If a network or mobile account password is changed by an administrator, or if the password expires as part of a directory security policy, the keychain must be updated upon next login. In most cases the OS will prompt the user with the message "The system was unable to unlock your login keychain", followed by these options…
- Continue Log In
- Create New Keychain
- Update Keychain Password (default and recommended choice)
Below are the three scenarios a user will face, depending on the option chosen.
Continue Log In
Selecting "Continue Log In" will provide access to desktop files; however, network services and some third-party applications will present warning dialogs because the login keychain is still locked with the old password. Fortunately, the keychain can still be updated using the following method:
- Open Keychain Access located in Applications > Utilities.
- From the Edit menu, choose: Change Password for Keychain "login"…
- Type the previous password, then click OK.
- If the correct password is entered, a new window appears. Enter the original password again in the Current Password field.
- In the New Password field, type the password that matches the current account password.
- Re-enter the newer password in the Verify field, then click OK.
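The same update can be scripted for cases where Keychain Access is inconvenient (a remote session, or a management tool that runs in the user's context). The script below is an added example and is not from the original article; it uses the macOS `security` command-line tool, whose `unlock-keychain` and `set-keychain-password` subcommands perform the same two steps as the GUI: prove the previous password still opens the keychain, then change it. The keychain path assumed here is the default login keychain on macOS 10.12 and later (`login.keychain-db`); older systems use `login.keychain`, which can be supplied via the `LOGIN_KEYCHAIN` environment variable.

```bash
#!/bin/bash
# Added example (not part of the original article): update the login keychain
# password from the command line, mirroring the Keychain Access steps.
# Assumption: the login keychain lives at the default path for macOS 10.12+.
LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# update_login_keychain_password OLD_PASSWORD NEW_PASSWORD
# Return codes:
#   0  keychain password updated
#   1  an argument was empty
#   2  the `security` tool is not available (not running on macOS)
#   3  the previous password did not unlock the keychain (same failure
#      as a wrong entry in the Keychain Access "Current Password" field)
#   4  unlocking worked but the password change itself failed
update_login_keychain_password() {
  old_pw="$1"
  new_pw="$2"
  [ -n "$old_pw" ] && [ -n "$new_pw" ] || return 1
  command -v security >/dev/null 2>&1 || return 2
  # Step 1: the GUI first asks for the previous password; refuse to go on
  # if it no longer opens the keychain.
  security unlock-keychain -p "$old_pw" "$LOGIN_KEYCHAIN" >/dev/null 2>&1 || return 3
  # Step 2: change the keychain password to match the account password.
  security set-keychain-password -o "$old_pw" -p "$new_pw" \
    "$LOGIN_KEYCHAIN" >/dev/null 2>&1 || return 4
  return 0
}

# Interactive wrapper: reads both passwords without echo so they never
# appear in shell history. Call this from a terminal; it is not run on load.
prompt_and_update() {
  printf 'Previous account password: '
  read -rs old_pw; echo
  printf 'Current account password: '
  read -rs new_pw; echo
  update_login_keychain_password "$old_pw" "$new_pw"
  rc=$?
  case "$rc" in
    0) echo "Login keychain password updated." ;;
    1) echo "Both passwords are required." ;;
    2) echo "The security tool was not found; this script requires macOS." ;;
    3) echo "The previous password did not unlock the keychain." ;;
    4) echo "Unlock succeeded but the password change failed." ;;
  esac
  return "$rc"
}
```

One caveat for anyone wrapping this in a management script: passwords passed as arguments to `security` are visible in the process list for the moment the command runs, so prefer the interactive wrapper (or run `security set-keychain-password` with no `-o`/`-p` flags, which prompts on the terminal) over embedding passwords in a command line or a script file.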
The new password will still need to be entered for other directory services such as email or server mounts.
Create New Keychain
Selecting "Create New Keychain" will result in the destruction of the original keychain and all associated passwords. Each password will need to be re-entered. In most cases, users simply do not know their saved passwords, so those passwords may need to be reset. If a backup solution is in place, such as CrashPlan, it is possible to restore the previous user keychain and follow the instructions above (Continue Log In) to recover the lost credentials.
Update Keychain Password
Selecting "Update Keychain Password" and entering the previous password to unlock the keychain will result in the OS updating the login keychain password accordingly, so that services continue to work as expected. Hooray! If email is tied to the same directory credentials, or if server volumes are set to mount at login (single sign-on excluded), the new password must still be entered again to gain access.