Login

u/jestemzturcji

▲ 5 r/osx+1 crossposts

Keychain is lost after password change

Hi everyone,

I’m trying to recover Safari Keychain passwords after a macOS password reset for my good friend, and I’d appreciate some guidance.

Device / OS

  • MacBook Pro 13" 2020, Intel
  • macOS Sonoma 14.6.1

My friends kid entered the Mac login password incorrectly many times. After that, he reset the Mac login password using the Apple ID option. After logging back in, all Safari/password entries were gone. Only passwords that were already present on the iPhone/iCloud seem to have synced back.

  • iCloud Keychain is enabled.
  • In Keychain Access, several renamed login keychains appeared:
    • login_renamed_1
    • login_renamed_2
    • login_renamed_3
  • These can be added/opened in Keychain Access, but they seem to contain mostly newer/synced data, not the missing old Safari passwords.
  • The current login.keychain-db is only about 130 KB, so it looks like a newly created login keychain after the reset.
  • Time Machine backup is not available.

There is folder i've found on the keychain:

~/Library/Keychains/UUID/

there is a keychain-2.db file, around 16.6 MB, originally created back in 2022 when the macbook first bought. This looks like the Local Items / iCloud Keychain database. My suspicion is that the old Safari/iCloud Keychain state might be inside this UUID folder, but I understand that keychain-2.db cannot simply be imported into Keychain Access like a normal login.keychain-db.

Files in that folder include:

  • keychain-2.db
  • keychain-2.db-wal
  • keychain-2.db-shm
  • user.kb
  • user.kb-invalid
  • some com.apple.security...TrustedPeersHelper database files

Unfortunately here is no Time Machine backup, but local APFS snapshots exist:

tmutil listlocalsnapshots /System/Volumes/Data

shows:

  • com.apple.os.update-(Most likely UUID number)
  • com.apple.os.update-MSUPrepareUpdate

We tried to mount one snapshot using:

sudo mount_apfs -s com.apple.os.update-(Most likely UUID number) /dev/disk1s1 /Volumes/oldsnapshot

but got:

mount_apfs: volume could not be mounted: No such file or directory

No files were modified; we were only trying to inspect the snapshot.

Is there any realistic way to restore or read the old Local Items/iCloud Keychain state from the UUID folder or from these APFS update snapshots?

Specifically:

  1. Can keychain-2.db from ~/Library/Keychains/<UUID>/ be restored safely if we can find an older snapshot version?
  2. Is there a correct way to mount these com.apple.os.update... APFS snapshots on Sonoma?
  3. If the old Safari passwords are not in iCloud/iPhone and there is no Time Machine backup, is recovery basically impossible?
  4. Is there any safe forensic method to inspect whether keychain-2.db contains old Safari website password entries, without damaging the current keychain?

I’m not trying to bypass security or recover someone else’s data. The owner knows the old Mac password and the Apple ID. We’re just trying to recover passwords lost after the Apple ID password reset / keychain mismatch.

Any advice from macOS/keychain experts would be appreciated.

PS. I've used AI to get together the sentences, unfortunately my brain is jelly due to doom scrolling and when I write things it's all over the place. So, this is not an AI post, I am human.

reddit.com
u/jestemzturcji — 14 days ago