Does it cause a problem to use the same AppleID password to unlock your Mac?

I used to advise people to use the same password as their AppleID to unlock the Mac user account. (To simplify the number of passwords they needed to remember).
But with some MacOS upgrades, the Mac user was required to make/create a different password to their AppleID to enable the Upgrade.
Is that still the case with Catalina?
And I’ve noted that Catalina can use the Mac Password to access the user’s AppleID services.
Is that different from Mojave and earlier systems? (I’ve not yet updated my Macs due to legacy programs not working on Catalina).
I’ve Glenn Fleishman’s book on AppleID and I couldn’t see any reference to it.
Can I recommend users to use the same password for their AppleID to unlock their Mac without any repercussions?
Thanks in advance for your comments.

NO!

You should not recommend using the same password in multiple security domains. In this case, the AppleID access is limited to just iCloud and App Store related functions. In contrast, the local User Login ID provides (usually via Keychain) access to many security domains, including iCloud and all those bank passwords users store in Safari.

Never never use the same password in different places – if many different passwords are required, use a password manager like 1Password to reduce the memorized passwords or passphrase to a small number. Let the computer work for you. See Norbert Weiner’s The Human Use of Human Beings.


While you are correct overall…in some instances better is the enemy of good enough and using the same password in 2 security domains can be acceptable. One must evaluate the level of risk, the level of user computer competency and the likelihood that a user will use a password manager before making a specific recommendation.

My answer to the OP question would be…it depends. Figure out the user…and while better is more than good enough…in many instances good enough is sufficient…particularly if the user can’t or won’t use better.

Of course, better often loses to good. And proper risk assessment is an absolutely necessary first step for security. But…

Computer user login passwords are such a special case of “keys to the kingdom” that there is only “good” and “worse” where “worse” is any re-use of such a password – “iffy” at best and more often “worse.”

A side issue is the constant mutation of iCloud features and services. It is good to keep these separate from local user logins.

We will have to have different opinions then…the threat model is pretty high on the list for me and most people won’t use a password manager. I’m not saying routinely use the same password but this is one I would be ok with depending on the user and threat model.

TTFN:

neil

Perhaps my question wasn’t phrased correctly?
Leaving aside the argument of reusing the same password etc…
What I am wanting to know is “is there a problem using one’s AppleID password to Unlock the Mac at the login window?”
Problem as in when there is the next MacOS upgrade will Apple again force the user to change the computer log in password (as was the case with, from memory, the High Sierra upgrade) as it can’t be the same as the user’s AppleID password.
And another associated “feature”: once logged into Catalina, the user is able to log into their Manage AppleID webpage by using their computer log-in password (due to a default setting in the Users & Groups preference pane).
This is new to Catalina? And why was it made possible?
Does that pose my query more precisely?

Not as far as I know…but I was not forced to change either login or iCloud on any upgrade ever.

neil

The three kinds of stress…nuclear, cooking and a&&hole. Jello is the key to the relationship.

Being “forced to change password” only applied when one was using the same password at the Mac login screen and for one’s AppleID (when doing the upgrade to the OS).
A dialogue message showed on the Mac screen when attempting the upgrade process along the lines of “can’t use AppleID password to unlock the Mac” (just paraphrasing).
@Neil1 were you using the same password at both spots when doing OS upgrades?

No…my Apple ID password is not any of the passwords on our Macs. I have synchronized the userids and passwords between our laptops and file server because it is simpler and IMO my security model makes it an acceptable decision.

Note that at least through Sierra 10.12, it’s possible for anyone who gets root access to find a plain text copy of the logged in user’s password. It may still be possible but I haven’t needed to try it for a long while.

Even if that particular hole has been fixed, if you have a keylogger in your system, it will capture the password when you use it.

You really don’t want a computer login password to be something that’s used for anything else. Not even a modification of it. It’s safer to write down the password and tape it to the screen or put it in your wallet.


@neil1 Thanks for clarifying re your use of passwords … that’s why you were never prompted to change your password. My posting was related to the same password being used in both spots when doing a MacOS upgrade.
@gastropod That’s good info … and I still see passwords written on sticky notes stuck to computer screens particularly with elderly people (60+ years) who get confused with “do I use my AppleID user password or my Computer Password” when confronted with a password dialogue box.
Which was why I was suggesting to those users (having trouble recognising when to use which password) to use the same password to unlock the Mac as what they used to access AppleID etc.
This is what prompted me to ask the original question.
The same password worked just fine in both spots but when they did the Upgrade process, they were forced to change the password to unlock the Mac to be different from their Apple ID password.

And since Catalina when using Safari to manage your AppleID at appleid.apple.com it gives the dialogue (as a slide down sheet) to log in using a different AppleID or an empty field to log in (with the users’ current appleid) using the password that unlocks the computer (not the AppleID password).

Note: I’m going from memory as I don’t have Catalina installed. I’ve just seen this on other user’s computers when I’ve been assisting them (and I may have some aspects wrong).

Why not recommend to your users to have very similar passwords for the two… but with one or two additional characters on their Apple ID password…
Such as
Mac password:
Bingowashisnameo
Apple ID password:
Bingowashisnameo27
(Works well since Apple ID password requires at least one number but mac password has no such requirement)

I hope this doesn’t sound too harsh, but it sounds like you need smarter users. :) In 2020, the ability to deal with multiple passwords (regardless of having a password manager or not) is a life skill that everyone should master.


I have not encountered it, but I can understand Apple having checks on whether the Mac password is the same as that user’s AppleID password. As raised in the discussions above, it is not good practice. Having said that, I have gone along with older users having similar passwords so they don’t have to write them down on a sticky note.
On a vaguely similar topic, I had to access a legacy user account on my Mac and had forgotten the password. I logged in with my administrator account and was surprised (actually relieved) that I could reset that user’s password. I thought from earlier versions of OSX that this was not possible. Anyway, it reaffirms the importance of having a very secure password for admin accounts under macOS.

Many people have one or more impairments that preclude developing the “life skill” of dealing with multiple passwords. This often leads to the need for a dedicated helper to work with an individual to tailor a best-fit solution that may well involve something along the lines of using the same password to log in at the prompt and to one’s Apple ID, while doing the best possible to minimize risk.