Changed user password by providing new password as hash not syncing to FileVault 2

I have been using

defaults write "path/to/username.plist" shadowhashdata '(really long hash info)'

to administer a local support account on our Macs, but I have found, and it may be since updating to 10.10.1, that the FileVault password is not getting updated when this is run.


Solution 1:

Updating an account's password for the FileVault 2 pre-boot login screen needs to involve the opendirectoryd process when changing the account's password. Writing the new password hash directly to the plist file bypasses opendirectoryd, so the password sync process never kicks in.

If you need to change the password this way, you may need to remove and re-add the user account with fdesetup. This will flush the old password's derived key for FileVault 2 and set up a derived key for the new password.

Remove:

fdesetup remove -user username_goes_here

Re-add:

fdesetup add -usertoadd username_goes_here

Note: As part of doing the remove and re-add, you will need to provide either the password of a FileVault 2-enabled account or a personal recovery key associated with the machine in order to authorize the changes. One thing that's important to keep in mind is that once you run fdesetup remove for your local administrator account, the account will no longer be enabled for FileVault 2 and will not be able to authorize the running of fdesetup add. Make sure you have a personal recovery key available or enable another user account for FileVault 2, then use the recovery key or that second account's password to authorize the re-adding of your local administrator account.

Commentary: I asked about the practice of writing password hashes to plist files in order to change passwords while I was at this year's WWDC. I received the following feedback from Apple engineers:

"That's horrifying. Don't do that."

https://forums.developer.apple.com/message/8028
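The remove-and-re-add sequence from the answer above, wrapped in a small POSIX shell script so it can be run consistently and checked afterwards. This is an added example, not code from the original question or answer. It assumes it runs as root on a Mac with FileVault 2 enabled, that `AUTH_USER` is a second account that is still FileVault-enabled (the answer explains why the account being removed cannot authorize its own re-add), and that the plist keys `Username`, `Password` and `AdditionalUsers` read by `fdesetup add -inputplist` from stdin are as documented in the fdesetup man page. Passing the plist through a pipe rather than a file keeps the plaintext passwords off disk, and the final `fdesetup list` check confirms that opendirectoryd actually derived a FileVault key for the new password.

```shell
#!/bin/sh
# Added example: re-enable a FileVault 2 account after its password was changed
# out of band, using the fdesetup remove / add sequence from the answer above.
# Assumptions: macOS 10.10+, run as root, and an authorizing account that is
# still enabled for FileVault 2 (recovery-key authorization is not shown here).

# Escape the characters that would break the XML plist (&, <, >), so a
# password containing them is still transmitted intact.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the property list that `fdesetup add -inputplist` reads from stdin.
# Username/Password authorize the change; AdditionalUsers lists the account to
# (re-)enable. Key names are taken from the fdesetup man page (assumption).
fv_add_plist() {
    auth_user=$(xml_escape "$1"); auth_pass=$(xml_escape "$2")
    add_user=$(xml_escape "$3");  add_pass=$(xml_escape "$4")
    printf '%s\n' \
      '<?xml version="1.0" encoding="UTF-8"?>' \
      '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
      '<plist version="1.0"><dict>' \
      "  <key>Username</key><string>$auth_user</string>" \
      "  <key>Password</key><string>$auth_pass</string>" \
      '  <key>AdditionalUsers</key><array><dict>' \
      "    <key>Username</key><string>$add_user</string>" \
      "    <key>Password</key><string>$add_pass</string>" \
      '  </dict></array>' \
      '</dict></plist>'
}

# `fdesetup list` prints one "username,GeneratedUID" line per enabled account.
# Reads that output on stdin and returns 0 if the wanted user is present.
fv_user_enabled() {
    want=$1
    while IFS=, read -r name _uid; do
        [ "$name" = "$want" ] && return 0
    done
    return 1
}

# Full sequence: remove the stale FileVault enablement for TARGET, re-add it
# with the new password, then verify it shows up in the enabled-user list.
# Returns 0 on success, 1 on an fdesetup failure, 2 on a refused invocation.
fv_resync_user() {
    target=$1; target_pass=$2; auth_user=$3; auth_pass=$4
    if [ "$target" = "$auth_user" ]; then
        echo "refusing: the account being removed cannot authorize its own re-add" >&2
        return 2
    fi
    fdesetup remove -user "$target" || return 1
    fv_add_plist "$auth_user" "$auth_pass" "$target" "$target_pass" \
        | fdesetup add -inputplist || return 1
    fdesetup list | fv_user_enabled "$target"
}

# Usage (values are placeholders):
#   fv_resync_user support 'NewSupportPassword' adminuser 'AdminPassword' \
#       && echo "support is FileVault-enabled again"
```

If no second FileVault-enabled account exists, the answer's recovery-key path applies instead: run the same `fdesetup remove` / `fdesetup add` commands interactively and supply the personal recovery key when prompted, then run `fdesetup list` by hand to confirm the account is back.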