What is accessible to an attacker who has reset my administrator password?

Solution 1:

If FileVault is enabled, booting into single user mode requires a password, so neither of the methods for resetting the password in single user mode work.

As others have mentioned, resetting the login password doesn't reset the password of the login keychain. I tried resetting the login password a few months ago. I could access most files normally, but not my account in Mail.app or auto-filled passwords in Safari. But I could access my Gmail account from Safari because I had set it to log in automatically.

The login password (but not the password of the login keychain) can also be reset with an Apple ID. There's a checkbox for allowing that when creating an account. I think it was checked by default. The option can be disabled later in the Users & Groups preference pane. If the option was enabled before you turned FileVault on, you cannot disable it without turning FileVault off and back on. See Michael Tsai - Blog - FileVault 2’s Apple ID Backdoor.

1. Are all user accounts still present?

Yes. And all of their passwords can be changed separately, or from the Users & Groups preferences after logging in to (or creating) one administrator account.

2. Are all keychains still present, or are they reset or cleared as part of the password creation process?

The keychains aren't removed, but the login keychain isn't unlocked automatically after the login password is reset.

3. If the keychains are still present, does the (new) administrator have access to the contents of existing keychains?

Not without knowing their passwords.

4. Are any files (other than keychains) erased or reset as part of the process?

I don't know, but you can access most files normally.

Solution 2:

If someone has your administrator account, everything on the machine is accessible to them. People in IT Security circles say "Physical access = Total access".

Keychains can only be unlocked with the keychain password. If an account password is changed/updated without being logged into the account AND having the relevant keychain unlocked, the keychain password doesn't change.

Meaning, someone could get access to your account perhaps, but not your keychain, without the original password. The account and keychain passwords fall out of sync with one another.

FileVault protection, similarly, will remain in place until unlocked using the correct password. I don't believe having root access on the machine allows you to unlock the keychain or the FileVault account without the relevant passwords; that's the whole point.

Of course, theoretically a hacker with godlike skills, patience, and knowledge could manually edit the relevant passwd files to be whatever he/she wanted them to be (if they had root access), but the probability of this happening is somewhere between zero and nil.