
BIOS and boot menu passwords can help establish a certain level of security, but they're not a reliable way to protect your data.

As far as safeguarding access to your PC or laptop, won't entering a username or password in the boot menu protect others from getting into your PC at all?

By "boot menu" I'm going to assume you mean the menu that may be presented by your BIOS immediately after it performs its self-test, and before the operating system is loaded.

In short: with one exception, no.

To be fair, it makes things more difficult - sometimes quite difficult - but ultimately we have to return to something I've been saying for a long time:

If it's not physically secure, it's not secure.

Your computer's BIOS is the software that begins running the instant you turn your computer on, often even before your monitor has had a chance to warm up so you can see it. It produces that first text typically on a black screen:

Parallels VM BIOS

That's the virtual BIOS sign-on from a Parallels virtual machine; yours will look quite different, and will appear after you turn your computer on but before Windows starts.


While it's not commonly used, many BIOSes allow you to configure a password that's then required before the BIOS will proceed to actually boot your installed operating system.

That's actually fairly simple security and will help keep the less technically astute from booting your machine (or reconfiguring the BIOS) when you're not around.

Here's how I'd bypass it in order to access all your data:

I'd take the hard drive out of the machine and place it into a different machine as a second drive. Heck, I could even place it into a USB drive enclosure and access it as an external drive on whatever machine I choose.

Yep. It's that easy.

(As a side note, it's sometimes possible that a BIOS reset - typically accomplished by accessing a jumper on your motherboard if it can be done at all - may also remove any password, also nullifying any security the password may have afforded.)

And that's why I say, no, this is not a viable way to secure your computer's data if someone has physical access to your machine - either incidentally or by having stolen it.

The only way to truly protect the data on a hard drive is through encryption. There are several approaches; the one I happen to use and recommend is TrueCrypt, which supports either container-based encryption or whole-drive encryption.

So, what about that "one exception" I mentioned above?

It, too, is about encryption.

There are hard drives that can be configured to encrypt the data as it's written to the drive. Without the corresponding password (or better, a longer pass phrase) - entered at boot time - the data is inaccessible, no matter where the drive is placed.

Unfortunately, encrypting drives aren't all that common, although I suspect that will change over time.

It's possible that a BIOS password may be enough for your needs, but it's important to realize what it is and what it is not. If you're relying on it to protect the contents of your hard drive if your machine is lost or stolen, then you need to find a different solution.
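
To check which of your own filesystems would be readable if the drive were pulled and attached to another machine, here is an added example (not part of the original article). It assumes a Linux system and reads the JSON produced by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the sample data and device names below are constructed.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output:
# plaintext /boot, LVM on a LUKS container for / and swap, plaintext data disk.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/data"}
  ]}
]}
""")


def audit(tree):
    """Return (encrypted, plaintext) lists of (mountpoint, device) pairs."""
    encrypted, plaintext = [], []

    def walk(node, under_crypt):
        # A dm-crypt mapping (type "crypt") means everything stacked on top
        # of it, LVM volumes included, is ciphertext on the physical drive.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mount = node.get("mountpoint")
        if mount:
            (encrypted if under_crypt else plaintext).append((mount, node["name"]))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree.get("blockdevices", []):
        walk(dev, False)
    return encrypted, plaintext


if __name__ == "__main__":
    enc, plain = audit(SAMPLE_LSBLK)
    for mount, name in plain:
        print(f"READABLE if drive is removed: {mount} ({name})")
    for mount, name in enc:
        print(f"encrypted at rest:            {mount} ({name})")
```

Anything reported as readable is protected only by the machine's physical security, regardless of any BIOS or boot password.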

Article C3951 - December 17, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


11 Comments
Mike
December 17, 2009 1:10 PM

I use TrueCrypt for containers, but I've so wanted to encrypt my entire drive for some time. However, the one drawback I can't seem to find a way around is how do I enter the password to allow the system to boot if I am rebooting my system remotely? I can't find a way around that. If anyone has any ideas, I would gladly entertain them.

Ken B
December 18, 2009 1:02 PM

We use BIOS passwords on our home computers to prevent the kids from using their computers without our permission.

But, as we tell our customers (paraphrasing you), "if it's not physically secure, it's not secure".

mel caplan
December 22, 2009 8:38 AM

I have a BIOS password on my laptop to encourage a non-tech thief to call me for return, with a reward promised. Perhaps he would be encouraged to do so, rather than waste his time trying to get in for use.

Robert Rosen
December 22, 2009 9:12 AM

Sometimes there is a disk password which typically prevents access unless you have the password (part of the ATA standard IIRC). It does not, however, encrypt the disk. Some info on it can be found at http://en.wikipedia.org/wiki/Advanced_Technology_Attachment#HDD_Passwords_and_Security

Ted
December 22, 2009 9:22 AM

Only 768 megs of RAM, Leo? Wow, you are rockin' it old-school style!

As someone pointed out, this is a virtual machine, on my 8 gigabyte desktop machine. :-)
Leo
23-Dec-2009

Rob
December 22, 2009 9:57 AM

As a side note, you can remove the CMOS battery if you have access to the machine and that will also clear the password

Gabe
December 22, 2009 12:22 PM

Ted,

I thought the same thing initially, but Leo states immediately after the screenshot that it's a virtual machine. Typically, on a virtual machine, you don't allot too much memory or your main system won't have any to use. I typically use 768 on my VMs too... unless it's Windows and then you'll want to use a little more (IMHO).

Pookey
December 22, 2009 3:41 PM

@Rob,

On my machine, I have a BIOS boot password. After that is entered successfully I must then enter the HDD access password to access the Hard Drive. If someone was to remove the CMOS battery or use the jumper reset on the motherboard, then at next boot-up, the BIOS will first ask for the Serial Number of the board and for the Boot-Up Invasion password. I also have a small 9-volt battery encased in the power unit which provides power to the BIOS if the CMOS battery is removed.

As a side note, the reason I have such exorbitant protection before even reaching the OS is because the computer contains sensitive company information and these security measures are needed.

steven
December 22, 2009 4:35 PM


If security was important, you shouldn't have mentioned the 9V battery backup. 9V batteries do not last forever. Why are we still using CMOS memory, when Flash memory lasts 10 years with no electricity?

Ravi Agrawal
December 22, 2009 9:34 PM

I agree on most of the points set up by Leo but I think that does not hold good for the newer ones.

Especially portable machines are encrypted with passwords that are stored in another chip other than the BIOS. CMOS battery removal will not reset them. You will have to contact the manufacturer of the PC / Laptop & prove your identity upon which they will probably give you a master password which will reset it for you. Maybe you will have to send it back to the Company from whom you purchased the machine to get the BIOS password reset. And in the process you may have to pay a lot.

Ravi.

All the while the hard disk could be placed in another machine and its contents accessed.
Leo
23-Dec-2009

Robert
April 22, 2010 9:40 PM

1. I can't use TrueCrypt because it conflicts with my external BlackArmor hard drive.
2. WinRAR has the option of encrypting any file. I use it to encrypt just the most sensitive data.
3. What physical protection is possible for a laptop or PC? My PC has a small half-dome sticking out the back, in which I can put a small lock. But any boltcutter can cut the lock off. Are there special locks for PCs and laptops? Maybe Leo could discuss this some other time, since physical security is a major topic of this article, but not discussed in terms of answers.
