Where are Mac user account passwords stored?

The hashes were in /var/db/shadow/hash/ in 10.6 and earlier, but they are stored in /var/db/dslocal/nodes/Default/users/username.plist in 10.7 and 10.8.

You can print the hash data with DaveGrohl (sudo dave -s $USER) or something like this:

sudo defaults read /var/db/dslocal/nodes/Default/users/$USER.plist ShadowHashData | tr -dc '0-9a-f ' | xxd -p -r | plutil -convert xml1 - -o -

If automatic login is enabled, the password of the login keychain is also stored in /etc/kcpassword encrypted with XOR cipher.

sudo ruby -e 'key = [125, 137, 82, 35, 210, 188, 221, 234, 163, 185, 31]; IO.read("/etc/kcpassword").bytes.each_with_index { |b, i| break if key[i % key.size]==(b); print [b ^ key[i % key.size]].pack("U*") }'

I don't know that much about it, but from what I could gather using opensnoop:

login accesses the local directory service (possibly related to some Kerberos stuff -- maybe that's the underlying implementation for the local directory, it reads /Library/Preferences/edu.mit.Kerberos, /etc/krb5.conf, /usr/etc/krb5.conf etc.).

dscl, the directory service command line utility, then cd Local/Default/Users/yourusername, read reveals the usual unixy account-related stuff, plus: GeneratedUID: 1A5EF9B7-4DB6-4C01-919A-xxxxx (don't know the implications, so I censored a little) -- you can also read this UUID via Accounts.prefPane in System Preferences.app.

That matches a filename in /private/var/db/shadow/hash/ also accessed by login!

I guess your best bet is to rename/copy the files with the GeneratedUID name, or change the reference in the directory service.

Included all my "research" to allow you to retrace my steps and allow for refutability.

I don't have the time to trash and restore my user accounts, so you're on your own now. Good luck.

TLDR: Open Accounts.prefPane, check your UUID (right-click your user in the list) and look for a file by that name in /private/var/db/shadow/hash/. Don't know if it works at all. Good luck.