
Changing local account passwords may cause new login keychain to be silently generated on macOS High Sierra

As part of my testing of macOS High Sierra, I’ve noticed that login behavior has changed for local accounts, in cases where the password of the login keychain is different from the password of the account logging in.

On macOS Sierra, the following behavior occurs when the password of the login keychain is different from the password of the local account logging in:

1. The login process pauses.
2. You’re prompted to continue login, create a new keychain, or update the existing keychain password.
3. If you choose to update the existing keychain password, you enter the keychain’s current password (which is usually the account’s former password).
4. The login process proceeds and the desktop comes up.

On macOS High Sierra, the following behavior occurs when the password of the login keychain is different from the password of the local account logging in:

1. Without any prompt, the login keychain with the different password is renamed to login_renamed_number_goes_here.keychain-db (where number_goes_here is a sequence number) and left in ~/Library/Keychains.
2. A new login keychain is created in ~/Library/Keychains. The new login keychain is named login.keychain-db and uses the password of the local account logging in.

Note: This is behavior I’ve observed for local accounts only. I have not been able to test with network accounts, like Active Directory mobile accounts.

Update 9-26-2017: This behavior was addressed in the betas for Active Directory mobile accounts:

The reason this behavior is problematic is that nothing stored in the former login keychain is transferred to the new one. Saved passwords, certificates, and any other secrets in the now-former login keychain will be absent from the new login keychain and must be manually copied or re-saved into it. The renamed keychain is not deleted: it stays in ~/Library/Keychains, still protected by its old password, so its contents can be recovered by unlocking it with that password. The same fact cuts the other way: if the account password was reset because it was believed compromised, the secrets in the renamed file are still protected only by that former password.

For more details, see below the jump.

I’ve been able to reproduce this behavior in two ways.

The first method changes the keychain password directly and leaves the account password alone:

1. Open Keychain Access.
2. Under the Edit menu, select Change password for keychain “login”…
3. Change the password of the keychain to be different from the account’s login password.
4. Log out of the account.
5. Log back in.

The second method resets the account password from another administrator account, which changes the account password but not the password of the login keychain:

1. Log in as a different account with administrator privileges.
2. Open System Preferences.
3. Select Users & Groups.
4. Click the lock icon and provide administrator credentials when prompted.
5. Select the relevant account.
6. Click the Reset Password button.
7. Change the relevant account’s password.
8. Log out of the different account.
9. Log in as the relevant account.
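As an added example (my own script, not code from the original post or from Apple), the shell script below ties the two halves of this post together: it detects whether the High Sierra behavior has happened to a user by looking for login_renamed_N.keychain-db files next to a fresh login.keychain-db, and on a Mac it can put the renamed keychain back on the user's keychain search list so the old items become reachable again, and can set up the first reproduction method from the command line. The file name keychain-check.sh is assumed; the security(1) subcommands used (list-keychains, set-keychain-password) are Apple's real ones, but they only run on macOS, and the detection logic takes the keychain directory as an argument so it can be exercised against any directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Detects whether macOS
# High Sierra silently regenerated a user's login keychain (leaving the old
# one as login_renamed_N.keychain-db next to a fresh login.keychain-db) and,
# on a Mac, reattaches the old keychain so its secrets are reachable again.
# The keychain directory is always passed in, so the detection logic can be
# run against any directory, not only ~/Library/Keychains.

# List the renamed login keychains in DIR, one file name per line, ordered
# by their numeric suffix (login_renamed_1, login_renamed_2, ...). Prints
# nothing when there are none.
find_renamed_keychains() {
    dir="$1"
    for f in "$dir"/login_renamed_*.keychain-db; do
        [ -e "$f" ] || continue        # the glob matched nothing
        basename "$f"
    done | sort -t_ -k3,3n
}

# Number of renamed login keychains in DIR (0 when the user is unaffected).
count_renamed_keychains() {
    find_renamed_keychains "$1" | wc -l | tr -d ' '
}

# True (exit 0) when DIR holds a current login.keychain-db alongside at
# least one renamed copy, i.e. the behavior described above has occurred
# and the user's saved passwords and certificates live in the old file.
keychain_was_regenerated() {
    dir="$1"
    [ -e "$dir/login.keychain-db" ] || return 1
    [ "$(count_renamed_keychains "$dir")" -gt 0 ]
}

# macOS only. Put the renamed keychain(s) back on the user's keychain search
# list, after the current login keychain, so applications can find the items
# stored in them. The renamed keychain keeps its original password (the
# account's former password), so the user is asked for that password the
# first time an item in it is needed. Run this as the affected user.
reattach_renamed_keychains() {
    dir="$1"
    command -v security >/dev/null 2>&1 || {
        echo "security(1) not found; this step only runs on macOS" >&2
        return 2
    }
    set -- "$dir/login.keychain-db"
    for name in $(find_renamed_keychains "$dir"); do
        set -- "$@" "$dir/$name"
    done
    # -d user: the per-user search list; -s: replace it with the keychains given
    security list-keychains -d user -s "$@"
}

# macOS only. Command-line equivalent of the Keychain Access step in the
# first method: give the login keychain a password that differs from the
# account password. security(1) prompts for the old and new password when
# -o/-p are omitted, which keeps them out of the process list and history.
set_login_keychain_password() {
    kc="${1:-$HOME/Library/Keychains/login.keychain-db}"
    command -v security >/dev/null 2>&1 || return 2
    security set-keychain-password "$kc"
}

# Usage: sh keychain-check.sh ~/Library/Keychains
if [ "$#" -eq 1 ]; then
    if keychain_was_regenerated "$1"; then
        echo "login keychain was regenerated; old copies still present:"
        find_renamed_keychains "$1"
    else
        echo "no renamed login keychain in $1"
    fi
fi
```

Run it as the affected user with the path to their keychain directory; for a fleet check, point the detection functions at each home directory's Library/Keychains from your management tool. Reattaching only makes the old items reachable again under the old password; it does not migrate them into the new login keychain, which still has to be done item by item in Keychain Access.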

Categories: Mac administration, macOS
  1. Jorge
    September 25, 2017 at 11:37 pm

    I’m also seeing this behavior with our Active Directory accounts. Except, when logging in with a smart card, I get a GUI prompt similar to previous OSs. But there are only 2 options instead of the usual 3. No more button for “Continue Log In”.

  2. mat
    September 26, 2017 at 3:10 pm

    This, the AD mobile Touch ID issue and AD mobile pwd change issue is making this release an absolute soggy breakfast for the enterprise environments.

  3. stutz
    September 26, 2017 at 5:27 pm

    I figured I would mention this as I just got it this morning from Apple as we purchase their Enterprise Connect tool:

    Hello,

    Mac systems running macOS High Sierra in your organization may be impacted by an issue that prevents Active Directory password changes from working properly.

    You may be impacted if Mac systems in your organization meet both of the following criteria:
    Mac systems are bound to Active Directory
    Users log into their Mac systems with Active Directory accounts (mobile accounts)
    If you are impacted by this issue, changing your Active Directory password will appear to succeed, but the password will not be changed. If your users log into their Mac systems with local accounts (not mobile accounts) they will be unaffected.

    Any tools that can change the password for an Active Directory based mobile account will be affected. This includes Enterprise Connect and the Users & Groups System Preferences pane.

    This issue will be fixed in an upcoming macOS High Sierra update.

  4. September 27, 2017 at 11:31 am

    Apple is not making things simpler but more complex. Also, what we had in Keychain was a shortcut that you could invoke in the menu bar in the preferences of Keychain. That is now gone and has been placed in the menu below the Apple, but what it doesn’t do is give you a completely black screen; you have to dim your screen manually, and on an iMac this cannot be done. I don’t doubt that people will find other irritants like this in High Sierra and scratch their heads and wonder which dimwit at Apple thought this sort of thing up. They definitely need the registry screw-up you described. I have only found it affecting my old MBP 17″, which is gathering dust and I just wanted to see what High Sierra would look like on it. It is now a snail in a cheetah world.

  5. BB
    September 30, 2017 at 6:18 pm

    I’ve been using a different password for my login keychain for years. With 10.11 there was no problem; 10.12 does not log in to iCloud automatically.

    The described request:
    1. The login process pauses
    2. You’re prompted to continue login, create a new keychain, or update the existing keychain password.
    occurs only once. After this, it is possible to have a different password for the login keychain.

    I also created a new keychain 5 years ago and renamed my old login keychain. The intention was to move over the remaining passwords, but it is not possible to move more than one keychain item at a time, and for every move it is required to type in the password. So I live with 2 keychains, no problems so far.

  6. October 13, 2017 at 4:08 pm

    I agree with BB, this also worked for me.

  7. October 28, 2017 at 5:35 pm

    BB worked for me too

  8. Dr. Philip Inglesant, post-doctoral researcher, University of Oxford
    November 13, 2017 at 4:07 pm

    Just wasted the best part of a day on this, after upgrade to High Sierra. I ALWAYS have a different password for my login keychain than for my local account.
    But High Sierra “helpfully” changed it to the same as my local account, then did just as you say, moved all of my passwords to a hidden keychain which I only found by importing it.
    Since I have an encrypted external drive and encrypted file vaults this was VERY inconvenient.
    Thanks, Apple! Now I know why you are the world’s largest company.
