When and by who was a password changed
I have created a specific account on my Mac (called skype) to use with risky software, Skype. This account is a standard account.
Since I didn't want to use this account very often, I saved its password in an encrypted file and I am fully sure of the password.
Today I can't login on this account. Once I type the password for the skype account in the login window, the password area is shaking which should mean "wrong password". I checked that the usual suspects aren't playing here:
- the doomed caps lock isn't involved,
- by pressing ⌘+space I checked that the mapping of my keyboard is the one I want,
- I used
/usr/bin/su skypeto check its password and it is rejected.
The conclusion is clear: the password of the skype account was changed, or is failing after a MacOS X upgrade.
- I didn't changed it
- I am the sole administrator of this Mac.
- There isn't even a
guestaccount set.
I would like to find what might have happened to block this account.
1st step of investigation:
- how to find when an account password was last changed?
- how to find through which method it was changed, either with the graphical interface of
System Preferences...or with thepasswdcommand, or through none of these and with the use of a security vulnerability?
The Mac where this incident happened is running High Sierra 10.13.5.
Solution 1:
You can get the last time a password was changed by using dscl:
$ dscl . read /Users/<username> | grep passwordLastSetTime -A1
You will then get a result similar to the result below; the time will be in epoch (Unix) time.
<key>passwordLastSetTime</key>
<real>1489446910.113889</real>
Then, to convert epoch to something useful, you need to drop the mantissa (fractional part) since epoch is measured in nano seconds (useless for our purposes here)
$ date -r 1545267484
Wed Dec 19 19:58:04 EST 2018