Password Utility FAQ

Is authenticated restart the same as skipping FileVault?

No, FileVault is not turned off or skipped with authenticated restart. Authenticated restart unlocks the disk at startup using the credentials provided prior to restart. The data is still encrypted with the user’s password and cannot be accessed in recovery without entering the user’s password (or a recovery key). The user’s password is still required at the Login Window. During an authenticated restart, the Mac goes from a booted, unlocked state to an unauthenticated, unlocked state. Requiring the FileVault password at first boot does provide some protection from malware and bad actors that need to reboot the machine after an attack, but not during a reboot or power outage.

Is copying the local password to the pasteboard an issue? 

macOS has protections against other apps copying information from the pasteboard. However, any time a cleartext password is available, it should be handled cautiously. Password Utility checks the pasteboard after 30 seconds and removes the password if it is still on the pasteboard. Using a password manager and copying/pasting a password has similar risks.
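The check-then-clear behaviour described above can be sketched as follows. This is an added example, not Password Utility's own code: the names `ExpiringPasteboard`, `copy` and `clearIfStillOwned` are hypothetical, and the `org.nspasteboard.ConcealedType` marker (a convention that clipboard managers honour to skip recording an entry) is an assumption the page does not mention.

```swift
import AppKit

// Added example: copy a secret, then clear it after a delay only if no other
// app has written to the pasteboard in the meantime. Names are hypothetical.
enum ExpiringPasteboard {
    // Assumption: nspasteboard.org marker asking clipboard managers not to record this entry.
    static let concealedType = NSPasteboard.PasteboardType("org.nspasteboard.ConcealedType")

    /// Writes `secret` and schedules the cleanup check. Returns false if the write failed.
    static func copy(_ secret: String, to pasteboard: NSPasteboard = .general,
                     clearAfter delay: TimeInterval = 30) -> Bool {
        _ = pasteboard.declareTypes([.string, concealedType], owner: nil)
        guard pasteboard.setString(secret, forType: .string) else { return false }
        _ = pasteboard.setString("", forType: concealedType)
        // changeCount increases whenever any app replaces the pasteboard contents,
        // so remembering it avoids keeping the secret in memory for the comparison.
        let ownedChangeCount = pasteboard.changeCount
        DispatchQueue.main.asyncAfter(deadline: .now() + delay) {
            _ = ExpiringPasteboard.clearIfStillOwned(pasteboard, ownedChangeCount: ownedChangeCount)
        }
        return true
    }

    /// Clears the pasteboard only when it still holds what `copy` wrote.
    /// If the user copied something else since, their content is left alone.
    static func clearIfStillOwned(_ pasteboard: NSPasteboard, ownedChangeCount: Int) -> Bool {
        guard pasteboard.changeCount == ownedChangeCount else { return false }
        _ = pasteboard.clearContents()
        return true
    }
}

// Constructed demo on a private, named pasteboard so the user's clipboard is untouched.
let demoBoard = NSPasteboard(name: NSPasteboard.Name("example.constructed.pasteboard"))
_ = ExpiringPasteboard.copy("constructed-sample-secret", to: demoBoard, clearAfter: 2)
RunLoop.main.run(until: Date().addingTimeInterval(3))  // let the scheduled check fire
print(demoBoard.string(forType: .string) == nil ? "cleared" : "still present")
```

The secret remains readable by any process with pasteboard access for the whole delay, which is why the FAQ advises caution whenever a cleartext password is on the pasteboard.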

How is the local password stored in the keychain?

When a user authenticates at the Login Window, macOS routes the authentication through a series of mechanisms called Pluggable Authentication Modules, or PAM. Password Utility installs a PAM module that saves the password to the user’s keychain and sets it so that only the Password Utility app has access to the password without prompting the user. The user’s keychain itself is secured with AES-256 encryption.

What happens if I forget my password?

We recommend that you keep a secure copy of your password outside your Mac. The easiest way to do this is to save the password to the Password app and have iCloud syncing enabled. The password will then be available securely on your other devices if you ever need it. This is simple to do:

  1. Open the Password App
  2. Select File->New Password…
  3. Name it something like “Mac Local Password” and enter the username and password.
  4. Click Save.
  5. Verify that it is now available on your other devices.

How does it work?

Password Utility consists of a menu item, a helper process, a PAM module, and a launch agent that runs when the login window shows.

At the core of the system is the PAM module that stores the local user password at login to the user’s keychain and sets it up to only allow the Password Utility app to access the password to authenticate.

The menu item launches automatically in the user session and uses the local password in the keychain to silently set macOS to authenticate FileVault on next reboot. The menu item app also authenticates every hour to prevent Touch ID from timing out.

The launch agent runs whenever the Login Window is shown, and if there is a user password in the System Keychain, it sets macOS to authenticate FileVault on next reboot. This is helpful if the Mac reboots before a user logs in.

Depending on how the Mac is used, FileVault can be set to unlock either before logging in or after. For example, if the Mac is a single-user Mac that is typically used every day, setting FileVault to be unlocked using the user’s password makes sense. If it is a server or a lab Mac that may be shut down or restarted without anyone logging in, then unlocking FileVault before logging in would be most appropriate.