FileVault-enabled MacBook asking for old password after resetting via 'resetpassword' in recovery mode

codedil wrote:

FileVault was enabled and FindMyMac was not enabled.  

It appears that you have forgotten your FileVault password. This is much more serious than forgetting a user login password, for which there are various solutions.

Apple's documentation warns about this and offers two methods to protect against a user forgetting their FileVault password: Protect data on your Mac with FileVault - Apple Support

See especially the sections I put in BOLD below:

Protect data on your Mac with FileVault

If you have a Mac with Apple silicon or an Apple T2 Security Chip, your data is encrypted automatically. Turning on FileVault provides an extra layer of security by keeping someone from decrypting or getting access to your data without entering your login password. If you use a Mac that doesn’t have Apple silicon or the T2 chip, you need to turn on FileVault to encrypt your data.

To set up FileVault, you must be an administrator. When you turn on FileVault, you choose how you want to unlock your startup disk if you ever forget your password:

• • iCloud account and password: This choice is convenient if you use iCloud or plan to set it up—you don’t need to keep track of a separate recovery key.
  • Recovery key: The key is a string of letters and numbers that’s created for you—keep a copy of the key somewhere other than your encrypted startup disk. If you write the key down, be sure to exactly copy the letters and numbers shown. Then keep the key somewhere safe that you’ll remember—but not in the same physical location as your Mac, where it can be discovered. If your Mac is at a business or school, your institution can also set a recovery key to unlock it.
  • WARNING: Don’t forget your recovery key. If you turn on FileVault and then forget your login password and can’t reset it, and you also forget your recovery key, you won’t be able to log in, and your files and settings will be lost forever.

Apple is very serious about the above, when they say "lost forever" they do mean that, hence they provide two ways to prevent this from happening. I am surmising you did not set up either of those two options to mitigate a forgotten password. The third option of course is maintaining complete and redundant backups of all files (I think you indicated you do not have a backup either).

I will not lecture you here, but as an engineer I do know when to recognize that something is physically impossible. Decrypting a FileVault protected solid state drive is, I believe physically impossible, not just for the user or for Apple, but also for any number of government agencies that specialize in such things.

This is why I do not use FileVault for my personal Macs. I also have at least 4 backups stored in various different secure locations.

My employer requires FileVault on all its Macs. But these are also "managed" Macs and the employer maintains its own "key" for each and every one of its Macs because employees do these things like forget their FileVault passwords.

I think what everyone is trying to tell you here (including Apple itself) is that without one of those two "forgot FileVault password" options, there is actually no known way for anyone to mitigate this.

Usually when a disaster like this happens, the user does eventually recover some of their files through:

• cloud storage (do you have Photos in iCloud, Messages in iCloud ...)
• emails and text messages sent to others with attachments, e.g. photos, videos ... these can be recovered from those others
• other copies made to external media or other cloud services (Dropbox ...)
• files, photos, videos on your iPhone or other cell phone, or other devices (tablets, even Apple Watch ...)

I would encourage you to explore the above to see what can be recovered.

codedil wrote:

Until now I was little uncertain/skeptical that if it had asked me for it and had i enabled it. But now that there is confirmation, I am mostly certain that i wouldn't have enabled it explicitly. Now that makes me question again - what is this 'Activate Mac' screen that i am seeing/stuck with ? What's the guarantee that i will not be presented with this say if i choose to go ahead with the erase mac option ?

I doubt you can erase your Mac due to that "Activate Mac" screen. Are you not seeing that as you boot into Recovery Mode?

I think you will need to perform a DFU Firmware Restore which will reset the security enclave chip, system firmware, and internal SSD (destroying all data on the internal SSD) as well as pushing a clean copy of macOS onto the internal SSD (M-series Macs only......Intel Macs you will need to then reinstall macOS through Internet Recovery Mode). You can first try a DFU Firmware Revive which resets the security enclave chip and system firmware....it should leave the data on the internal SSD intact as long as the process completes successfully.

Unfortunately the DFU Firmware Restore requires access to another Mac currently running macOS 15.x Sequoia (once macOS 26 Tahoe is released, then a Mac running Tahoe will be required). The instructions must be followed exactly in order to put the "broken" Mac into DFU Mode.

If the DFU Firmware Restore fails to apply or does not fix the problem, then most likely there is a hardware issue with the Logic Board on your laptop.

Firstly, there is still no clarity why I have ended up here - is it because of the filevault ? is it because of something else ? ( to repeat what i did : all i did was to follow the 'resetpassword' instructions in recovery mode because i wasn't getting the reset options in login window )

There are multiple things that could cause an issue like this....no I'm not sure exactly what those things could be. If the OS has an issue....usually with the admin user account, or an issue with the security enclave chip, then you may encounter this issue. With the Intel Macs with the T2 security chip, I have seen multiple instances where it was impossible to authenticate to the T2 security enclave chip even though macOS itself was still able to boot normally.

You have to keep in mind that the security enclave chip is the heart of the 2018+ Macs. The security enclave chip has ties to all a lot of the hardware to make it extremely difficult for any nefarious people to access the data on your Mac. This does have the downside of making things more difficult for the regular user as well and it also makes it more likely that something will go wrong. If the security information within the security enclave becomes corrupt or damaged, then it can become impossible to authenticate. This is also complicated by requiring at least one macOS admin user account being active & accessible.

You think the "resetpassword" caused the problem. Perhaps the login issue which required you to reset the password is actually where the problem began, but you just didn't know it at the time thinking you had forgotten the password. If there was an actual issue with logging into your macOS user account during a normal boot, then that same issue may be why you are encountering the "Activate Mac" screen because something went wrong with the macOS admin user account and/or the security enclave chip.

FYI, it is nearly impossible to figure out what went wrong. Partly due to the enhanced privacy & security features of these 2018+ Macs, and partly due to macOS itself which does not lend itself to troubleshooting these types of issues.....plus Apple doesn't really provide enough low level details on the whole security enclave implementation & authentication.

You may want to consider keeping a second macOS admin user account on your system.

And make sure you always have frequent and regular backups since there is usually no way to recover data from the internal SSD of the recent Macs due to all of the hardware, software, and security changes even if a professional data recovery service is used.

I still feel this defenitely needs some digging or at least an explanation from Apple side. But i am just not able to find a way how to do that. No way to appraoch them. It's frustrating.

You will not get such an explanation. Apple does not like communicating with users, plus there really is no way to know what happened here. The best you will get are the contributors' best guesses about what may have occurred here.

The best you can do is leave product feedback here (hard to say if this is a hardware issue or a software issue....may be a bit of both):

Product Feedback - Apple

And contacting Apple corporate to let them know about your experience with this incident and your dissatisfaction:

Contact - How to Contact Us - Apple

codedil wrote:

i have tried the 'resetpassword' option through the terminal in recovery mode

FileVault was enabled and FindMyMac was not enabled.  

My compalin is, it let me reset it and after i restarted the mac it's asking for the old password.

[Re-Titled by Moderator]

Original Title: Macbook let me reset my password, but asking for the old password after restarting

The 'resetpassword' is for Admin password

The filevault password is different or can be differnt then admin password...

do you have FileVault Recovery Key?

verify FileVault status from Terminal.app copy and paste:

fdesetup status

verify if FileVault Recovery Key current

From the Terminal.app copy and paste;

sudo fdesetup validaterecovery

“Enter the current recovery key:” type or paste in the Recovery Key and press ENTER\Return key to continue

(note: your psswd will not echo on screen type it in anyway, use the enter\return key to proceed.)

if you forgot Admin password—

If you forgot your Mac login password

https://support.apple.com/en-us/HT202860

Reset your Mac login password - Apple Support

Mac User Guide - Apple Support

If you can't reset your Mac login password

https://support.apple.com/en-us/HT212190

a Firmware password is something again different...if you set one.

If you forgot your firmware password

If you can't remember your firmware password, schedule an in-person service appointment with an Apple Store or Apple Authorized Service Provider ( Find Locations )

Bring your Mac to the appointment, and bring your original receipt or invoice as proof of purchase.

codedil wrote:

Hi @Barney-15E, Thank you for the reply. Yes, it didn't accept the new password. and i don't i see anywhere an option to resetting the password again. Please guide me if there is any such possibility.

Resetting with ‘resetpassword’ won’t reset the FileVault password as that would render FileVault completely useless. The whole point of FileVault is to prevent anyone from getting the data without the password

This is also i think might be the core of the discussion we are trying to have here - when user is tyring the resetpassword flow in recovery mode because he/she lost or don't remember t hepassword - it didn't stop or even warn user that filevault was enabled.

How would that change anything? If you don’t know the FileVault password, there is no way to reset it without knowing other things such as a recovery key.

Did you not enable FileVault yourself? Again, that password request has nothing to do with FileVault.

However, all modern Macs are encrypted regardless of FileVault being enabled or not. It would be ludicrous to allow decrypting the drive by merely resetting the password without some authentication.

What would an user , who is totally unaware of FileVault, think would happen ? that he would be able to login with the newly reset password. But that did not happen, he is being asked or expected to enter the old password, which he obviously forgot and that's the reason he tried the 'resetpassword' flow in the first place. Thank you. Please let me know if you have any questions as well.

I have no idea why anyone would imagine you could simply and easily bypass the encryption by entering a command. However, it isn’t asking for a password to decrypt FileVault. It’s asking for a password in order to ensure you are the actual owner and didn’t just go in and use ‘resetpassword’ to bypass security.

There were several other ways to reset the password which all include a way to identify you as the owner. Since none of those were possible (I guess), you had to resort to using the one that doesn’t.

I am sure this will be reproduceble - if anyone have a spare mac and don't have any important data and okay to erase the data and reinstall - PLEASE PLEASE TRY -> With filevault enabled, with findmymac in Apple Account disabled -> Recovery Mode -> terminal -> 'resetpassword' flow. Thanks a ton.

Of course it will be repeatable for the reasons I stated. You don’t need FileVault enabled, either.

If you have an Apple Store nearby, make an appointment at the Genius Bar. Make sure you bring proof of ownership. I doubt they will be able to do anything about it, but you would get your opportunity to talk to Apple.

codedil wrote:

Hi @Barney-15E, let me try one last time :

Leave all your assumptions and try to understand it once again from the start.

Please do not sit on your point that user have failed to prepare for the disaster. That's already given and that's why he is here and trying to highlight that he wasn't even warned. He has followed the resetpassword steps as mentioned in the document as he wasn't getting the reset instructions in the login window. This is already highlighted couple of times in the previous replies. You can call it ignorance, but it's a fact that he wasn't aware of FileVault, he still doesn't understand it fully. Don't remember enabling it explicitly. He only learnt about it through support or reading about it later. And don't really know - why he is getting 'Activate Mac' if not for filevault (as you are saying). And unfortunately he didn't have FinedMyMac Enabled, which might have triggered this flow as per his understanding, which definitely can be questioned. It's not like he has broken the harddrive or burnt the MacBook and asking Apple for some solution. Some weird flow triggered because of different circumstances and trying to see if Apple really designed it this or if this is a flaw or miss.

Now with that, Can you answer me these two questions, in simple words as you can :

1. In the initial reply you told the current 'Activate Mac' screen I am stuck in is not related to Filevault. And you would try resetting the password again. How to do that ?

I would startup in Recovery and use Terminal to run resetpassword again, but I have no idea how you arrived at that screen. It looks like what happens when you set up a new Mac. That may be what it is doing since it cannot decrypt the drive. Resetting the password won’t change anything, though, for the reasons already outlined. You can change the password using that method over and over, but it will not release the decryption keys. That makes zero sense from a security standpoint. It is very likely you will need to erase it and start over. If it is an Apple Silicon Mac, there is this concept of an “owner” which has to be reset. That is what appears to be happening, but I don’t know if you have an Apple Silicon Mac.

2. Do you have any strong reason that Apple should not warn or stop user from using the ‘resetpassword' flow in terminal in Recovery Mode?

I don’t have any reason to think Apple should do that. It’s obviously a last resort option. You are not in this situation because you used resetpassword. You are in this situation because you forgot the password that would allow decryption. Whether you enabled FileVault or not is irrelevant because all modern Macs are always encrypted. Allowing anyone to startup in Recovery, use Terminal to reset the password, and then allow decryption is a security failure.

Why not add a step to verify the ownership there itself ?

How would that help you? You have no means to do so as it stands. How would you solve that problem? What scheme do you propose that would somehow provide the authentication not already implemented?

resetpassword is a very old utility that makes little sense in the current macOS security scheme.

Again, we can do nothing to affect Apple’s policy. You can submit feedback suggesting they dream up another way to authenticate the user.

They did have a method to reset a firmware password in the store, but doing something like that for the decryption keys opens them up to being forced to decrypt someone’s Mac. I certainly don’t want government to have that power.

It should serve the both purpose of stopping wrong people taking over and also the nudge or push actual owner to double check if he really wants to proceed with this flow ?

Again i request you leave your emotions and passing statements in your reply.

I understand that you are emotional about this, so that may be clouding your response. I’m just stating what is. You are converting that into emotions.

Leave all your assumptions about what user should have known and should have done.

That’s the heart of the matter. You want an option to recover after you failed to implement existing recovery options.

User is an individual, Apple is a system. What user did wrong or missed doing affects him, what apple did wrong or missed doing affects the System.

Why do you assume Apple did something wrong? To me, it sounds like they did everything correct. They created a security system which has several recovery options, but prevents recovery by someone who stole the device.

Because we are trying to highlight what apple could have done that prevented me, owner of the MacBook, ending up in this situation. Thank you.

Again, there is no one here that can answer that question. You are asking for a discussion on Apple’s design, policy, and future activities. We do not work for Apple. We have no control over what they do. However, Apple already provided the means for you to not end up in this situation.

codedil wrote:

Hi @Barney-15E ,

I am not sure what's your intentions here but you are definetly not helping. Please try to ignore if you don't / can't understand the issue that one is trying to highlight let alone the pain or the difficulty one had to go through. Thank you.

I understand it completely. You don’t. I’m not sure why. It has been explained over and over. Since “resetpassword” doesn’t have any authorization mechanism in place, resetting the password that way will not change the FireVault password nor will it unlock the keychain of that user. Both of those would be a security failure of epic proportions.

If you enabled FireVault without creating a recovery key or tying it to your Apple Account, there is no way to recover the password. Again, being able to recover a password implies the security of the host is weak if not insecure. A secure system should never record your password. It should create a hash and record that. You cannot derive the original information from a hash.

If you did not enable FileVault and you can manage to reset your password to one it recognizes, that will likely decrypt the drive. If you can no longer enter Recovery to try to reset the password again, there is nothing else to do. Your data is hopelessly locked away.

If your Mac is from prior to 2018, then the data is not encrypted unless you enable FileVault.

You want magic to happen. The magic you seek was a backup, or a Recovery key, or linking your FileVault password to your Apple Account. You failed to prepare for disaster in every way.

codedil wrote:

I see you don’t have any ideas on how Apple could have prevented you from getting here without reducing security. What is it you propose Apple do going forward ?

Exactly @Barney-15E , that is kind of what we have been trying to highlight. I have been proposing it should have warned/stopped user , it's in the best position know if user is entering a flow where there is no way out.

And what were you going to do when it told you there was no way to recover that data and you would have to erase and start over? That’s about the only warning they could give you. If that’s what you want tell Apple again we can do nothing about it.

There is no solution to losing your FileVault password without establishing the recovery procedures offered when it is enabled.

What you were asking for already exists, but you failed to do that. There is nothing that’s going to change your situation regardless of what warnings they provide to you.

But no matter what we propose the big dissapointment here is, seems Apple just not providing a way where someone from Apple can acknowledge the issue/proposal - it could be either accepted, rejected after they evaluate but the fact that it's so hard to reach the technical team or get a written reply from Apple team is dissapointing to say the least.

There is really no way to contact the “technical team“ at Apple. Occasionally, if you provide feedback to which they want more information, someone will contact you and ask more questions or get clarification, but that won’t be the technical team.

You may believe that Apple should work in a different way, but they seem to be making a lot of money doing it the way they do it right now. They have worked that way for over 40 years now.

Apple silicon M1 has Secure Enclave (analogous to the Apple T2 security chip), and storage is always encrypted.

You can control that encryption with your own password via FileVault, or can use the default setup.

Volume encryption with FileVault in macOS - Apple Support

Here? Erase it, and restore your backup: FileVault recovery options - Apple Support

No one, including Apple, has any ability to retrieve decrypt or otherwise recover FileVault encrypted data, despite concerted efforts and overt threats from various law enforcement agencies and governments around the world that would very much prefer otherwise.

FV encrypted data are utterly useless to anyone without its encryption password.

codedil wrote:

…But no matter what we propose the big dissapointment here is, seems Apple just not providing a way where someone from Apple can acknowledge the issue/proposal - it could be either accepted, rejected after they evaluate but the fact that it's so hard to reach the technical team or get a written reply from Apple team is dissapointing to say the least…

Here is how to set up FileVault, and setup-related options that can make data recovery available:

• Protect data on your Mac with FileVault - Apple Support
• FileVault recovery key - Apple Support
• Configure a FileVault setting in Apple Business Essentials - Apple Support

If operating without IT assistance or IT oversight, Mac users enabling FileVault are provided a recovery key. If that recovery key is not maintained, then data access can be lost if the associated login passwords are lost. Here is the Apple discussion of this, with a section on data loss highlighted:

Rather than creating a quite-probably-vulnerable backdoor, or attempting to create a functional key-escrow system and that with all the technical issues known to exist there, I’d suggest avoiding features such as FileVault and iCloud Advanced Data Protection. Backdoors and escrow systems are contrary to data security, and it’s far easier to just not enable the security rather than to undermine the technical implementation of the security. Or as happens when backdoors become known, everybody is vulnerable.

Here are some technical backdoor-related discussions from a cryptographer:

https://blog.cryptographyengineering.com/category/backdoors/

I have been asking these from official Apple Support , but they are just book readers or process followers not doing anything apart from suggesting that only option is to erase and proceed.

That's the way they are... little more than Support document readers and regurgitators. We can do that on our own. In rare cases, you can escalate a concern to a more engaged representative, but they're even more put upon.

By default, the FileVault encryption password is set to your login password, but there is no requirement for them to remain the same. Arguably, that adds a layer of defense, but it also adds a layer of inconvenience that you don't want.

Resetting a login password through the Recovery Terminal command "resetpassword" remains for older Macs and is less than ideal for the reasons you described. The "right" way to do it is to follow these more recent instructions: If you forgot your Mac login password - Apple Support

If they appear, "Use the reset options in the login window" will synchronize the FV password. The reason that document describes if you see this or if you see that is due to the many hardware differences and as many macOS versions it needs to incorporate.

Given your present circumstance I think what you need to do is turn off FileVault, thereby removing its encryption password, followed by turning it on again.

Turn off FileVault on Mac - Apple Support

Protect data on your Mac with FileVault - Apple Support

That assumes you have no Time Machine backup to restore, and you didn't indicate that possibility. If you have that TM backup, restoring it would be ideal.

Restore your Mac from a backup - Apple Support

Back up your files with Time Machine on Mac - Apple Support

Then, reset the password "the right way".

I am stuck on this 'Activate Mac' screen. Let me share a screenshot so that you will get an idea -

That’s not related to FileVault. It needs a password for an account on that Mac in order to continue.

If that doesn’t accept your new password, I would try resetting the password again. I have no idea how futile that will be.

Resetting with ‘resetpassword’ won’t reset the FileVault password as that would render FileVault completely useless. The whole point of FileVault is to prevent anyone from getting the data without the password.

As for (1) consider it done. Many of this site's participants have knowledge that exceeds that of any Apple Support representative. Decades worth.

To their credit, Apple knows it.

Apple isn't holding anything back. The Support documentation is all-inclusive. There is no benefit for them to omit anything that could help you out of your situation. They are motivated to make it unnecessary for you to call their AI-bots, and so they devote a lot of effort to address everything that can be addressed in their online support and documentation. If that fails they make this site available, and here you are. It's working.

2: I won't dissuade you from contacting Apple again and insisting. Their AI-powered assistants will be exceedingly patient kind and polite as they explain to you that which you already know.

What I'm not certain of is how much you will have to pay them to do that. Maybe nothing. It's your time though, so go ahead.

3: Apple doesn't have your data. They're not interested in it. Only you can decide on its value, and if it's important then they offer Time Machine. It's been included with macOS for decades, and it's free. All you need to do is use it.

codedil wrote:

I have no idea how you arrived at that screen

Good night @Barney-15E. The problem is you are trying to convey the same thing again and again which we already accepted - please read my third reply to John Galt [ who was mostly onpoint in understanding and addressing the issue and questions ]. If not for the 'resetpassword' flow that ended up here, user would still have access to using macbook, through guest user or other standard users for which he still remembers the password.

Anyway, as i have been trying to request you - please ignore. Thank you for spending your valuable time on this.

I see you don’t have any ideas on how Apple could have prevented you from getting here without reducing security. What is it you propose Apple do going forward?

I thought you wanted to get your data back. If you just want access to the computer, you just have to erase it and start over. But, you may need help from Apple to restore it. It may require a DFU reset. You can d that yourself if you have another Mac.