the password

This is also i think might be the core of the discussion we are trying to have here - when user is tyring the resetpassword flow in recovery mode because he/she lost or don't remember t hepassword - it didn't stop or even warn user that filevault was enabled.

How would that change anything? If you don’t know the FileVault password, there is no way to reset it without knowing other things such as a recovery key.

Did you not enable FileVault yourself? Again, that password request has nothing to do with FileVault.

However, all modern Macs are encrypted regardless of FileVault being enabled or not. It would be ludicrous to allow decrypting the drive by merely resetting the password without some authentication.

What would an user , who is totally unaware of FileVault, think would happen ? that he would be able to login with the newly reset password. But that did not happen, he is being asked or expected to enter the old password, which he obviously forgot and that's the reason he tried the 'resetpassword' flow in the first place. Thank you. Please let me know if you have any questions as well.

I have no idea why anyone would imagine you could simply and easily bypass the encryption by entering a command. However, it isn’t asking for a password to decrypt FileVault. It’s asking for a password in order to ensure you are the actual owner and didn’t just go in and use ‘resetpassword’ to bypass security.

There were several other ways to reset the password which all include a way to identify you as the owner. Since none of those were possible (I guess), you had to resort to using the one that doesn’t.

I am sure this will be reproduceble - if anyone have a spare mac and don't have any important data and okay to erase the data and reinstall - PLEASE PLEASE TRY -> With filevault enabled, with findmymac in Apple Account disabled -> Recovery Mode -> terminal -> 'resetpassword' flow. Thanks a ton.

Of course it will be repeatable for the reasons I stated. You don’t need FileVault enabled, either.

If you have an Apple Store nearby, make an appointment at the Genius Bar. Make sure you bring proof of ownership. I doubt they will be able to do anything about it, but you would get your opportunity to talk to Apple.

That's the complain here.

If you’re here to complain, please set up a Faceplant page.

Please read my other replies, especially my expectation,

None of that matters. We can’t do anything about it. We don’t work for Apple and we have no influence with them. We can only offer what we know and we have done that. If there was some surreptitious method or getting around the encryption, it would not be functionally useful.

Everything you should have done to avoid this problem you failed to do.

codedil wrote:

Hi @Barney-15E, me, owner myself was tryig to reset because i forgot the password, and stuck in a place a where there seems to be no way out. I can prove my ownership but there just seems to be no way out from here and user wasn't even warened about it and he just followed the 'resetpassword' instructions because he wasn't getting the reset options in login window. That's the complain here. Please read my other replies, especially my expectation, and let me know if you have any other suggestions. I have tried all the officilal sources or channels , indlcuding visiting offline support store here in Bengaluru, India. Thank you

Screenshot from my above reply :

https://discussions.apple.com/content/attachment/065cdef2-e6de-4e3a-9236-3567aa1e574a

I just checked with Apple Support, there is no Genuis Bar in Bengaluru India but he assured other service provider offer same service and i have already tried taking their help. Thank you.

[Edited by Moderator]

codedil wrote:

Hi @Barney-15E, let me try one last time :

Leave all your assumptions and try to understand it once again from the start.

Please do not sit on your point that user have failed to prepare for the disaster. That's already given and that's why he is here and trying to highlight that he wasn't even warned. He has followed the resetpassword steps as mentioned in the document as he wasn't getting the reset instructions in the login window. This is already highlighted couple of times in the previous replies. You can call it ignorance, but it's a fact that he wasn't aware of FileVault, he still doesn't understand it fully. Don't remember enabling it explicitly. He only learnt about it through support or reading about it later. And don't really know - why he is getting 'Activate Mac' if not for filevault (as you are saying). And unfortunately he didn't have FinedMyMac Enabled, which might have triggered this flow as per his understanding, which definitely can be questioned. It's not like he has broken the harddrive or burnt the MacBook and asking Apple for some solution. Some weird flow triggered because of different circumstances and trying to see if Apple really designed it this or if this is a flaw or miss.

Now with that, Can you answer me these two questions, in simple words as you can :

1. In the initial reply you told the current 'Activate Mac' screen I am stuck in is not related to Filevault. And you would try resetting the password again. How to do that ?

I would startup in Recovery and use Terminal to run resetpassword again, but I have no idea how you arrived at that screen. It looks like what happens when you set up a new Mac. That may be what it is doing since it cannot decrypt the drive. Resetting the password won’t change anything, though, for the reasons already outlined. You can change the password using that method over and over, but it will not release the decryption keys. That makes zero sense from a security standpoint. It is very likely you will need to erase it and start over. If it is an Apple Silicon Mac, there is this concept of an “owner” which has to be reset. That is what appears to be happening, but I don’t know if you have an Apple Silicon Mac.

2. Do you have any strong reason that Apple should not warn or stop user from using the ‘resetpassword' flow in terminal in Recovery Mode?

I don’t have any reason to think Apple should do that. It’s obviously a last resort option. You are not in this situation because you used resetpassword. You are in this situation because you forgot the password that would allow decryption. Whether you enabled FileVault or not is irrelevant because all modern Macs are always encrypted. Allowing anyone to startup in Recovery, use Terminal to reset the password, and then allow decryption is a security failure.

Why not add a step to verify the ownership there itself ?

How would that help you? You have no means to do so as it stands. How would you solve that problem? What scheme do you propose that would somehow provide the authentication not already implemented?

resetpassword is a very old utility that makes little sense in the current macOS security scheme.

Again, we can do nothing to affect Apple’s policy. You can submit feedback suggesting they dream up another way to authenticate the user.

They did have a method to reset a firmware password in the store, but doing something like that for the decryption keys opens them up to being forced to decrypt someone’s Mac. I certainly don’t want government to have that power.

It should serve the both purpose of stopping wrong people taking over and also the nudge or push actual owner to double check if he really wants to proceed with this flow ?

Again i request you leave your emotions and passing statements in your reply.

I understand that you are emotional about this, so that may be clouding your response. I’m just stating what is. You are converting that into emotions.

Leave all your assumptions about what user should have known and should have done.

That’s the heart of the matter. You want an option to recover after you failed to implement existing recovery options.

User is an individual, Apple is a system. What user did wrong or missed doing affects him, what apple did wrong or missed doing affects the System.

Why do you assume Apple did something wrong? To me, it sounds like they did everything correct. They created a security system which has several recovery options, but prevents recovery by someone who stole the device.

Because we are trying to highlight what apple could have done that prevented me, owner of the MacBook, ending up in this situation. Thank you.

Again, there is no one here that can answer that question. You are asking for a discussion on Apple’s design, policy, and future activities. We do not work for Apple. We have no control over what they do. However, Apple already provided the means for you to not end up in this situation.

codedil wrote:

I have no idea how you arrived at that screen

Good night @Barney-15E. The problem is you are trying to convey the same thing again and again which we already accepted - please read my third reply to John Galt [ who was mostly onpoint in understanding and addressing the issue and questions ]. If not for the 'resetpassword' flow that ended up here, user would still have access to using macbook, through guest user or other standard users for which he still remembers the password.

Anyway, as i have been trying to request you - please ignore. Thank you for spending your valuable time on this.

I see you don’t have any ideas on how Apple could have prevented you from getting here without reducing security. What is it you propose Apple do going forward?

I thought you wanted to get your data back. If you just want access to the computer, you just have to erase it and start over. But, you may need help from Apple to restore it. It may require a DFU reset. You can d that yourself if you have another Mac.

The genesis of the original issue was when the user clicked on Use FileVault or Not use FileVault during the initial Setup Assist process

There is a Panel, later in the Setup Asset process, where the Useris Alerted to the existence of FileVault and given the choice

Choices have consequences and consequences and repercustions

Just trying to be helpful here, and this question may be off base because I can't tell what sequence of steps you took in the past to secure your Mac and what has since gone wrong ...

Have you tried the things listed here:

How to remove Activation Lock - Apple Support

The screen you posted looks like an Activation Lock, not FileVault, is locking up your Mac. (But I might be wrong as I have never encountered such screens myself ... But if this is indeed an Activation Lock, then some of the discussion here pertaining to FileVault might not apply, but it's hard to tell without knowing exactly how you secured this Mac, which might have been a long time ago in the past and memories do fade ...)

Note also this option: start an Activation Lock support request.

Even if there is not an Apple Store in your area, there may be an Apple Authorized Service Provider and some of them are very knowledgable and may be able to help if you take the computer there in person. It would not hurt to try because as things stand now, you can't access anything on that laptop.

codedil wrote:

…But no matter what we propose the big dissapointment here is, seems Apple just not providing a way where someone from Apple can acknowledge the issue/proposal - it could be either accepted, rejected after they evaluate but the fact that it's so hard to reach the technical team or get a written reply from Apple team is dissapointing to say the least…

Here is how to set up FileVault, and setup-related options that can make data recovery available:

• Protect data on your Mac with FileVault - Apple Support
• FileVault recovery key - Apple Support
• Configure a FileVault setting in Apple Business Essentials - Apple Support

If operating without IT assistance or IT oversight, Mac users enabling FileVault are provided a recovery key. If that recovery key is not maintained, then data access can be lost if the associated login passwords are lost. Here is the Apple discussion of this, with a section on data loss highlighted:

Rather than creating a quite-probably-vulnerable backdoor, or attempting to create a functional key-escrow system and that with all the technical issues known to exist there, I’d suggest avoiding features such as FileVault and iCloud Advanced Data Protection. Backdoors and escrow systems are contrary to data security, and it’s far easier to just not enable the security rather than to undermine the technical implementation of the security. Or as happens when backdoors become known, everybody is vulnerable.

Here are some technical backdoor-related discussions from a cryptographer:

https://blog.cryptographyengineering.com/category/backdoors/

Here’s what I posted earlier. Have you explored the Activation Lock possibility:

Have you tried the things listed here:

How to remove Activation Lock - Apple Support

The screen you posted looks like an Activation Lock, not FileVault, is locking up your Mac.

Note also this option: start an Activation Lock support request.