Patrick Dunstan has spent some time poking around the way OS X Lion stores user passwords, and his findings are disturbing:
This ShadowHashData attribute actually contains the same hash stored in user bob’s shadow .plist file. The interesting thing about this? root privileges are not required. All users on the system, regardless of privilege, have the ability to access the ShadowHashData attribute from any other user’s profile.
[…]
Now, if the password is not found by the dictionary file you’re out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user.
Yikes.