I think on previous versions of OS X, passwords were stored in the /etc/shadow file.
Nevertheless, this file doesn't appear to exist in the later versions of the operating system – specifically OS X 10.9 which is the first of the non-cat named OS releases.
Does anyone know where the password hashes are stored on OS X Mavericks?
Best Answer
Starting with Lion, OS X introduced a shadow file per user that is a plist dictionary that contains password hashes and other GID/UID/kerberos and open directory type keys.
The shadow files are stored on the filesystem at /var/db/dslocal/nodes/Default/users. They are in plist format so you'll need to use the plutil command to view them or use the defaults command to extract/write specific keys if desired. Only the root user has access to the files.
To view the contents of a shadow file for a user:
To get the hash:
Where <username> in the above examples is the user you're looking for the hash for. You want the <data> section that corresponds to the <key>entropy</key> key in that plist output.
To continue on to try and crack the password see this tutorial.
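The record layout described in the answer above, as an added example that is not part of the original post: a Python sketch that audits which hashing scheme, salt length and iteration count a user record carries, without printing the hash itself. The key names ShadowHashData and SALTED-SHA512-PBKDF2 do not appear in the answer and are taken from the known record format; the account, password and sizes are constructed sample data.

```python
import hashlib
import os
import plistlib


def build_sample_record(password: bytes, iterations: int = 25000) -> bytes:
    """Constructed stand-in for <username>.plist (no real account data)."""
    salt = os.urandom(32)  # assumed sizes: 32-byte salt, 128-byte entropy
    entropy = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=128)
    inner = {"SALTED-SHA512-PBKDF2": {
        "entropy": entropy, "salt": salt, "iterations": iterations}}
    record = {
        "name": ["alice"],  # constructed user
        "uid": ["501"],
        # The hash data is itself a binary plist nested inside a <data> blob.
        "ShadowHashData": [plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)],
    }
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def describe_shadow_hash(record_bytes: bytes) -> dict:
    """Report scheme parameters for one user record; never returns the hash."""
    record = plistlib.loads(record_bytes)  # auto-detects XML or binary
    user = record.get("name", ["?"])[0]
    blobs = record.get("ShadowHashData")
    if not blobs:  # e.g. an account with no local password hash
        return {"user": user, "schemes": {}}
    inner = plistlib.loads(blobs[0])  # second, nested plist
    schemes = {}
    for scheme, params in inner.items():
        if isinstance(params, dict):
            schemes[scheme] = {
                "iterations": params.get("iterations"),
                "salt_bytes": len(params.get("salt", b"")),
                "entropy_bytes": len(params.get("entropy", b"")),
            }
    return {"user": user, "schemes": schemes}


if __name__ == "__main__":
    print(describe_shadow_hash(build_sample_record(b"constructed-password")))
```

On a real system the input would be the root-only plist for one user under /var/db/dslocal/nodes/Default/users, read with root privileges and passed to describe_shadow_hash as bytes.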