There is a lot of documentation from Apple on how all of this works, but this is indeed expected behaviour. A way to make this smoother would have been:

  1. Doing the password reset
  2. Reboot straight back into recovery
  3. Update your new password back into your old password
  4. Boot into macOS, your default keychain will unlock but you'll still have to re-authenticate to iCloud since your machine-user identity combo will no longer match with what iCloud expects. (not sure if this is part of Octagon Trust, but there are various interesting layers to this)

There are a number of much more in-depth technical guides and specs, but just listing out random articles (or the Black Hat talk(s)) would probably rob someone of a nice excursion into platform security.

Forgetting what the password is because you always just use the fingerprint reader…that’s why for elderly family members I nowadays set it up not to use the fingerprint any more. I thought they’d be annoyed but funnily enough they experience it as a sense of agency, that they are the one unlocking the computer and are in charge of it.

Based on this description, it sounds like someone walking past your unattended desk and bent on disrupting your day but not stealing your data, could enter in a garbage password into the lock screen a few times and lock you out of your own laptop.

I guess the same also works for cloud accounts as well. I remember, back in the mid-2000s, trying to log into my hotmail account (never having failed to log in before) and getting a "locked out due to too many bad passwords". So someone, only knowing my user account name (which was the same as my email address), locked me out of my own account. The problem was, I couldn't remember what my recovery accounts were (I eventually figured it out).

It Just Works™... until you don't want to take the default option. I'm sure your average user would just be SoL if going through this same experience.

You can also just open the old keychain using the old password.

Apple Keychain has a number of old bugs that have caused me to have to resort to this strategy several times. The most common problem is having a secure note that you can open, but then immediately disappears (closes). Copying over an older keychain database can sometimes solve the problem.

Is there really no supported model for this scenario? Surely the point of an iCloud backup is that you can restore from the cloud rather than do a local hack to try to regain access to locked keychain db.

What happens if you just set up the device as a new machine and login to your iCloud like normal?

Good information to have. I was surprised by step 2 though (rm login.keychain-db). How can you be absolutely sure it doesn't contain anything important and you won't need it later?

I'd probably opt for a more defensive action here and just rename it (like the original reset did).

> Still, I had assumed there might be some kind of master key that would handle this automatically during a password reset.

This assumption, by a clearly technical person, is a fundamental problem that keeps "the rest of the world" locked in to centralised services where that is true, and where that master key can be used against them by law enforcement, fascist regimes, and surveillance capitalists.