How Mac OS X Implements Password Authentication, Part 2 - Dave Dribin's Blog

In this article, I'm going to get right down to the nitty-gritty of the OS X password implementation on 10.2, 10.3, and 10.4. I assume you have some knowledge of cryptographic hashes and algorithms. I will also assume you have knowledge of Unix password systems, since OS X passwords are (not surprisingly) heavily based on Unix implementations.

The most obvious difference from classic Unix implementations (and it is common to all current versions of OS X) is that user information is stored not in flat files like /etc/passwd and friends, but in an actual database, called NetInfo. The problem is that flat files just don't scale beyond small systems. NetInfo's history goes all the way back to NeXTSTEP, and it is similar in concept to Sun's NIS and to the LDAP protocol. All three of these mutually incompatible solutions store user information in a database instead of flat files, to improve performance and scalability. These days LDAP has pretty much beaten out the other two in the Unix enterprise, but NetInfo persists on desktop versions of OS X. I presume this is because it works and it's just not worth changing at this point. NetInfo provides some nice Unix compatibility features. One example is the command to dump the NetInfo user database in standard Unix passwd file format:

% nidump passwd .

This is where things start diverging between OS X versions. In OS X 10.2 (and presumably 10.0 and 10.1), the hashed password is stored directly in NetInfo, and it uses the standard Unix DES-based crypt(3) hash. Since every user has read access to the complete NetInfo database, any user on the machine can run the nidump command above and get every other user's hashed DES password, ready for offline cracking. To illustrate this point, let's say we have a fictitious user with the login "sjobs" and the password "macintosh":

% nidump passwd . | grep sjobs
sjobs:3dI880QaIz.Wk:501:501::0:0:sjobs:/Users/jobs:/bin/bash
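To make the exposure concrete, here is an added example (not code from the original post) that parses a constructed `nidump passwd .` dump in the ten-field BSD layout shown above, classifies each password field, and lists the accounts whose DES crypt hash is sitting in the dump for anyone to read. Only the sjobs line comes from the article; the other accounts, and the md5-crypt-looking string on the "bob" line, are invented sample data, and recognising the modular-crypt prefixes ($1$, $6$ and so on) goes beyond what this part of the article covers.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `nidump passwd .` output. The "sjobs" line is the one
# from the article; the other accounts are invented to exercise the parser
# (the $1$ string on the "bob" line is not a real hash of anything).
# Fields follow the BSD ten-field layout that nidump emits:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_NIDUMP = """\
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
sjobs:3dI880QaIz.Wk:501:501::0:0:sjobs:/Users/jobs:/bin/bash
alice:********:502:502::0:0:Alice:/Users/alice:/bin/bash
bob:$1$fakesalt$notARealMd5CryptHashXXXXX:503:503::0:0:Bob:/Users/bob:/bin/tcsh
"""

# Traditional crypt(3) output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# A field made only of these characters is a placeholder: the real hash lives
# elsewhere (a shadow file, another directory store) or the account is locked.
PLACEHOLDER_RE = re.compile(r"^[*!x]+$")
# Modular-crypt prefixes used by the newer salted, iterated schemes.
MODULAR_PREFIXES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
}


@dataclass
class PasswdEntry:
    name: str
    hash_field: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_nidump(text: str) -> List[PasswdEntry]:
    """Parse passwd-format lines (BSD 10-field or classic 7-field) into entries."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 10:
            name, pw, uid, gid, _cls, _change, _expire, gecos, home, shell = fields
        elif len(fields) == 7:
            name, pw, uid, gid, gecos, home, shell = fields
        else:
            raise ValueError(f"line {lineno}: expected 7 or 10 fields, got {len(fields)}")
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def classify_hash(field: str) -> str:
    """Name the scheme a passwd hash field uses, or flag that it holds no hash at all."""
    if field == "":
        return "empty"          # no password needed to log in
    if PLACEHOLDER_RE.match(field):
        return "placeholder"    # nothing to crack in this field
    for prefix, scheme in MODULAR_PREFIXES.items():
        if field.startswith(prefix):
            return scheme
    if DES_CRYPT_RE.match(field):
        return "des-crypt"
    return "unknown"


def exposed_des_accounts(entries: List[PasswdEntry]) -> List[Tuple[str, str, str]]:
    """Return (name, salt, hash) for every account whose DES hash is readable in the dump.

    The two leading characters are the 12-bit salt (4096 possibilities), and DES
    crypt only looks at the first 8 characters of the password, so "macintosh"
    and "macintos" hash identically. A readable dump is an offline-cracking gift.
    """
    return [
        (e.name, e.hash_field[:2], e.hash_field)
        for e in entries
        if classify_hash(e.hash_field) == "des-crypt"
    ]


def report(text: str) -> List[str]:
    """One line per account, e.g. 'sjobs: des-crypt (salt 3d)', for a quick audit."""
    lines = []
    for e in parse_nidump(text):
        scheme = classify_hash(e.hash_field)
        salt = f" (salt {e.hash_field[:2]})" if scheme == "des-crypt" else ""
        lines.append(f"{e.name}: {scheme}{salt}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NIDUMP)))
```

Running the script against a real dump (`nidump passwd . | python3 audit.py`-style piping is a trivial change to the `__main__` block) gives a per-account list of which password fields actually contain crackable material; on a 10.2 box every local account with a 13-character field is one.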