Helping people with computers... one answer at a time.
BIOS and boot menu passwords can help establish a certain level of security, but they're not a reliable way to protect your data.
As far as safeguarding access to your PC or laptop, won't entering a username or password in the boot menu protect others from getting into your PC at all?
•
By "boot menu" I'm going to assume you mean the menu that may be presented by your BIOS immediately after it performs its self-test, and before the operating system is loaded.
In short: with one exception, no.
To be fair, it makes things more difficult - sometimes quite difficult - but ultimately we have to return to something I've been saying for a long time:
If it's not physically secure, it's not secure.
•
Your computer's BIOS is the software that begins running the instant you turn your computer on, often even before your monitor has had a chance to warm up so you can see it. It produces that first text typically on a black screen:
That's the virtual BIOS sign-on from a Parallel's Virtual Machine, yours will look quite different, and will appear after you turn your computer on but before Windows starts.
While it's not commonly used, many BIOS's allow you to configure a password that's then required before the BIOS will proceed to actually boot your installed operating system.
That's actually fairly simply security and will help keep the less technically astute from booting your machine (or reconfiguring the BIOS) when you're not around.
Here's how I'd bypass it in order to access all your data:
I'd take the hard drive out of the machine and place it into a different machine as a second drive. Heck, I could even place it into a USB drive enclosure and access it as an external drive on whatever machine I choose.
Yep. It's that easy.
(As a side note, it's sometimes possible that a BIOS reset - typically accomplished by accessing a jumper on your motherboard if it can be done at all - may also remove any password, also nullifying any security the password may have afforded.)
And that's why I say, no, this is not a viable way to secure your computer's data if someone has physical access to your machine - either incidentally or by having stolen it.
The only way to truly protect the data on a hard drive is through encryption. There are several approaches; the one I happen to use and recommend is TrueCrypt which supports either container based encryption or whole-drive encryption.
So, what about that "one exception" I mentioned above?
It, too, is about encryption.
There are hard drives that can be configured to encrypt the data as its written to the drive. Without the corresponding password (or better, a longer pass phrase) - entered at boot time - the data is inaccessible, no mater where the drive is placed.
Unfortunately, encrypting drives isn't all that common although I suspect that will change over time.
It's possible that a BIOS password may be enough for your needs, but it's important to realize what it is and what it is not. If you're relying on it to protect the contents of your hard drive if your machine is lost or stolen, then you need to find a different solution.
Article C3951 - December 17, 2009
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
Ted,
I thought the same thing initially, but Leo states immediately after the screenshot that it's a virtual machine. Typically, on a virtual machine, you don't allot too much memory or your main system won't have any to use. I typically use 768 on my VM's too...unless it's Windows and then you'll want to use a little more (IMHO).
Posted by: Gabe at December 22, 2009 12:22 PM@Rob,
On my machine, I have a BIOS boot password. After that is entered successfully I must then enter the HDD access password to access the Hard Drive. If someone was to remove the CMOS battery or use the jumper reset on the motherboard, then at next boot-up, the BIOS will first ask for the Serial Number of the board and for the Boot-Up Invasion password. I also have a small 9-volt battery encased in the power unit which provides power to the BIOS if the CMOS battery is removed.
As a side note, the reason I have such exorbitant protection before even reaching the OS is because the computer contains sensitive company information and these security measures are needed.
Posted by: Pookey at December 22, 2009 3:41 PM
Posted by: steven at December 22, 2009 4:35 PMIf security was important, you shouldn't have mentioned the 9V battery backup. 9V batteries do not last forever. Why are we still using CMOS memory, when Flash memory last 10 years with no electricity.
I agree on most of the points set up by Leo but I think that does not hold good for the newer ones.
Especially portable machines are encrypted with passwords that are stored in another chip other than the BIOS. CMOS battery removal will not reset them. You will have to contact the manufacturer of the PC / Laptop & prove your identity upon which they will probably give you a master password which will reset it for you. Maybe you will have to send it back to the Company from whom you purchased the machine to get the Bios password reset. And in the process you may have to pay a lot.
Ravi.
23-Dec-2009
Posted by: Ravi Agrawal at December 22, 2009 9:34 PM
1. I can't use TrueCrypt because it conflicts with my external BlackArmor hard drive.
Posted by: Robert at April 22, 2010 9:40 PM2. WinRAR has the option of encrypting any file. I use it to encrypt just the most sensitive data.
3. What physical protection is possible for a laptop or PC? My PC has a small half-dome sticking out the back, in which I can put a small lock. But any boltcutter can cut the lock off. Are there special locks for PCs and laptops? Maybe Leo could discuss this some other time, since physical security is a major topic of this article, but not discussed in terms of answers.