User profile for user: nudluhc
nudluhc Author
User level: Level 1
4 points

macOS Password Reset Security (M1 vs. Intel)

Hey everyone,

I'm currently running a Proof of Concept (PoC) for password reset procedures on two different MacBooks, and I've hit a strange wall with the initial boot process and the security requirements—the starting point is completely different.

Crucial Context for the Intel Mac: This specific MacBook Pro 15" (2018 / Intel i7) has been stored for a long time, and I have no prior knowledge of its configuration, what security settings were applied, or who the previous user was. I'm just using it for a random comparison test, and this is its current state!

Here's what I'm observing:

  • Apple Silicon Device (M1 Max / macOS Sequoia):
    • Boot: Normal. Shows the login screen first.
    • Reset Process: When in Recovery Mode, after the "Deactivate Mac" prompt (which needs internet), the system requires NO Apple ID or local password credentials to proceed with the password reset.
    • Crucial Detail: I tested this process with "Find My" both ON and OFF. In both scenarios, the reset process remained the same: no authentication was needed after the device Deactivation step.
  • Intel Device (2018 i7 / macOS Sonoma): This is the weird part.
    • Boot: As soon as I hit the Power button, it immediately bypasses the standard graphical login screen and jumps straight into Internet Recovery Mode (the spinning globe icon), without the need for $\text{Command} + \text{R}$ or anything!
    • Reset Process: Once in Recovery Mode, the system immediately demands the Apple ID credentials associated with the machine before I can even access the Terminal or the Reset Password utility.

My Questions are two-fold:

  1. What established security setting or specific condition would cause this Intel-based MacBook Pro (running Sonoma) to automatically boot into Internet Recovery Mode right away, skipping the local login screen entirely? (Given its unknown history, is this a strong indication of a Firmware Password or Activation Lock being active?)
  2. Why is the security model so fundamentally different? Why does the Intel Mac strictly require the Apple ID to access utilities, while the Apple Silicon Mac allows the reset with NO authentication needed after the simple Deactivation step—even when "Find My" is active?


Any insights into these two major differences and how the Intel Mac's unknown history might contribute to this behavior would be hugely helpful for our lab procedures. Thanks in advance for the expertise!

Posted on Dec 4, 2025 12:48 AM

Reply
3 replies
User profile for user: azaksalmarzur28
azaksalmarzur28
User level: Level 2
426 points

Dec 4, 2025 1:52 AM in response to nudluhc

Your Intel T2 Mac boots directly into Internet Recovery because it likely has missing local recovery, and possibly a firmware password or prior Activation Lock. Unlike Apple Silicon, Intel T2 Macs enforce Apple ID authentication before allowing access to Recovery utilities.


Apple Silicon devices use a newer security model where wiping the device is always allowed, and Activation Lock is enforced later at activation—hence why no credentials were required on the M1 system.

Reply
User profile for user: neuroanatomist
neuroanatomist
User level: Level 9
55,605 points

Dec 4, 2025 7:02 AM in response to nudluhc

nudluhc wrote:

Does this mean that if an M1 MacBook is stolen, a thief could easily reset the local user password and access the device? This seems somewhat ironic given it is promoted as a 'newer security model.' Could you please clarify this apparent loophole?

Also, with all due respect, I need concrete evidence for my report. Do you have, or are you aware of, any official technical documentation from Apple that details this specific security model where local password reset is permitted without credentials, even when 'Find My' is active?

The documentation, such as it is, is here:

If you forgot your Mac login password - Apple Support


The Terminal method allows a password reset and access to the Mac and all data on it except keychains and encrypted disk images, IF FileVault was not enabled on the Mac. If FileVault was enabled, the FileVault Recovery Key will also be needed. IMO, this is why Tahoe now turns on FV by default – the password reset is something of a gaping security hole albeit one of which not many people are aware.


Regarding FindMy, what do you mean by 'active'? If you just mean that FindMy is turned on, that's not enough. To lock out the Mac with FindMy, you need to turn on Lost Mode.


Turn on Lost Mode for a device in Find My on Mac - Apple Support


Reply
User profile for user: nudluhc
nudluhc Author
User level: Level 1
4 points

Dec 4, 2025 2:02 AM in response to azaksalmarzur28

Does this mean that if an M1 MacBook is stolen, a thief could easily reset the local user password and access the device? This seems somewhat ironic given it is promoted as a 'newer security model.' Could you please clarify this apparent loophole?


Also, with all due respect, I need concrete evidence for my report. Do you have, or are you aware of, any official technical documentation from Apple that details this specific security model where local password reset is permitted without credentials, even when 'Find My' is active?

Reply

macOS Password Reset Security (M1 vs. Intel)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up