alt.hn

3/30/2026 at 5:21:49 PM

Recover Apple Keychain

https://arkoinad.com/posts/apple_keychain_recovery.html

by speckx

3/31/2026 at 12:14:19 AM

There is a lot of documentation from Apple on how all of this works, but this is indeed expected behaviour. A way to make this smoother would have been:

  1. Doing the password reset
  2. Reboot straight back into recovery
  3. Update your new password back into your old password
  4. Boot into macOS, your default keychain will unlock but you'll still have to re-authenticate to iCloud since your machine-user identity combo will no longer match with what iCloud expects. (not sure if this is part of Octagon Trust, but there are various interesting layers to this)

Check the escalation path of key revocation, for example, where you don't just have longer time delays but also stricter environments where new attempts can be made (near the end): https://support.apple.com/en-gb/guide/security/sec20230a10d/...

There are a number of much more in-depth technical guides and specs, but just listing out random articles (or the Black Hat talk(s)) would probably rob someone of a nice excursion into platform security.

by oneplane

3/31/2026 at 5:39:31 AM

The article was written in the heat, or rather the panic, of the situation: I needed to get work done for which I was being paid, and my search results on iCloud/keychain recovery didn't yield any useful results.

by arkoinad

3/31/2026 at 1:18:28 PM

Oh yeah, you got the same process down pretty much yourself, wasn't an RTFM dig or anything like that. It was more aimed at others who might end up here, more tools, more better!

It's interesting how with some systems/engineering thinking you'll pretty much always get there in the end anyway, which is also why articles like yours are pretty neat. (sadly, not everyone takes the time to write things down and share them these days)

by oneplane

3/31/2026 at 7:46:16 PM

Thanks!

by arkoinad

3/30/2026 at 8:34:36 PM

Based on this description, it sounds like someone walking past your unattended desk, bent on disrupting your day but not stealing your data, could enter a garbage password into the lock screen a few times and lock you out of your own laptop.

I guess the same works for cloud accounts as well. I remember, back in the mid-2000s, trying to log into my Hotmail account (never having failed to log in before) and getting a "locked out due to too many bad passwords" message. So someone, only knowing my user account name (which was the same as my email address), locked me out of my own account. The problem was, I couldn't remember what my recovery accounts were (I eventually figured it out).

by nabbed

3/30/2026 at 10:09:36 PM

Heck, once I cycled for half an hour with my iPhone in my pocket, and somehow the phone against my leg was in just the right position that it kept interpreting my leg movements as trying to enter a passcode.

Got home, pulled out my phone, and it had a message that it was locked for several hours due to so many failed passcode attempts. Incredibly annoying.

Still, only happened once in well over a decade of owning an iPhone.

I was mostly frustrated that there wasn't some alternate way of regaining access, like via my Mac or iPad logged in with the same Apple ID. Or that the failed passcode attempts didn't start eventually playing a loud alert sound or something on each failure.

by crazygringo

3/31/2026 at 2:15:56 AM

Yeah I used to get this a lot because I have my phone in my pocket when I'm doing land maintenance around the place here. It's massively annoying. That and watch gestures firing off and interrupting the music I'm listening to while I'm using powertools.

I've had to turn off a lot of features. All of the "raise to wake", always-on screens, gesture controls, movement controls on the watch, live activities on the watch, all sorts of stuff, anything related to movement or waking up the phone other than by a button press. Also had to turn the watch so the buttons are on the left to stop my gloves pressing them constantly.

It's a bit sad really, I think I've missed out on some decent features there. But compared to being locked out and/or having random actions trigger, it's an improvement.

by Nursie

3/31/2026 at 3:34:07 AM

>I've had to turn off a lot of features.

On my Pixel 4a, I had to turn off a "call 911" feature that I think was initiated by shaking the phone. I took a couple of walks with the phone in my front pocket, and the movement from my leg called 911 (which I would only find out when the police called me back to ask if everything was OK).

by nabbed

3/31/2026 at 6:07:13 AM

Yeah, that is unfortunate and embarrassing. I think I nearly called them a couple of times before I flipped my watch around.

Current gripe is that every so often, usually when my hands are busy, Siri interprets my "Hey Siri fast forward" to skip an ad on the podcast I'm listening to as an instruction to call Troy. Troy is a roofer I got to quote some work last year! He has picked up twice to me going "Sorry, really sorry, my robot called you ..."

by Nursie

3/31/2026 at 2:24:34 AM

It's even worse if you configure 10 incorrect attempts to wipe your device. This is fairly common as part of MDM-managed, business-provided devices.

by HDBaseT

3/31/2026 at 4:17:46 PM

In such situations I'll put it in Low Power Mode & Water Mode, which works fairly well and locks it down from stray input.

by riversflow

3/31/2026 at 1:06:28 AM

I wish there was a way to cap the lockout time.

It makes sense for 4-digit codes, but I have a 20-ish character password. I once locked myself out, and it was an incredibly frustrating experience.

My password can't be brute forced even with offline access to the hash, there is no risk of it being brute forced from keyboard input.

by WatchDog

3/30/2026 at 9:21:34 PM

The description is misleading. What made the OS create a new keychain was resetting their login password, not the failed password attempts.

(The login keychain is encrypted using the user's password, so it's reasonable to create a new one when the password is changed - otherwise, you end up in a situation where applications constantly pop up prompts for a password the user doesn't know every time they try to access the keychain, e.g. to load saved passwords in Safari. I've seen this happen on older versions of macOS and it's positively infuriating.)

by duskwuff

3/31/2026 at 5:42:08 AM

Well, I did mention that resetting my laptop password moved the old keychain to login-1.keychain-db.

by arkoinad

3/30/2026 at 8:40:02 PM

I remember entering a password for one service I subscribed to. It was Friday evening. I typed it wrong 5 times and my account was locked out with a message to contact customer service. Customer service was open Monday to Friday, 9am to 5pm. So I was unable to use it for a couple of days. It was a painful experience. I found an alternative though, and on Monday cancelled it.

by varispeed

3/31/2026 at 7:42:58 AM

When I first switched to Mac from Windows I was really fascinated by the fact that generally you _could_ figure things out on your own and fix your system by just examining the filesystem structure (in a recovery root shell). E.g. I once decided I wanted to try out Mac OS X Server on my laptop and for whatever reason the install process got stuck, preventing me from logging in. To fix it I just rebooted into recovery mode, found some lock file present (something like server-install.lock), removed it and got my desktop back :). I was able to do it because the naming conventions in the OS filesystem were so easy to understand. I then discovered that my "Sharing" preferences pane had also disappeared, and I was able to find it in the system folders, renamed to "Sharing.prefpane-stowed-away" or something like this. I removed the unnecessary suffix and got my prefpane back.

I don't think modern macOS is as easy to tinker with anymore and I never had the need to fix it manually ever again either — but it felt incredibly cool to be able to fix it myself without any manual or even internet access for that matter.

by nasretdinov

3/30/2026 at 8:24:41 PM

It Just Works™... until you don't want to take the default option. I'm sure your average user would just be SoL if going through this same experience.

by xd1936

3/30/2026 at 9:54:56 PM

Keychain is one of the worst APIs on Apple platforms, with parts that date all the way back to Mac OS 9. It's not surprising there are various breaking bugs from decades of low maintenance.

by jshier

3/30/2026 at 11:06:04 PM

You can also just open the old keychain using the old password.

by dwaite
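The keychain-level version of the fix, as an added example (not code from the linked post or from anyone in this thread): it covers both what oneplane describes further up (get the keychain back under a password that matches the login password) and dwaite's point that the old keychain still opens with the old password. The script first takes a dated, labelled copy of the whole Keychains directory, the defensive step several commenters ask for, then uses macOS's `security(1)` to unlock login-1.keychain-db with the old login password, re-key it to the current one, and append it to the user keychain search list so applications can see its items again. Assumptions of mine, not the page's: the old file still sits at ~/Library/Keychains/login-1.keychain-db, the old password is known, and all function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example; not code from the linked post or from anyone in this thread.
# Assumptions (mine): the old keychain is at ~/Library/Keychains/login-1.keychain-db,
# the old login password is known, and macOS security(1) is on PATH for the
# re-key step. backup_keychains() needs only cp/date and runs anywhere.
set -eu

KEYCHAIN_DIR="${KEYCHAIN_DIR:-${HOME:-.}/Library/Keychains}"

# Dated, labelled copy of the whole Keychains directory before anything is moved
# or removed. Prints the backup path.  Usage: backup_keychains <dir> <label>
backup_keychains() {
    src="$1"; label="$2"
    dest="${src}-$(date +%Y%m%d-%H%M%S)-${label}"
    cp -Rp "$src" "$dest"
    printf '%s\n' "$dest"
}

# Current user keychain search list, one absolute path per line
# (security prints each path indented and double-quoted).
current_search_list() {
    security list-keychains -d user \
        | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Re-key a keychain from the password it was created under to the current login
# password, then append it to the search list so apps can find its items.
# Returns 2 when security(1) is unavailable, 1 when the file is missing.
# Usage: recover_old_keychain <keychain-file> <old-password> <current-password>
recover_old_keychain() {
    kc="$1"; old_pw="$2"; new_pw="$3"
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; the re-key step only runs on macOS" >&2
        return 2
    fi
    if [ ! -f "$kc" ]; then
        echo "no such keychain: $kc" >&2
        return 1
    fi
    # The file is encrypted under the password it was created with, so the old
    # password must still open it; a wrong password fails here, before any change.
    security unlock-keychain -p "$old_pw" "$kc"
    # Re-encrypt the keychain under the current login password.
    security set-keychain-password -o "$old_pw" -p "$new_pw" "$kc"
    # Rebuild the search list: every existing entry plus this keychain, no duplicates.
    set --
    while IFS= read -r path; do
        if [ -n "$path" ] && [ "$path" != "$kc" ]; then
            set -- "$@" "$path"
        fi
    done <<EOF
$(current_search_list)
EOF
    security list-keychains -d user -s "$@" "$kc"
    security lock-keychain "$kc"
    echo "re-keyed and added to search list: $kc"
}

# Stand-alone use: sh recover_keychain.sh --run
# Passwords are read from the terminal rather than argv so they do not show in ps.
if [ "${1:-}" = "--run" ]; then
    backup_keychains "$KEYCHAIN_DIR" "before-keychain-recovery"
    printf 'Old login password: '; stty -echo; read -r old_pw; stty echo; echo
    printf 'Current login password: '; stty -echo; read -r cur_pw; stty echo; echo
    recover_old_keychain "$KEYCHAIN_DIR/login-1.keychain-db" "$old_pw" "$cur_pw"
fi
```

Two design notes. The backup is taken of the directory rather than the single file because the login keychain is not the only thing in there, and a copy beside the original with a date and a reason in the name is what you want to find six months later. The re-keyed keychain is appended to the search list rather than swapped in as the default, so the keychain that macOS created at the password reset keeps working and nothing the script does is destructive; if you would rather fold the old items into the new login keychain, Keychain Access can drag them across once both are unlocked.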

3/31/2026 at 3:05:57 AM

I kinda feel uncomfortable with the comfort of Touch ID. So, I tend to type passwords once in a while to keep my muscle memory, especially for key accounts, which are the entry points to other passwords (Apple, 1Password, Google, etc.).

These days, I believe that the only reason one does not get such misfortunes of being hacked/attacked is that most of us are not important enough to get the attention of any external threats. Hence, mostly luck more than actually being secure.

I have been working towards a process/pattern, as a last resort, to be able to walk out of anything and have backup options when misfortunes strikes or my luck runs out. I don’t even know the path yet.

by Brajeshwar

3/31/2026 at 3:34:27 AM

I think some people have a safe deposit box at a bank with paper copies of passwords

by bathtub365

3/31/2026 at 12:19:25 AM

Forgetting what the password is because you always just use the fingerprint reader…that’s why for elderly family members I nowadays set it up not to use the fingerprint any more. I thought they’d be annoyed but funnily enough they experience it as a sense of agency, that they are the one unlocking the computer and are in charge of it.

by JSR_FDED

3/30/2026 at 9:47:56 PM

Apple Keychain has a number of old bugs that have caused me to have to resort to this strategy several times. The most common problem is having a secure note that you can open, but then immediately disappears (closes). Copying over an older keychain database can sometimes solve the problem.

by fastaguy88

3/30/2026 at 8:35:03 PM

Is there really no supported model for this scenario? Surely the point of an iCloud backup is that you can restore from the cloud rather than do a local hack to try to regain access to locked keychain db.

What happens if you just set up the device as a new machine and login to your iCloud like normal?

by dpark

3/30/2026 at 8:47:39 PM

There are some different options depending on settings - Apple will encrypt to an internal (Apple-held) key that your iCloud login will unlock under most circumstances. This can be turned off by consumers, and I would expect by IT departments as well.

by vessenes

3/31/2026 at 12:32:09 AM

“Delete iCloud Data” sounds like it’s in the cloud, though. I would hope it’s not “in the cloud but useless”. Maybe I’m wrong though.

by dpark

3/30/2026 at 8:29:14 PM

Good information to have. I was surprised by step 2 though (rm login.keychain-db). How can you be absolutely sure it doesn't contain anything important and you won't need it later?

I'd probably opt for a more defensive action here and just rename it (like the original reset did).

by zapkyeskrill

3/31/2026 at 6:34:34 PM

I left that bit of information out of the post but I actually had a copy of the Keychains directory before I mv-ed login-1.keychain-db to login.keychain-db. Since that confirmed my hunch it probably gave the sense I was confident in moving instead of renaming.

by arkoinad

3/30/2026 at 9:26:42 PM

I'm hoping that was just the blog version of what they did (since it's more succinct), but yes, I have so many "-CURRENTDATE-EXPLANATION.ext" files for any flat-file databases I interact with (keychain, sqlite, db4, etc). It's saved me more times than I can count.

Going in to fix a service that uses sqlite and seeing 5 other times I recovered data or was making a change is always fun.

by joshstrange

3/31/2026 at 5:19:20 AM

Is there a way to sync passkeys out of Apple Passwords / Keychain? I dread an iCloud lockout.

by znnajdla

3/31/2026 at 5:43:14 AM

Yes, that is something I have been thinking about since this incident happened.

by arkoinad

3/31/2026 at 1:49:45 AM

This is one of those articles that either people will stumble upon when they are up a creek without a paddle... or... something 100 ai slop articles will poorly summarize in their "11 ways to recover your icloud data" article.

by m463

3/30/2026 at 10:30:41 PM

> Still, I had assumed there might be some kind of master key that would handle this automatically during a password reset.

This assumption, by a clearly technical person, is a fundamental problem that keeps "the rest of the world" locked in to centralised services where that is true, and where that master key can be used against them by law enforcement, fascist regimes, and surveillance capitalists.

by bigiain

3/31/2026 at 5:27:34 AM

Author of the blog post here: Firstly, I didn't expect anyone would read my blog post (at least not this soon), let alone someone posting a link on Hacker News. Yeah, I realized while I was writing that if somehow that (my assumption about a master key) did happen then it would be bad press and completely destroy Apple's reputation for being privacy first. At the same time, for a use case like mine where I want my work isolated from personal, it is weird that without a proper way to get the data back they would allow this to happen. I mean, if I really didn't remember my password then my keychain data would have been gone, without which a lot of work-related info would have been hard to recover.

by arkoinad