

Prompt user on macOS to change local machine password on first login

I frequently set up new laptops for clients, and as a part of this, I’ll often set up their user account so I can sign in to all of their services for them. That way, when they get a new laptop and log in, they are ready to hit the ground running.

For many of them, I will set an easy-to-type and relatively insecure password and ask them to change it. However, I’m often surprised by the number of people who don’t bother and are, in some cases, using the same password years later.

Fortunately there’s a command that can be typed into the Terminal in macOS that will force a user account to reset their password at their next login:

pwpolicy -a adminuser -u newuser -setpolicy "newPasswordRequired=1"

Change adminuser and newuser as needed, e.g.:

pwpolicy -a admin -u kai -setpolicy "newPasswordRequired=1"

This will then prompt for the admin user’s password and when the new user logs in, they will first need to set a new password before they can continue logging in.
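When several accounts on the same laptop need the flag, the command above can be wrapped in a small script. This is an added example, not part of the original post: the function names, the DRY_RUN switch and the short-name character rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the post's pwpolicy command to several accounts.
# DRY_RUN=1 (the default) only prints the commands; run with DRY_RUN=0
# on the Mac to execute them.

# Conservative short-name check (an assumed rule for this example):
# first character a letter or underscore, then letters, digits, '_', '.', '-'.
valid_shortname() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command from the post for one admin/user pair.
# No -p option is passed, so pwpolicy prompts for the admin password
# rather than leaving it in shell history or the process list.
policy_cmd() {
    valid_shortname "$1" && valid_shortname "$2" || return 1
    printf 'pwpolicy -a %s -u %s -setpolicy "newPasswordRequired=1"\n' "$1" "$2"
}

# force_reset ADMIN USER...
# Returns non-zero if any account was skipped or pwpolicy failed.
force_reset() {
    admin=$1; shift; rc=0
    for user in "$@"; do
        if ! cmd=$(policy_cmd "$admin" "$user"); then
            echo "skip '$user': not a valid short name" >&2
            rc=1
            continue
        fi
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            pwpolicy -a "$admin" -u "$user" -setpolicy "newPasswordRequired=1" || rc=1
        fi
    done
    return $rc
}
```

After sourcing the file, `force_reset admin kai sam` prints the two commands for review, and `DRY_RUN=0 force_reset admin kai sam` runs them, prompting for the admin password each time.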

Note: in the man page for pwpolicy, at least on macOS 15 Sequoia, it states that -setpolicy is deprecated. In my limited testing it still works; however, this is obviously subject to change as per the whims of Apple. There’s another switch, -setaccountpolicies; however, this needs to be given an XML file with policy configuration in it.

I’d like to find out how to prompt the user to set up Touch ID when they first log in as well. If anyone knows, my comments are open…
