Troubleshooting a Non-Admin Login Failure on FileVault-Enabled macOS
Updated over 2 weeks ago

Possible Causes of the Login Issue

  • FileVault not authorizing the user: When FileVault is enabled, each user must be allowed to unlock the disk. If the non-admin account is not enabled for FileVault (lacks a Secure Token or FileVault authorization), it cannot decrypt the disk at startup (Users not showing at login screen with MacOS FileVault Enabled - Stack Overflow). In practice, this means their login password won’t unlock the Mac at boot, so the system rejects it as “not valid.” The admin account likely is authorized (has a Secure Token), so it can unlock the disk and log in normally (FileVault - Some Users Weren't Added - Apple Community).

  • Password out of sync with FileVault: If the non-admin’s password was changed at some point (especially via Recovery or an external method), the FileVault encryption might still expect the old password. This can desynchronize the login password from the FileVault key (Filevault Causing Login Problems on an M1… - Apple Community). In such cases, the correct password might be rejected at the FileVault login screen because the Mac is essentially looking for a different password to unlock the disk.

  • Account locked or disabled: Repeated failed logins can trigger temporary lockouts. macOS may impose a delay or lock after too many wrong attempts (for example, a 5-minute or longer pause after several failures). If the non-admin account was locked due to prior attempts, any password entry could be immediately rejected. Additionally, an admin could have accidentally disabled the account. A disabled account or one with an expired password would fail to log in (though this scenario is less common without deliberate action).

  • User profile or Keychain issues: Although less likely, a corrupt user account or Keychain might cause login problems. Usually this would allow login but then show errors; however, if the account’s credentials are corrupted, it could fail authentication. Since the symptom here is a straight “password not valid” message, this cause is secondary to FileVault-related issues.

How FileVault Encryption Affects User Login

When FileVault is on, the startup disk is encrypted and must be unlocked before any user session starts. Only users who are FileVault-enabled (those authorized with a Secure Token) can perform this unlock at the login screen (Users not showing at login screen with MacOS FileVault Enabled - Stack Overflow). Here’s what that means:

  • Authorized vs. unauthorized users: Typically, the first account on the Mac (usually an admin) is FileVault-authorized. Additional users created after enabling FileVault might not automatically be authorized. If a user is not enabled for FileVault, they won’t appear at the pre-boot login screen or their password won’t unlock the disk (FileVault - Some Users Weren't Added - Apple Community) (Users not showing at login screen with MacOS FileVault Enabled - Stack Overflow). In effect, the Mac treats their password as “incorrect” during boot because that user doesn’t have permission to decrypt the drive. This matches your situation: the admin can log in (authorized to unlock FileVault), but the standard user cannot.

  • Secure Tokens: Under the hood, macOS uses Secure Tokens to manage FileVault access. An account with a Secure Token can unlock the FileVault disk. Admin accounts usually have them by default; standard accounts get one only if an existing Secure Token user authorizes it (often done during user creation or via System Preferences). An account created long ago might lack a Secure Token if FileVault was enabled later or if there was a bug during setup (FileVault - Some Users Weren't Added - Apple Community). This would prevent that account from unlocking FileVault at login.

  • Password changes and FileVault: As noted, if a user’s password was changed outside of the normal process (for example, reset in Recovery or via some directory command), the FileVault record might still be tied to the old password (Filevault Causing Login Problems on an M1… - Apple Community). In such a case, the FileVault pre-boot login might require the old password to unlock the disk, then the new password to log into the account (an obviously confusing situation) (Filevault Causing Login Problems on an M1… - Apple Community). Usually, macOS tries to keep these in sync, but glitches can occur, especially on older macOS versions.

  • FileVault user list: You can actually check which users are allowed to unlock a FileVault-encrypted disk. macOS will show a message if some users aren’t enabled. In System Preferences > Security & Privacy > FileVault (or System Settings > Privacy & Security > FileVault on newer macOS), you might see a warning icon with text like “Some users are not able to unlock the disk.” This indicates the non-admin account isn’t on the authorized list. You’d then use the Enable Users… function to authorize that account for FileVault access (Protect data on your Mac with FileVault - Apple Support).

With this background in mind: the non-admin’s login is failing not because the password is wrong, but because FileVault isn’t letting that account in. We need to re-authorize that user or reset their credentials.

Troubleshooting Steps and Solutions

Follow these steps to diagnose and fix the issue:

1. Verify the basics:

Double-check that the password you’re entering for the non-admin account is correct (ensure proper capitalization and no Caps Lock on by mistake). It sounds obvious, but make sure the account name is selected or entered exactly as it should be. Also, if you recently changed this user’s password, try the previous password once – it’s possible the old password might unlock FileVault if the passwords got out of sync. (If that works, use the old password at the first login screen, then enter the new password if prompted a second time (Filevault Causing Login Problems on an M1… - Apple Community). You would later want to reset the password properly to merge these, as described below.)

2. Log in with the admin account first (if possible):

As a test, restart the Mac and log in using the admin account (since that one works). This will unlock the FileVault disk. Once the admin is logged in, log out or use Fast User Switching to switch to the non-admin account. If the non-admin user can log in after the disk is unlocked, that confirms the issue is with FileVault’s pre-boot unlocking. (In other words, the account itself and password are fine for a normal login, it’s just not being allowed to unlock the encrypted disk on its own.)

3. Reset the non-admin account’s password:

Even if you’re confident the password is correct, resetting it can re-establish credentials and ensure you know the current password. Use the admin account to do this:

  • Log in as the admin, and open System Preferences > Users & Groups (or System Settings > Users & Groups on macOS 13+).

  • Select the affected standard user account in the sidebar. Click the “Reset Password” (or Change Password) button for that user.

  • Choose a new password (or you can even re-enter the same password again). If prompted about the user’s login keychain being inaccessible, you can choose to create a new keychain (since the user couldn’t log in anyway, their old keychain is likely not in use).

After resetting the password, restart and test login with the non-admin account. In some cases, a password reset by an admin will also trigger macOS to update that user’s FileVault credentials (especially if done while the disk is unlocked by an authorized user). This step also unlocks the account in case it was temporarily locked due to previous failures.

4. Enable the user in FileVault settings:

The most important fix (given FileVault is enabled) is to make sure the non-admin account is authorized to unlock the disk:

  • While logged in as an admin, go to System Preferences > Security & Privacy > FileVault (on macOS Catalina/10.15 or similar) – or System Settings > Privacy & Security > FileVault on newer macOS. Click the padlock and authenticate to make changes.

  • Look for a message that says “Some users are not able to unlock the disk.” If you see an Enable Users… button, click it (Protect data on your Mac with FileVault - Apple Support). You should get a list of accounts that are not yet enabled for FileVault.

  • Select the problematic non-admin user from the list, then enter that user’s login password when prompted (this authorizes FileVault to use their password for disk unlocking) (Protect data on your Mac with FileVault - Apple Support) (Users not showing at login screen with MacOS FileVault Enabled - Stack Overflow). After a moment, the user should be enabled (you might see a green checkmark or no more warning next to their name).

  • Click Done and exit System Preferences.

This process effectively grants the non-admin account the ability to unlock the disk at startup. According to Apple, any users added after FileVault was turned on must be enabled in this way before they can unlock the disk (Protect data on your Mac with FileVault - Apple Support). Once done, restart the Mac and try logging in with the non-admin account first. The account should now appear at the FileVault login screen and its password should be accepted to unlock the Mac ( Article - Adding New users to a MAC w... ).

Note: If FileVault was enabled long ago and the account was originally working, you might not see the “Enable Users” prompt (if the OS thought it was enabled already). If no such button or message appears, it could mean the OS believes the user is already authorized. In that case, proceed to the next step for a Terminal method to re-force this authorization.

5. Use Terminal to add the user to FileVault (if needed):

If the GUI method isn’t available or doesn’t work, you can use the Terminal with admin privileges to manage FileVault users:

  • Log in as an admin and open Terminal (from Applications > Utilities).

  • To check who is currently authorized for FileVault, run:

    sudo fdesetup list

    Enter your admin password when prompted. The output will list users (by username or UUID) who can unlock the disk. See if the non-admin account is listed. If it’s missing, that confirms it’s not authorized.

  • To add the non-admin user to FileVault, run:

    sudo fdesetup add -usertoadd <username>

    Replace <username> with the short username of the account. Important: This command will first ask for an existing FileVault-enabled user’s credentials (use your admin account’s login and password), then it will ask for the password of the user you are adding (the non-admin’s password). Provide them when prompted. If all goes well, it should say the user was added. (This is effectively what the Enable Users button does behind the scenes.)

  • If the user was actually listed but their login still doesn’t work, you can re-sync by removing and re-adding them: run sudo fdesetup remove -user <username> followed by the fdesetup add -usertoadd <username> command again (macos - Can't login to iMac even with correct password first time, works with the same password after another user logs in and logs out - Ask Different). This forces a refresh of their FileVault credentials.

  • After using fdesetup add, reboot and test the non-admin login at startup.

Terminal example: One user reported that removing and re-adding their account via fdesetup resolved a similar issue where the password was correct but FileVault wouldn’t accept it (macos - Can't login to iMac even with correct password first time, works with the same password after another user logs in and logs out - Ask Different). Use this method with care (ensure you enter commands correctly).

6. Check for account lockout or disable status:

If after all the above the login still fails, consider that the account might be in a weird locked state. You’ve reset the password already, which usually unlocks it. But to be thorough: log in as admin and go back to Users & Groups. Ensure the account is not marked as disabled (e.g., no message like “Account is disabled” – typically there isn’t, unless manually done). You can also open Terminal and run:

sudo pwpolicy -u <username> -getaccountpolicies

and

sudo pwpolicy -u <username> -unlockaccount

These commands (for advanced users) show and clear any account lockout policy. If the account was locked due to too many attempts, the second command should unlock it. In most cases, though, resetting the password (step 3) has already accomplished this.

7. Use FileVault recovery options if necessary:

If you absolutely cannot log in with the non-admin account and need access, remember you have the FileVault recovery key (if you saved it) or possibly the ability to use your Apple ID (if you set that up for FileVault). You can use these to get in or reset the password:

  • At the FileVault login screen, after a few failed tries, you might see an option to enter the Recovery Key or a message like “Reset it using your recovery key.” Use the 24-character recovery key you hopefully saved when enabling FileVault. This will unlock the disk. You can then reset the password for the account. On older macOS, entering the recovery key eventually leads you to a password reset utility where you choose the user account and assign a new password (Reset a macOS User Password - Kandji Support).

  • Alternatively, boot into macOS Recovery (restart and hold Command+R). From the Utilities menu, choose Terminal and type resetpassword. This opens a GUI tool to reset passwords. You will need to provide the Recovery Key to unlock the disk before it lets you change the password for the user. Go through the prompts to reset the non-admin’s password. After that, restart and try logging in again.

8. Consider disabling and re-enabling FileVault (last resort):

If the non-admin account still cannot log in despite resetting the password and enabling it for FileVault, you might have to decrypt and re-encrypt the drive to resolve any underlying FileVault issues. This is a bit time-consuming:

  • From the admin account, go to FileVault settings and Turn Off FileVault (you’ll need the admin credentials). The Mac will begin decrypting the drive – this can take a while (hours) depending on disk size. You can use the Mac during this time, but full decryption must complete before re-enabling.

  • Once FileVault is off, verify that the non-admin user can log in normally on an unencrypted system. If so, then turn FileVault back on. During re-enabling, make sure to add both the admin and the non-admin user when prompted to enable users for FileVault. macOS should ask you for each user’s password to authorize them. This fresh enablement can realign the encryption keys with the user passwords (Filevault Causing Login Problems on an M1… - Apple Community). After encryption, test the non-admin login at startup again.

  • Warning: Only do this if you have a full backup of your data. Decrypting and re-encrypting should be safe, but if something goes wrong, you want your data backed up. (One user noted that turning FileVault off then on helped re-associate user passwords with FileVault (Filevault Causing Login Problems on an M1… - Apple Community).)

9. Additional check – Secure Token status (optional advanced step):

Since this issue often relates to Secure Tokens, you can verify that both accounts have them:

  • Log in as admin and open Terminal. Run:

    sudo sysadminctl -secureTokenStatus <username>

    for both the admin and the non-admin username. It will tell you if Secure Token is enabled for each. If the admin has it and the standard user shows “Secure Token is DISABLED”, that’s a clue. Normally, the steps above (enabling via FileVault prefs or fdesetup) should give the user a Secure Token. If not, one method is: temporarily promote the standard user to admin, then from a Secure-Token admin account, change the now-admin (previously standard) user’s password. Changing an admin’s password while logged in as a Secure Token admin will usually grant a Secure Token to that user (FileVault - Some Users Weren't Added - Apple Community). After that, you could demote them back to standard if desired. This process is complex, so only attempt if comfortable and if prior steps failed.
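
A read-only check that combines the `fdesetup list` output from step 5 with the Secure Token status from this step (added example, not part of the original article; the users `admin` and `jane`, the sample outputs and the result labels are constructed for illustration):

```shell
#!/bin/sh
# Added example, not from the original article. The decision table is this
# example's reading of steps 4, 5 and 9; the sample outputs are constructed.

# Extract short names from `fdesetup list` output (one "shortname,UUID" per line).
fv_users() {
    awk -F, 'NF >= 2 { print $1 }'
}

# Reduce a `sysadminctl -secureTokenStatus` line to ENABLED, DISABLED or UNKNOWN.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# diagnose <shortname> <fdesetup list output> <sysadminctl status line>
diagnose() {
    user=$1
    token=$(token_state "$3")
    # -x -F: exact whole-line match, so "adm" never matches "admin".
    if printf '%s\n' "$2" | fv_users | grep -qxF -e "$user"; then
        listed=yes
    else
        listed=no
    fi
    case "$listed/$token" in
        yes/ENABLED)  echo OK ;;                # can unlock the disk at startup
        yes/DISABLED) echo RESYNC ;;            # step 5: fdesetup remove, then add
        no/ENABLED)   echo ADD_TO_FILEVAULT ;;  # step 4 or step 5: fdesetup add
        no/DISABLED)  echo NEEDS_TOKEN ;;       # step 4, then step 9 if still disabled
        *)            echo UNKNOWN ;;           # status line not recognised
    esac
}

# Constructed sample outputs (hypothetical users "admin" and "jane").
SAMPLE_FV_LIST='admin,11111111-2222-3333-4444-555555555555'
SAMPLE_TOKEN_ON='2024-01-01 10:00:00.000 sysadminctl[500:6000] Secure token is ENABLED for user Admin'
SAMPLE_TOKEN_OFF='2024-01-01 10:00:01.000 sysadminctl[501:6001] Secure token is DISABLED for user Jane'

# On a Mac, run as root with one short username to query the live system.
if [ "$#" -eq 1 ] && command -v fdesetup >/dev/null 2>&1; then
    # sysadminctl reports the status on stderr, hence 2>&1.
    diagnose "$1" "$(fdesetup list)" "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
fi
```

The script only reads state; it never adds or removes FileVault users, so it is safe to run before and after each fix to confirm what changed.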

10. Test and confirm resolution:

After any fix (password reset, enabling FileVault access, etc.), always restart and attempt to log in with the non-admin account before logging in with the admin. The true test is whether that account can perform the initial unlock. If it succeeds, you’ll log in normally. If it fails, review any errors. For instance, if the password is now accepted but you get a different error or a progress bar that stalls, note that – but generally, the above steps should resolve a simple “password not accepted” scenario.

Summary of the Solution Path

In most cases, the crux of the problem is that the non-admin user was not (or no longer) authorized to unlock the FileVault-encrypted disk. The primary solution is to enable that user for FileVault access. You can do this through System Preferences by clicking “Enable Users…” in the FileVault section and entering the user’s password (Users not showing at login screen with MacOS FileVault Enabled - Stack Overflow). Once enabled, the user gains the ability to decrypt the disk at login, and the issue is resolved — the account will appear at startup and accept the password going forward ( Article - Adding New users to a MAC w... ).

Before and alongside that, resetting the user’s password and ensuring the account isn’t locked out will eliminate other potential causes (like a simple forgotten password or a temporary lock). Always keep your FileVault recovery key handy, as it can save you if no accounts can log in.

By following the steps above, you should be able to restore login access for the non-admin account while keeping FileVault enabled. The key is re-syncing the user’s credentials with the FileVault encryption. After fixing, both the admin and non-admin accounts will be able to log in normally on a reboot (and both will be protecting your data via FileVault). Good luck, and be sure to back up your data before making major changes like decrypting the drive, just as a safety precaution.
