As far as safeguarding access to your PC or laptop, won’t entering a
username or password in the boot menu protect others from getting into your PC
at all?
By “boot menu” I’m going to assume you mean the menu that may be presented
by your BIOS immediately after it performs its self-test, and before the
operating system is loaded.
In short: with one exception, no.
To be fair, it makes things more difficult – sometimes quite difficult – but
ultimately we have to return to something I’ve been saying for a long time:
If it’s not physically secure, it’s not
secure.
]]>
Your computer’s BIOS is the software that begins running the instant you turn your computer on, often even before your monitor has had a chance to warm up so you can see it. It produces that first text typically on a black screen:
That’s the virtual BIOS sign-on from a Parallel’s Virtual Machine, yours will look quite different, and will appear after you turn your computer on but before Windows starts.
While it’s not commonly used, many BIOS’s allow you to configure a password that’s then required before the BIOS will proceed to actually boot your installed operating system.
That’s actually fairly simply security and will help keep the less technically astute from booting your machine (or reconfiguring the BIOS) when you’re not around.
Here’s how I’d bypass it in order to access all your data:
I’d take the hard drive out of the machine and place it into a different machine as a second drive. Heck, I could even place it into a USB drive enclosure and access it as an external drive on whatever machine I choose.
Yep. It’s that easy.
(As a side note, it’s sometimes possible that a BIOS reset – typically accomplished by accessing a jumper on your motherboard if it can be done at all – may also remove any password, also nullifying any security the password may have afforded.)
And that’s why I say, no, this is not a viable way to secure your computer’s data if someone has physical access to your machine – either incidentally or by having stolen it.
The only way to truly protect the data on a hard drive is through encryption. There are several approaches; the one I happen to use and recommend is TrueCrypt which supports either container based encryption or whole-drive encryption.
So, what about that “one exception” I mentioned above?
It, too, is about encryption.
There are hard drives that can be configured to encrypt the data as its written to the drive. Without the corresponding password (or better, a longer pass phrase) – entered at boot time – the data is inaccessible, no mater where the drive is placed.
Unfortunately, encrypting drives isn’t all that common although I suspect that will change over time.
It’s possible that a BIOS password may be enough for your needs, but it’s important to realize what it is and what it is not. If you’re relying on it to protect the contents of your hard drive if your machine is lost or stolen, then you need to find a different solution.
I use TrueCrypt for containers, but I’ve so wanted to encrypt my entire drive for some time. However, the one drawback I can’t seem to find a way around is how do I enter the password to allow the system to boot if I am rebooting my system remotely? I can’t find a way around that. If anyone has any ideas, I would gladly entertain them.
We use BIOS passwords on our home computers to prevent the kids from using their computers without our permission.
But, as we tell our customers (paraphrasing you), “if it’s not physically secure, it’s not secure”.
I have a BIOS password on my laptop to encourage a non-tech thief to call me for return, with a reward promised. Perhaps he would be encouraged to do so, rather than waste his time trying to get in for use.
Sometimes there is a disk password which typically prevents access unless you have the password (part of the ATA standard IIRC). It does not, however, encrypt the disk. Some info on it can be found at http://en.wikipedia.org/wiki/Advanced_Technology_Attachment#HDD_Passwords_and_Security
Only 768 megs of RAM, Leo? Wow,you are rockin’ it old-school style!
23-Dec-2009
As a side note, you can remove the CMOS battery if you have access to the machine and that will also clear the password
Ted,
I thought the same thing initially, but Leo states immediately after the screenshot that it’s a virtual machine. Typically, on a virtual machine, you don’t allot too much memory or your main system won’t have any to use. I typically use 768 on my VM’s too…unless it’s Windows and then you’ll want to use a little more (IMHO).
@Rob,
On my machine, I have a BIOS boot password. After that is entered successfully I must then enter the HDD access password to access the Hard Drive. If someone was to remove the CMOS battery or use the jumper reset on the motherboard, then at next boot-up, the BIOS will first ask for the Serial Number of the board and for the Boot-Up Invasion password. I also have a small 9-volt battery encased in the power unit which provides power to the BIOS if the CMOS battery is removed.
As a side note, the reason I have such exorbitant protection before even reaching the OS is because the computer contains sensitive company information and these security measures are needed.
If security was important, you shouldn’t have mentioned the 9V battery backup. 9V batteries do not last forever. Why are we still using CMOS memory, when Flash memory last 10 years with no electricity.
I agree on most of the points set up by Leo but I think that does not hold good for the newer ones.
Especially portable machines are encrypted with passwords that are stored in another chip other than the BIOS. CMOS battery removal will not reset them. You will have to contact the manufacturer of the PC / Laptop & prove your identity upon which they will probably give you a master password which will reset it for you. Maybe you will have to send it back to the Company from whom you purchased the machine to get the Bios password reset. And in the process you may have to pay a lot.
Ravi.
23-Dec-2009
1. I can’t use TrueCrypt because it conflicts with my external BlackArmor hard drive.
2. WinRAR has the option of encrypting any file. I use it to encrypt just the most sensitive data.
3. What physical protection is possible for a laptop or PC? My PC has a small half-dome sticking out the back, in which I can put a small lock. But any boltcutter can cut the lock off. Are there special locks for PCs and laptops? Maybe Leo could discuss this some other time, since physical security is a major topic of this article, but not discussed in terms of answers.