How your Mac locks you out for more and more time when entering the wrong password


Macworld

The old TV and movie trope of someone sitting down at a keyboard and rapidly trying a bunch of passwords to “hack the mainframe” never really worked. But protections that Apple built into macOS with the introduction of a Secure Enclave into its computers have taken it from imaginary and futile to completely absurd.

It is true that many computer systems, via terminals or direct physical contact, lack a throttle or any protection against so-called “brute force” attacks. You could sit there and type endless potential passwords or, more likely, find a way to run software that would simulate super-rapid password entry. (Some companies have sold or still sell tools designed to automate password cracking on iPhones and iPads, particularly of numeric PINs and common passwords, but Apple keeps building techniques to deter them.)

On Intel Macs with a T2 Security Chip and all M-series Apple silicon Macs, the Secure Enclave enforces limits Apple sets on the number of times you can fail to enter the correct password for an account. It’s generally unlikely you will forget the password for a Mac you use actively. You may notice that even if you’re using Touch ID or an Apple Watch to unlock your Mac, you are routinely asked for the account’s password. That’s designed to help remind you. If you restart your Mac, you have to enter a password for an account that’s allowed to start it up, too. (If you have FileVault enabled, which I recommend, the account has to be set to allow FileVault logins after starting up or restarting.)

However, sometimes your password winds up memorized by your fingers—I’m sure you’ve had this happen. I recently had to reset an iPhone I kept for beta testing and an iPad mini because I absolutely forgot the six-digit PINs on each, despite having entered them for years. I stumbled while tapping the PIN in once and realized I had been entering the PINs so automatically that I couldn’t recall them to conscious memory. I had to reset both devices—and I used a secure password manager to store their PINs. Of course, that requires that I remember the unlocking password for the password manager but I enter that sometimes multiple times per day, and have escrowed it with my spouse as well.

You can disable locking on your Mac, but consider that you could lose track of its password if you aren’t required to enter it for long periods of time.


You may also have Macs you use infrequently, or ones you leave logged in without requiring a password to unlock them, so that among the many passwords you have used in your life, that Mac account’s password now escapes you. (You can disable two kinds of automatic locking by setting System Settings > Lock Screen > “Require password after the screensaver begins or display is turned off” to Never.)

The first three times you enter a macOS account’s password incorrectly, you’re chided but not delayed. Then delays start: after the fourth time, you have to wait 1 minute; after the fifth, 5 minutes. This increases to 15 minutes, 1 hour, 3 hours, and then 8 hours after the ninth time. After the 10th time, you have to turn to macOS recovery, where you get another 10 attempts with the same escalating delays. Exhaust those, and you can try to use the FileVault recovery key process (if FileVault is enabled) and iCloud-based account password resetting. If you’re in a company that has a “FileVault institutional key,” you get another 10 attempts.

After you enter an account password incorrectly, macOS starts prompting you with offers of help before it starts informing you of a timeout before the next entry.


Restarting during this process resets the current timer. So if you’ve waited four of the eight hours of a timeout and restart, you then have to wait another eight hours. After all the above rounds of 10 attempts are exhausted, the drive is unrecoverable even if you figure out what the correct account password should be.

Once you log in, these timeouts disappear, which Apple says is to prevent malware that could run in an actively logged-in session from intentionally disabling your device through failed login efforts.
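To make the schedule above concrete, here is a small Python model of that escalating lockout, written for this article as an illustration; it is not Apple’s code and does not describe how the Secure Enclave is implemented. It uses only what the text states: three free tries, then waits of 1, 5, 15, 60, 180 and 480 minutes, a second round of 10 attempts in recovery, a restart that restarts the current wait from the full value, and a successful login that clears everything. The stage names and the `LockoutModel` class are assumptions made for the example.

```python
from dataclasses import dataclass

# Minutes you must wait after the Nth consecutive wrong password (per the article).
# Failures 1-3 carry no delay; the 10th failure ends the stage instead of delaying.
DELAY_AFTER_FAILURE = {4: 1, 5: 5, 6: 15, 7: 60, 8: 180, 9: 480}
ATTEMPTS_PER_STAGE = 10
# Assumed stage names: normal login, then macOS Recovery. The article also mentions
# an extra round for a FileVault institutional key; add "institutional" to model it.
DEFAULT_STAGES = ("login", "recovery")


def delay_seconds(failure_number):
    """Seconds of lockout imposed after the given consecutive failure count."""
    return DELAY_AFTER_FAILURE.get(failure_number, 0) * 60


def total_wait_per_stage():
    """Wall-clock seconds spent waiting if all delayed attempts in one stage are used."""
    return sum(delay_seconds(n) for n in range(1, ATTEMPTS_PER_STAGE))


@dataclass
class LockoutModel:
    """Tracks failures, the current stage and when the next attempt is permitted."""
    stages: tuple = DEFAULT_STAGES
    stage: int = 0            # index into `stages`
    failures: int = 0         # consecutive failures within the current stage
    unlock_at: float = 0.0    # wall-clock time (seconds) at which attempts resume

    def exhausted(self):
        # Every stage used up: the article says the drive is then unrecoverable.
        return self.stage >= len(self.stages)

    def current_stage(self):
        return self.stages[self.stage] if not self.exhausted() else "exhausted"

    def can_attempt(self, now):
        return not self.exhausted() and now >= self.unlock_at

    def record_failure(self, now):
        """Register a wrong password at time `now`; return seconds until the next try."""
        if not self.can_attempt(now):
            raise RuntimeError("attempt made while locked out or after exhaustion")
        self.failures += 1
        if self.failures >= ATTEMPTS_PER_STAGE:
            # Tenth failure: move to the next stage (e.g. Recovery) with a fresh count.
            self.stage += 1
            self.failures = 0
            self.unlock_at = now
            return 0.0
        wait = delay_seconds(self.failures)
        self.unlock_at = now + wait
        return wait

    def restart(self, now):
        """A restart does not shorten the wait: the full current delay starts over."""
        if not self.exhausted() and self.failures in DELAY_AFTER_FAILURE:
            self.unlock_at = now + delay_seconds(self.failures)

    def record_success(self):
        """A correct password clears the counter and any pending delay."""
        self.stage = 0
        self.failures = 0
        self.unlock_at = 0.0


if __name__ == "__main__":
    m = LockoutModel()
    t = 0.0
    for n in range(1, ATTEMPTS_PER_STAGE):
        wait = m.record_failure(t)
        print(f"failure {n}: wait {wait / 60:g} min")
        t += wait
    print(f"one stage costs {total_wait_per_stage() / 3600:.2f} hours of waiting")
```

Run it to see why a typed-in brute-force attempt is hopeless: a single round of 10 guesses costs 741 minutes (over 12 hours) of enforced waiting, a restart only pushes the deadline further out, and after the last stage the model refuses further attempts altogether.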

This Mac 911 article is in response to a question submitted by Macworld reader Real.

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered; we don’t reply to email, and we cannot provide direct troubleshooting advice.
