New Mac, needs a backdoor account

I've always first set up a new Mac with a backdoor so that I can get administrator access in case I ever royally screw it up. This has saved me more times than I care to remember.

TL;DR — It takes only a couple of minutes to set up a backdoor administrator account on macOS. It's totally worth it.

I don't use any device these days that I can't set up exactly how I like it without other administrators interfering. Also, I think it is just an old behaviour I have from decades ago at Sun, but I've always made sure I have multiple routes to administrator on any computer I own. So it's one of the chores I undertake when I get a new computer. My backdoor administrator account always has the same name and password on every computer I have.

This is because when you need it, you need it, and it would be inconvenient to have to look it up. I won't tell you what it is, but for the purposes of this article let's assume the username is backdoor and the password is bd. Of course, it isn't on my real devices.

macOS backdoor account setup

As this is always the first account I ever set up on a Mac, I know it will be Unix user id 501. This doesn't seem to matter much these days for macOS, but on all my Macs I try to use the same id.

I like to have a simple password bd. macOS doesn't like this though. It is too short. You have to enter a longer password in macOS setup. I don't know when macOS stopped allowing you to override the policies, but now password policies are controlled by a set of account policies, managed by a tool called pwpolicy. You can use this tool to manipulate password policies for a particular user on macOS.

Because I want a short password, I cleared the policies for this user and was able to set my short password from the terminal.

% pwpolicy -clearaccountpolicies
Password for authenticator backdoor:
Clearing global account policies
% passwd backdoor
Changing password for backdoor.
Old Password: youroldpassword
New Password: bd
Retype New Password: bd

################################### WARNING ###################################
# This tool does not update the login keychain password.                      #
# To update it, run `security set-keychain-password` as the user in question, #
# or as root providing a path to such user's login keychain.                  #
###############################################################################

% security set-keychain-password 
Old Password: youroldpassword
New Password: bd
Retype New Password: bd 

As you can see, I had to separately update the login keychain password. But now I have my backdoor admin account, and can go on to set up my real day-to-day user account.
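
To check the result of the setup above, this added example (not part of the original post) lists which local accounts are in the admin group together with their UIDs, so you can confirm the spare account is UID 501 and that no unexpected administrators exist. The `dscl` output samples are constructed and the function name `admin_uids` is hypothetical.

```shell
#!/bin/sh
# Added example: inventory local admin accounts and their UIDs on macOS.

# Constructed sample of: dscl . -read /Groups/admin GroupMembership
SAMPLE_ADMIN='GroupMembership: root backdoor alice'
# Constructed sample of: dscl . -list /Users UniqueID
SAMPLE_UIDS='_www                    70
alice                   502
backdoor                501
bob                     503
root                    0'

# admin_uids MEMBERSHIP UIDLIST
# Prints "name uid" for every admin-group member whose UID is >= 501
# (ordinary local accounts start at 501), sorted by UID.
admin_uids() {
  # Strip the attribute label, leaving a space-separated member list.
  members=$(printf '%s\n' "$1" | sed 's/^GroupMembership: *//')
  printf '%s\n' "$2" | awk -v m="$members" '
    BEGIN { n = split(m, a, " "); for (i = 1; i <= n; i++) admin[a[i]] = 1 }
    ($1 in admin) && $2 >= 501 { print $1, $2 }' | sort -k2,2n
}

# On a Mac, read live directory data; elsewhere fall back to the samples.
if command -v dscl >/dev/null 2>&1; then
  admin_uids "$(dscl . -read /Groups/admin GroupMembership)" \
             "$(dscl . -list /Users UniqueID)"
else
  admin_uids "$SAMPLE_ADMIN" "$SAMPLE_UIDS"
fi
```

Direct members of the admin group are reported; accounts that gain admin rights through nested groups are not covered by this check.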