When and by whom was a password changed

I have created a specific account on my Mac (called skype) to use with risky software, Skype. This account is a standard account.

Since I didn't want to use this account very often, I saved its password in an encrypted file and I am fully sure of the password.

Today I can't log in to this account. Once I type the password for the skype account in the login window, the password area shakes, which should mean "wrong password". I checked that the usual suspects aren't playing here:

  • the doomed caps lock isn't involved,
  • by pressing +space I checked that the mapping of my keyboard is the one I want,
  • I used /usr/bin/su skype to check its password and it is rejected.

The conclusion is clear: the password of the skype account was changed, or is failing after a MacOS X upgrade.

  • I didn't change it,
  • I am the sole administrator of this Mac.
  • There isn't even a guest account set.

I would like to find what might have happened to block this account.

1st step of investigation:

  • how to find when an account password was last changed?
  • how to find through which method it was changed, either with the graphical interface of System Preferences... or with the passwd command, or through none of these and with the use of a security vulnerability?

The Mac where this incident happened is running High Sierra 10.13.5.


Solution 1:

You can get the last time a password was changed by using dscl:

$ dscl . read /Users/<username> | grep passwordLastSetTime -A1

You will then get a result similar to the result below; the time will be in epoch (Unix) time.

<key>passwordLastSetTime</key>
<real>1489446910.113889</real>

Then, to convert epoch to something useful, you need to drop the mantissa (fractional part) since epoch is measured in nanoseconds (useless for our purposes here).

$ date -r 1545267484
Wed Dec 19 19:58:04 EST 2018
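
The two steps above combined into one script, as an added example that is not part of the original answer: it pulls passwordLastSetTime out of the dscl output, drops the fractional seconds, and prints the result as a UTC timestamp. The function names are hypothetical, and the sample input is constructed from the fragment shown in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.

# Read plist text on stdin and print the whole-second value of the <real>
# that follows <key>$1</key>. Exit status is non-zero if the key is absent.
plist_real_seconds() {
    awk -v want="$1" '
        /<key>/ { k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k) }
        /<real>/ && k == want {
            v = $0; sub(/.*<real>/, "", v); sub(/<\/real>.*/, "", v)
            sub(/\..*/, "", v)          # drop the fractional seconds
            if (v ~ /^[0-9]+$/) { print v; found = 1; exit }
        }
        END { exit !found }
    '
}

# Convert epoch seconds to an ISO 8601 UTC timestamp.
# BSD/macOS date takes the epoch via -r; GNU date takes it via -d @N.
epoch_to_utc() {
    fmt='+%Y-%m-%dT%H:%M:%SZ'
    date -u -r "$1" "$fmt" 2>/dev/null || date -u -d "@$1" "$fmt"
}

# Usage on the Mac: password_last_set <username>
password_last_set() {
    secs=$(dscl . read "/Users/$1" | plist_real_seconds passwordLastSetTime) || {
        echo "passwordLastSetTime not found for $1" >&2
        return 1
    }
    epoch_to_utc "$secs"
}

# Constructed sample: the fragment shown in the answer above.
SAMPLE='<key>passwordLastSetTime</key>
<real>1489446910.113889</real>'

if command -v dscl >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    password_last_set "$1"
else
    # No dscl or no username given: run on the constructed sample instead.
    epoch_to_utc "$(printf '%s\n' "$SAMPLE" | plist_real_seconds passwordLastSetTime)"
fi
```

Printing in UTC makes the result easy to line up against log entries from the same period, whatever time zone the Mac is set to.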