
Many computers allow you to password protect your BIOS. It's a fine additional layer of security, but it's not absolute.

Does a boot up BIOS password add any real security to my computer? I know that if a system isn't physically secure, it isn't ultimately secure at all. But since it's so easy to overcome the Windows password using a boot disk, I'm wondering if the addition of a boot up BIOS password, which must be entered before the CD drives boot, adds any real security.

In my opinion, it does. It's an additional barrier to entry.

However, we need to make sure we understand just what the limitations, and risks, of using a BIOS password really are.

The BIOS, which stands for Basic Input/Output System, is the software - or 'firmware' since it's stored in non-volatile memory - that's present in every PC. It's the software that starts running the instant you turn on your machine and, among other things, knows how to load your operating system from your hard disk.

It's also the software that, if configured to do so, checks to see if you have a CD inserted from which to boot instead.

As you mention, anyone can typically gain access to your machine if they can insert a boot disk or CD and reboot your machine. In fact, it's the classic way to reset your Windows administrator password - reboot from a utility CD that allows you to do exactly that.

Now, you can configure your BIOS to ignore the CD-ROM, or any other boot device for that matter, and boot only from the hard disk. That means that inserting another disk and rebooting would do nothing - you'd simply boot from the hard disk as always.
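One way to check that boot-order setting from a running system, as an added example that is not part of the original article: it parses output in the format printed by the Linux `efibootmgr` tool on a UEFI machine and reports active removable or network entries that would be tried before the internal disk. The sample output, the `strict` option and the label keywords used to classify entries are constructed assumptions; firmware labels vary by vendor.

```python
import re

# Constructed sample in the format printed by `efibootmgr` (not from a real machine).
SAMPLE = """\
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0003,0002,0001,0004
Boot0001* Windows Boot Manager
Boot0002* UEFI: USB Flash Drive
Boot0003  CD/DVD Drive
Boot0004* Network Boot IPv4
"""

# Assumption: illustrative keywords for removable/network boot entries.
EXTERNAL = re.compile(r"\b(cd|dvd|usb|network|pxe|floppy|removable)", re.I)
ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")


def parse(text):
    """Return (boot_order, entries); entries maps id -> (active, label)."""
    order, entries = [], {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [x.strip().upper() for x in line.split(":", 1)[1].split(",") if x.strip()]
        else:
            m = ENTRY.match(line)
            if m:
                entries[m.group(1).upper()] = (m.group(2) == "*", m.group(3).strip())
    return order, entries


def audit(text, strict=False):
    """Flag active external entries tried before the first internal entry (all of them if strict)."""
    order, entries = parse(text)
    findings = []
    for boot_id in order:
        active, label = entries.get(boot_id, (False, "<missing entry>"))
        if not active:
            continue  # entries without '*' are inactive and not booted automatically
        if EXTERNAL.search(label):
            findings.append((boot_id, label))
        elif not strict:
            break  # internal entry reached; anything later is only a fallback
    return findings


if __name__ == "__main__":
    for boot_id, label in audit(SAMPLE):
        print(f"Boot{boot_id} ({label}) is tried before the internal disk")
```

Running the same check on a schedule and comparing against a known-good result is a simple way to notice that someone has changed the boot order back.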


The problem is that if someone has physical access to your machine, as they would to insert that disk, then they also have the opportunity to change your BIOS settings. They could, for example, change the boot order back to checking the CD-ROM first.

Hence, the BIOS password.

In most cases, the BIOS password is required to even boot your machine at all. That means that regardless of the disks or devices available to boot from, you must first provide the password or the machine is, in theory, unusable.

I say "in theory" because there's a scenario that must be dealt with and that, sadly, can provide a back door around the BIOS password.

What happens when you forget the BIOS password?

"Don't forget it" is one answer, but as it turns out forgetting passwords is frighteningly common. And there's no secure way to do a password recovery on your BIOS password.

On many machines, the BIOS password can be reset by physically accessing a jumper or switch on your computer's motherboard. Once you do so, the password is removed and you can access your machine once again. Presumably, one of the first things you would do is set a new BIOS password.

The problem is that the malicious individual who has physical access to insert a CD and physical access to change your BIOS configuration might well also have physical access to hit that jumper on the motherboard and reset the BIOS password - if not just walk away with your hard drive.

Now, all that will vary from machine to machine, depending on how the BIOS password is implemented, whether or not it can even be reset, and the steps the manufacturer has put in place to do so. Laptops may be more difficult than desktops, since the motherboard is typically more difficult to access, but the risk remains the same.

The bottom line really does boil down to exactly what you alluded to:

If it's not physically secure, it's not secure.

A BIOS password can help keep honest people honest and slow down the rest. Just remember that it's not absolute, and it's not a replacement for keeping your machine secure. You still need to ensure that any sensitive data on that machine is also kept appropriately secure.

Article C3549 - October 29, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


4 Comments
nick
November 5, 2008 7:02 AM

bulletproof method -
WinMagic SecureDoc - encrypts whole hard drive (not just password protection) - rip out hard drive, it is encrypted, cannot access files.

TrueCrypt (mentioned above) - excellent way to protect files/folders on a drive, within a software-encrypted folder on hard drive that is looked at like a hard drive

TrueCrypt also supports whole-drive encryption.
- Leo
05-Nov-2008
Mike
November 5, 2008 9:43 AM

Physical security - add a cable lock, and you have blocked all but the most dedicated from either opening the case (to reset the jumper) or taking the machine elsewhere.

Robert
April 22, 2010 9:54 PM

The cable lock can be removed with a boltcutter.

Drew
March 14, 2011 11:22 AM

"The cable lock can be removed with a boltcutter".

Try replacing your wood or carpet floors with a thick sheet of steel and then weld your computer case to the floor. Since the weld could be cut with an angle grinder, I'd recommend bolting your case to the floor from the inside and then welding your case shut to prevent thieves from opening the case to loosen the bolts with a wrench. Automated laser turrets are also effective, but those aren't always affordable in a residential application.

Every layer of protection serves as a deterrent - I suppose the goal is to have enough deterrents in place to discourage a would-be thief from following through. Sure, if your PC is confiscated by Mossad, they'll find a way in, so the BIOS password may not be the end-all solution, but it'll help discourage your run-of-the-mill home burglar when he's trying to pawn it!
