Apple has long prioritized beauty and ease of use over an aspect of the system most users never see: security.
A fundamental weakness has been left open in authentication and authorization across OS X versions, all of which rely on shadow files that only highly privileged users (typically root) can read. On every OS X release (Tiger, Leopard, Snow Leopard and Lion) each user has their own shadow file (hash database) whose contents are readable only by root.
Apple, unfortunately, overlooked an important detail.
If we read the user record through Directory Services using the /Search/ path instead, we see a different result:
$ dscl localhost -read /Search/Users/bob
The output includes the following ShadowHashData value:
62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060
Note: the SHA-512 hash occupies bytes 32-96 of this value and the salt occupies bytes 28-31. Hashes are discussed in detail here.
This ShadowHashData attribute contains the same hash stored in user bob's shadow .plist file. What makes it worse is that root privileges are not required: any user on the system, regardless of privilege, can read the ShadowHashData attribute of any other user's record, and the hash can then be cracked with a simple brute-force dictionary attack script. But you may not even need to go that far, because there is an easier way.
In Lion you do not need to authenticate when changing another user's password. So cracking a password in Lion is as easy as:
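As an added example (not code from the original post), here is a Python audit that parses the dscl output and the ShadowHashData value shown above. Rather than counting byte offsets by hand, it decodes the value as what it is, a binary property list with one key naming the scheme, and reports the scheme and the salt and digest lengths without ever returning the digest itself. A system that is not exposed returns no ShadowHashData to an unprivileged reader, which the audit reports as None. The exact attribute spelling in the constructed dscl output (dsAttrTypeNative:ShadowHashData:) and the read_user_record helper are assumptions.

```python
import plistlib
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# The ShadowHashData value exactly as the post prints it for user "bob"
# (hex groups copied from the dscl output above).
SAMPLE_SHADOW_HASH_DATA = (
    "62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 "
    "3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b "
    "4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 "
    "080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 "
    "000060"
)

# Constructed dscl -read output; the attribute key spelling is an assumption.
SAMPLE_DSCL_OUTPUT = (
    "AppleMetaNodeLocation: /Local/Default\n"
    "NFSHomeDirectory: /Users/bob\n"
    "RecordName: bob\n"
    "dsAttrTypeNative:ShadowHashData:\n"
    " " + SAMPLE_SHADOW_HASH_DATA + "\n"
    "UniqueID: 501\n"
)

SALT_LEN = 4       # bytes 28-31 of the blob, per the post
SHA512_LEN = 64    # bytes 32-95 of the blob, per the post


@dataclass
class ShadowHashInfo:
    scheme: str      # plist key naming the scheme, e.g. "SALTED-SHA512"
    salt_len: int
    hash_len: int


def parse_shadow_hash_data(hex_text: str) -> ShadowHashInfo:
    """Decode a ShadowHashData blob and report its scheme and layout.

    The blob is a binary plist ("bplist00") holding a one-entry dict whose
    key names the scheme and whose value is salt followed by digest. Only
    the scheme and the lengths are returned; an audit does not need the
    digest bytes themselves.
    """
    blob = bytes.fromhex("".join(hex_text.split()))
    if not blob.startswith(b"bplist00"):
        raise ValueError("ShadowHashData is not a binary plist")
    plist = plistlib.loads(blob)
    if len(plist) != 1:
        raise ValueError(f"expected one hash scheme, found {sorted(plist)}")
    scheme, value = next(iter(plist.items()))
    if scheme == "SALTED-SHA512":
        expected = SALT_LEN + SHA512_LEN
        if len(value) != expected:
            raise ValueError(f"SALTED-SHA512 value is {len(value)} bytes, expected {expected}")
        return ShadowHashInfo(scheme, SALT_LEN, SHA512_LEN)
    # Any other scheme is reported by name and total size only.
    return ShadowHashInfo(scheme, 0, len(value))


_HEX_LINE = re.compile(r"^\s+([0-9a-fA-F ]+)\s*$")


def extract_shadow_hash_data(dscl_output: str) -> Optional[str]:
    """Pull the hex ShadowHashData value out of `dscl -read` output.

    dscl prints a binary attribute as its name followed by the value, either
    on the same line or on indented continuation lines. Returns None when the
    attribute is absent, which is what a properly locked-down record gives an
    unprivileged caller.
    """
    lines = dscl_output.splitlines()
    for i, line in enumerate(lines):
        _head, sep, rest = line.partition("ShadowHashData:")
        if not sep:
            continue
        hex_parts = [rest.strip()] if rest.strip() else []
        for follow in lines[i + 1:]:
            m = _HEX_LINE.match(follow)
            if not m:
                break
            hex_parts.append(m.group(1).strip())
        return " ".join(hex_parts) or None
    return None


def audit_account(dscl_output: str) -> Optional[ShadowHashInfo]:
    """None means no hash is exposed in this output; otherwise describes
    what the reader of this output could see."""
    hex_text = extract_shadow_hash_data(dscl_output)
    return parse_shadow_hash_data(hex_text) if hex_text else None


def read_user_record(user: str) -> str:
    """Run the post's dscl command for one user (only meaningful on OS X)."""
    cmd = ["dscl", "localhost", "-read", f"/Search/Users/{user}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    info = audit_account(SAMPLE_DSCL_OUTPUT)
    if info is None:
        print("ShadowHashData not exposed")
    else:
        print(f"exposed: scheme={info.scheme} salt={info.salt_len}B digest={info.hash_len}B")
```

Run it as an ordinary, non-admin user against another account's record (`audit_account(read_user_record("bob"))`); any result other than None means that account's hash is readable without root.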
$ dscl localhost -passwd /Search/Users/geek
Boom! You have changed the user's password without having to authenticate as that user.