Terminal command to change a user password on a Mac

Update May, 2019

Now that there are SecureToken users, the command below no longer works to reset another user’s password. Thanks to mario on the MacAdmins Slack for testing.


Just a cleaned-up version of directions from Mac Script to change Administrator password

Changing a user password via terminal command

If you ever want to change a user’s password from the command line (perhaps for scripting purposes), you don’t have to be logged in as that user, despite what it says in the link above, but you do have to be logged in as an admin user. These are the commands you’d use:

sudo /usr/bin/dscl . -passwd /Users/username newpassword
sudo security set-keychain-password -o oldpassword -p newpassword /Users/username/Library/Keychains/login.keychain

Substitute in the actual user’s username for username, the actual user’s old password for oldpassword and the actual user’s new password for newpassword.

If you don’t know the old password…

If, for some reason, you (and the user both) have forgotten the user’s old password and don’t want to deal with keychain issues, you can also just delete the existing keychain (instead of running the second command to update the keychain password):

sudo rm -r /Users/username/Library/Keychains/*

Security issues

One strong caveat is that the terminal, by default, will save commands to ~/.bash_history in plain text, so you’re essentially storing a user’s password in plain text, unless you temporarily disable bash history or later go into the ~/.bash_history file with a text editor (like nano) and delete the offending lines manually.

If you distribute this as part of a .pkg, nothing will be visible in a .bash_history file, but make sure you keep that .pkg extra secure or delete it after deploying it.
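
The manual history cleanup described above can be scripted. This is an added example, not part of the original post: it flags history lines where either command from this page was typed with an inline password and writes a scrubbed copy. The function names, the matching patterns and the sample history are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag and scrub history lines
# that carry an inline password for the two commands discussed on this page.
# The patterns are a heuristic written for this example.
#   flagged: dscl <node> -passwd <path> <password>
#            security set-keychain-password ... -o|-p <password>
#   skipped: interactive forms (no password argument) and $var references
ARG='[[:space:]]+"?[^$"[:space:]]'
PW_PATTERN="dscl[[:space:]]+[^[:space:]]+[[:space:]]+-passwd[[:space:]]+[^[:space:]]+$ARG"
PW_PATTERN="$PW_PATTERN|security[[:space:]]+set-keychain-password.*[[:space:]]-[op]$ARG"

# Print "line-number:command" for every flagged line in history file $1.
find_password_lines() {
    grep -nE "$PW_PATTERN" "$1" || true
}

# Print how many lines in $1 are flagged (0 when none).
count_password_lines() {
    grep -cE "$PW_PATTERN" "$1" || true
}

# Write a copy of $1 to $2 without the flagged lines. The copy is created
# owner-only; the original is left in place for review before replacing it.
scrub_history() {
    ( umask 077; grep -vE "$PW_PATTERN" "$1" > "$2" ) || [ "$?" -eq 1 ]
}

# Constructed sample history (placeholder usernames and passwords).
write_sample_history() {
    cat > "$1" <<'EOF'
ls -la /Users
sudo /usr/bin/dscl . -passwd /Users/username newpassword
sudo security set-keychain-password -o oldpassword -p newpassword /Users/username/Library/Keychains/login.keychain
sudo /usr/bin/dscl . -passwd /Users/username
sudo /usr/bin/dscl . -passwd /Users/username "$pass"
sudo security set-keychain-password
EOF
}

# Demo on the constructed sample; nothing here touches a real history file.
demo_dir=$(mktemp -d)
write_sample_history "$demo_dir/history"
find_password_lines "$demo_dir/history"
scrub_history "$demo_dir/history" "$demo_dir/history.clean"
echo "flagged: $(count_password_lines "$demo_dir/history"), kept: $(wc -l < "$demo_dir/history.clean")"
rm -rf "$demo_dir"
```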

7 responses to “Terminal command to change a user password on a Mac”

  1. Thanks so much for this guide! It really came in handy for me after I forgot my admin password and needed to reset it. Luckily, I had given my local user account sudo privileges and was able to change the admin password via the terminal using this guide, even though I had no idea what the admin password was! Just another reminder never to give users sudo privilege unless you own both the admin and local account!

  2. If you do not want the password to appear in the history and don’t want to mess with the history, try:
    read -r pass
    sudo /usr/bin/dscl . -passwd /Users/username "$pass"
    The password will be stored in $pass and instead of the plaintext password just the string “$pass” will appear in the history.

  3. I have a user who forgot her password, so I want to kill the keychain using your command (sudo rm -r /Users/username/Library/Keychains/*) then I don’t know how to set up a new password for that account.

  4. After trying this command #sudo /usr/bin/dscl . -passwd /Users/Admin , I’m not able either to log in with my new password or the old one. The second command doesn’t even work (#sudo security set-keychain-password -o oldpassword -p newpassword /Users/Admin/Library/Keychains/login.keychain)
    What happened?

  5. If you don’t want to leave the password in the history you can just omit the password in the command and it will ask you interactively.

    sudo /usr/bin/dscl . -passwd /Users/foxt
    sudo security set-keychain-password
