How to force the Mac to not expire passwords?
This morning, when I logged into my Mac, it forced me to change my password. Because I'm unlikely to remember a new password, I had to choose an insecure password that will be easier to remember.
It also won't let me change the password back.
I went to the Security & Privacy settings and found NOTHING that can control this behavior.
Everything on the Internet that is even remotely related is about Active Directory, but I'm sure this thing isn't using Active Directory.
How do you make a Mac NOT do this?
The feature is controlled by a tool called pwpolicy
. Running pwpolicy -getaccountpolicies
outputs an XML document. One of the things found in this XML is this:
<key>policyCategoryPasswordChange</key>
<array>
<dict>
<key>policyContent</key>
<string>policyAttributeCurrentTime > policyAttributeLastPasswordChangeTime + (policyAttributeExpiresEveryNDays * 24 * 60 * 60)</string>
<key>policyIdentifier</key>
<string>ProfilePayload:deadbeef-b187-1337-1ee7-abcdef123456:maxPINAgeInDays</string>
<key>policyParameters</key>
<dict>
<key>policyAttributeExpiresEveryNDays</key>
<integer>90</integer>
</dict>
</dict>
</array>
Delete that from the XML document and then consume the altered document using:
pwpolicy -setaccountpolicies <file.xml>
and the problem should go away. But there is a pitfall. If you dump the XML using the shell's >
operator, edit the file, and pass it back to pwpolicy
, you'll get this error:
Error: The data is not in the correct format.
The reason for this error is that pwpolicy -getaccountpolicies
prints the following before printing the XML:
Getting global account policies