Should I password protect my BIOS?

Home » Hardware » Firmware

Summary: Many computers allow you to password protect your BIOS. It's a fine additional layer of security, but it's not absolute.

•

In my opinion, it does. It's an additional barrier to entry.

However, we need to make sure we understand just what the limitations, and risks, of using a BIOS password really are.

•

The BIOS, which stands for Basic Input/Output System, is the software - or 'firmware' since it's stored in non-volatile memory - that's present in every PC. It's the software that starts running the instant you turn on your machine and, among other things, knows how to load your operating system from your hard disk.

It's also the software that, if configured to do so, checks to see if you have a CD inserted from which to boot instead.

As you mention, anyone can typically gain access to your machine if they can insert a boot disk or CD and reboot your machine. In fact, it's the classic way to reset your Windows administrator password - reboot from a utility CD that allows you to do exactly that.

Now, you can configure your BIOS to ignore the CD-ROM, or any other boot device for that matter, and boot only from the hard disk. That means that inserting another disk and rebooting would do nothing - you'd simply boot from the hard disk as always.

The problem is that if someone has physical access to your machine, as they would to insert that disk, then they also have the opportunity to change your BIOS settings. They could, for example, change the boot order back to checking the CD-ROM first.

Hence, the BIOS password.

In most cases, the BIOS password is required to even boot your machine at all. That means that regardless of the disks or devices available to boot from, you must first provide the password or the machine is, in theory, unusable.

I say "in theory" because there's a scenario that must be dealt with that, sadly, can provide a back door bypassing the BIOS password.

What happens when you forget the BIOS password?

"Don't forget it" is one answer, but as it turns out forgetting passwords is frighteningly common. And there's no secure way to do a password recovery on your BIOS password.

On many machines, the BIOS password can be reset by physically accessing a jumper or switch on your computer's motherboard. Once you do so, the password is removed and you can access your machine once again. Presumably, one of the first things you would do is re-set a new BIOS password.

The problem is that the malicious individual who has physical access to insert a CD and physical access to change your BIOS configuration might well have physical access also to hit that jumper on the motherboard and reset the BIOS password - if not just walk away with your hard drive.

Now, all that will vary from machine to machine, depending on how the BIOS password is implemented, whether or not it can even be reset, and the steps that manufacturer has put into place to do so. Laptops may be more difficult than desktops, since the motherboard is typically more difficult to access, but the risk remains the same.

The bottom line really does boil down to exactly what you alluded to:

If it's not physically secure, it's not secure.

A BIOS password can help keep honest people honest and slow down the rest. Just remember that it's not absolute, and it's not a replacement for keeping your machine secure. You still need to ensure that any sensitive data on that machine is also kept appropriately secure.

Related:

• I've lost the password to my Windows Administrator account, how do I get it back? It turns out that resetting an Windows account password is frighteningly easy, as long as you have access to the machine.

• TrueCrypt - Free Open Source Industrial Strength Encryption TrueCrypt provides a solution for encrypting sensitive data - everything from portable, mountable volumes to entire hard disks.

Article C3549 - October 29, 2008