Despite Apple touting Macs as the most secure computers available, most of the major security options are disabled by default. FileVault 2,
for example, is the best way to encrypt your documents and anything
else on your hard drive, but you have to spend a few minutes setting it
up.
The same goes for using a VPN or proxy to keep your Mac safe from local
hackers on public WiFi: you have to subscribe to these services and
manually set everything up, not just assume it’s ready for you.
If you’re getting more involved in OS X’s security, you may also be
interested in the firmware password, a hardware-level security protocol
that will stop people from resetting your password or even reinstalling
OS X without first authenticating themselves.
In this tutorial,
I’ll explain why the firmware password is a valuable security measure
and how to configure it on your computer.
How the Firmware Password Works
Apple's quick explanation of Mac's onboard firmware password ability.
Apple began implementing Open Firmware Password Protection in
OS X 10.1 with the Open Firmware 4.1.7 update. It was available on
select models in early development, but eventually made its way to all
Macs.
The current lineup fully supports configuring a firmware password, but it is now known as an EFI (Extensible Firmware Interface) password because Macs are now Intel-based.
OS X's Recovery Mode Utilities menu.
You can think of a firmware password as one more layer between you
and a local hacker, meaning someone with physical access to the machine
rather than remote access.
If you read my tutorial on resetting OS X user passwords, you’ll know that if FileVault 2
is enabled, your password can be reset in a matter of minutes and an
intruder will gain access to all the information on your computer if
he’s using an administrator account. If this individual has a lot of
time with the machine, he may even be able to break through FileVault.
A firmware password prevents any of this by adding a hardware-level layer
of security and restricting access to different boot options, whether
it be single-user, off an external or optical disk, or Recovery Mode.
When combined with FileVault 2, the firmware password makes
the Mac monumentally secure. For someone to steal your information,
they’d have to remove the hard drive and decrypt it. This also means
that losing this password can be disastrous.
Only Apple can reset firmware passwords on newer Macs, because
components such as RAM and batteries are integrated into the logic
board. So, before you proceed,
make sure you write the password down on a physical notepad just in
case.
Enabling the Firmware Password
Setting the firmware password.
Before you begin, remember that if your computer doesn’t have removable RAM, only Apple will be able to reset this password if you lose it. With this in mind, here’s how to get started.
Boot into Recovery Mode by restarting the Mac and holding Command-R for about five seconds before it turns back on.
When prompted, select the language and click the right arrow.
Click the Utilities menu at the top of the screen and select Firmware Password Utility.
Click Turn On Firmware Password to set up a firmware-level password on your computer.
Enter the password you wish to use in the New Password field and confirm it in the Verify field, then click Set Password to apply it to the firmware. Remember to use something different than any of your user passwords. I recommend generating a password of at least ten characters for better security.
The Firmware Password Utility will inform you that the password will be applied upon a restart. Click Quit Firmware Password Utility, select the Apple menu in the top left of the screen, and click Restart to finish the process.
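After the restart, the setting can be confirmed from a root shell instead of rebooting into an alternate boot mode. The script below is an added example, not part of the original tutorial; it assumes the firmwarepasswd tool (shipped with OS X 10.10 and later) and fdesetup are present, and the sample output strings are constructed.

```shell
#!/bin/sh
# Added example: audit the two protections this tutorial combines.
# Assumes firmwarepasswd (OS X 10.10+) and fdesetup, run as root on an Intel Mac.

# Constructed sample outputs, for trying the parsers away from a Mac.
SAMPLE_FW_ON='Password Enabled: Yes'
SAMPLE_FW_OFF='Password Enabled: No'
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'

# firmware_state TEXT: classify `firmwarepasswd -check` output as on|off|unknown.
firmware_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *"Password Enabled: No"*)  echo off ;;
        *)                         echo unknown ;;
    esac
}

# filevault_state TEXT: classify `fdesetup status` output as on|off|unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# assess FW FV: one-line verdict following the tutorial's reasoning.
assess() {
    case "$1/$2" in
        on/on)   echo "OK: boot options locked and disk encrypted" ;;
        on/off)  echo "WEAK: boot options locked, but a removed drive is readable" ;;
        off/on)  echo "WEAK: disk encrypted, but Recovery and external boot are open" ;;
        off/off) echo "EXPOSED: neither protection is enabled" ;;
        *)       echo "UNKNOWN: could not read one or both states (run as root?)" ;;
    esac
}

# audit: query the live system; a missing tool or failed call yields "unknown".
audit() {
    fw_out=$(firmwarepasswd -check 2>/dev/null) || true
    fv_out=$(fdesetup status 2>/dev/null) || true
    assess "$(firmware_state "$fw_out")" "$(filevault_state "$fv_out")"
}

# Only touch the real tools when running on macOS.
if [ "$(uname -s)" = Darwin ]; then audit; fi
```

Run it with sudo; anything other than the OK line means one of the two layers described above is missing or could not be read.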
Using the Firmware Password
Entering the firmware password for alternative boot methods.
Upon exiting Recovery Mode via a system restart, you won’t
notice anything different. The Mac will boot up normally, unless you
decide to hold a modifier key and boot using an alternate method.
Should you decide to boot back into Recovery or single-user mode, you will be
shown a simple lock icon and asked for the machine’s firmware password,
as shown in the screenshot above.
Enter the firmware password into the field, followed by pressing Enter or clicking the arrow icon
to the right. The screen might appear to be frozen for a moment, but
the computer will eventually make its way to the alternate boot mode
provided you entered the correct password.
If you didn’t, the
password field will become blank once again. You can enter the password
as many times as you’d like, but there is no hint or way to reset it on
this screen.
Changing or Disabling the Firmware Password
Back in the Firmware Password Utility to change or disable the password.
If you’re selling the Mac or giving it to a friend, you may need to
change or disable your firmware password. The process is nearly the same
as setting it up.
Once again, boot into Recovery Mode by restarting the computer and holding Command-R for about five seconds before it turns back on. You’ll be asked to enter the firmware password. Do so and press Enter or click the arrow to the right of the password field.
When prompted, select the language and click the right arrow.
Click the Utilities menu at the top of the screen and select Firmware Password Utility.
To change the firmware password, click the Change Password button, enter the current password in the Old Password field, and the desired one in the New Password and Verify fields. Click Change Password when finished.
To disable the firmware password, click the Turn Off Firmware Password button. Enter the current firmware password and confirm that you would like to disable firmware-level security by clicking the Turn Off Password button.
Finally, select the Apple menu in the top left of the screen and click Restart. Both changes will be applied once the Mac has been restarted.
A More Secure Future
You should now know how to set a firmware password on your Mac and
protect yourself from basic password resets and even advanced
command-based hacking methods.
Additionally, you know how to change and disable the password if you ever need to. If you haven’t already, consider enabling FileVault 2 and even configuring a VPN for the coffee shop days so people can’t touch your sensitive information.