HN

Need help?
<- Back
Recover Apple Keychain

Recover Apple Keychain

speckx

Comments (30)

  • nasretdinov
    When I first switched to Mac from Windows I was really fascinated by the fact that generally you _could_ figure things out on your own and fix your system by just examining the filesystem structure (in recovery root shell). E.g. I once decided I want to try out Mac OS X server on my laptop and for whatever reason the install process got stuck, preventing me from logging in. To fix it I've just rebooted in recovery mode, found some lock file present (something like server-install.lock), removed it and then got my desktop back :). I was able to do it because the naming conventions in the OS filesystem were so easy to understand. I've then discovered that my "Sharing" preferences pane also disappeared and I was able to find it in the system folders, renamed to "Sharing.prefpane-stowed-away" or something like this. I've removed the unnecessary suffix and got my prefpane back.I don't think modern macOS is as easy to tinker with anymore and I never had the need to fix it manually ever again either — but it felt incredibly cool to be able to fix it myself without any manual or even internet access for that matter.
  • oneplane
    There is a lot of documentation from Apple on how all of this works, but this is indeed expected behaviour. A way to make this smoother would have been: 1. Doing the password reset 2. Reboot straight back into recovery 3. Update your new password back into your old password 4. Boot into macOS, your default keychain will unlock but you'll still have to re-authenticate to iCloud since your machine-user identity combo will no longer match with what iCloud expects. (not sure if this is part of Octagon Trust, but there are various interesting layers to this) Check the escalation path of key revocation for example where you don't just have longer time delays but also stricter environments where new attempts can be made (near the end): https://support.apple.com/en-gb/guide/security/sec20230a10d/...There are a number of much more in-depth technical guides and specs, but just listing out random articles (or the Black Hat talk(s)) would probably rob someone of a nice excursion into platform security.
  • nabbed
    Based on this description, it sounds like someone walking past your unattended desk and bent on disrupting your day but not stealing your data, could enter in a garbage password into the lock screen a few times and lock you out of your own laptop.I guess the same also works for cloud accounts as well. I remember, back in the mid-2000s, trying to log into my hotmail account (never having failed to log in before) and getting a "locked out due to too many bad passwords". So someone, only knowing my user account name (which was the same as my email address), locked me out of my own account. The problem was, I couldn't remember what my recovery accounts were (I eventually figured it out).
  • Brajeshwar
    I kinda feel uncomfortable with the comfort of Touch ID. So, I tend to type Passwords once in a while to keep my muscle memory, especially for key accounts, which are the entry points to other Passwords (Apple, 1Password, Google, etc.).These days, I believe that the only reason one does not get such misfortunes of being hacked/attacked, is that most of us are not important enough to get the attention of any external threats. Hence, mostly luck more than actually being secure.I have been working towards a process/pattern, as a last resort, to be able to walk out of anything and have backup options when misfortunes strikes or my luck runs out. I don’t even know the path yet.
  • xd1936
    It Just Works™... until you don't want to take the default option. I'm sure your average user would just be SoL if going through this same experience.
  • dwaite
    You can also just open the old keychain using the old password.
  • znnajdla
    Is there a way to sync passkeys out of Apple Passwords / Keychain? I dread an iCloud lockout.
  • JSR_FDED
    Forgetting what the password is because you always just use the fingerprint reader…that’s why for elderly family members I nowadays set it up not to use the fingerprint any more. I thought they’d be annoyed but funnily enough they experience it as a sense of agency, that they are the one unlocking the computer and are in charge of it.
  • fastaguy88
    Apple Keychain has a number of old bugs that have caused me to have to resort to this strategy several times. The most common problem is having a secure note that you can open, but then immediately disappears (closes). Copying over an older keychain database can sometimes solve the problem.
  • dpark
    Is there really no supported model for this scenario? Surely the point of an iCloud backup is that you can restore from the cloud rather than do a local hack to try to regain access to locked keychain db.What happens if you just set up the device as a new machine and login to your iCloud like normal?
  • zapkyeskrill
    Good information to have. I was surprised by step 2 though (rm login.keychain-db). How can you be absolutely sure it doesn't contain anything important and you won't need it later?I'd probably opt for a more defensive action here and just rename it (like the original reset did).
  • m463
    This is one of those articles that either people will stumble upon when they are up a creek without a paddle... or... something 100 ai slop articles will poorly summarize in their "11 ways to recover your icloud data" article.
  • bigiain
    > Still, I had assumed there might be some kind of master key that would handle this automatically during a password reset.This assumption, by a clearly technical person, is a fundamental problem that keeps "the rest of the world" locked in to centralised services where that is true, and where that master key can be used against them by law enforcement, fascist regimes, and surveillance capitalists.