Should I password protect my BIOS?

Question:

Does a boot-up BIOS password add any real security to my computer? I know that if a system isn’t physically secure, it isn’t ultimately secure at all. But since it’s so easy to overcome the Windows password using a boot disk, I’m wondering if the addition of a boot-up BIOS password, which must be entered before the CD drives boot, adds any real security.

In my opinion, it does. It’s an additional barrier to entry.

However, we need to make sure we understand just what the limitations and risks of using a BIOS password really are.

The BIOS, which stands for Basic Input/Output System, is the software – or ‘firmware’ since it’s stored in non-volatile memory – that’s present in every PC. It’s the software that starts running the instant you turn on your machine and, among other things, knows how to load your operating system from your hard disk.

It’s also the software that, if configured to do so, checks to see if you have a CD inserted from which to boot instead.

As you mention, anyone can typically gain access to your machine if they can insert a boot disk or CD and reboot your machine. In fact, it’s the classic way to reset your Windows administrator password – reboot from a utility CD that allows you to do exactly that.

Now, you can configure your BIOS to ignore the CD-ROM, or any other boot device for that matter, and boot only from the hard disk. That means that inserting another disk and rebooting would do nothing – you’d simply boot from the hard disk as always.

The problem is that if someone has physical access to your machine, as they would to insert that disk, then they also have the opportunity to change your BIOS settings. They could, for example, change the boot order back to checking the CD-ROM first.

Hence, the BIOS password.

In most cases, the BIOS password is required before your machine will boot at all. That means that regardless of which disks or devices are available to boot from, you must first provide the password or the machine is, in theory, unusable.

I say “in theory” because there’s a scenario that must be dealt with that, sadly, can provide a back door bypassing the BIOS password.

What happens when you forget the BIOS password?

“Don’t forget it” is one answer, but as it turns out forgetting passwords is frighteningly common. And there’s no secure way to do a password recovery on your BIOS password.

On many machines, the BIOS password can be reset by physically accessing a jumper or switch on your computer’s motherboard. Once you do so, the password is removed and you can access your machine once again. Presumably, one of the first things you would do is set a new BIOS password.

The problem is that a malicious individual with enough physical access to insert a CD and change your BIOS configuration may well also have enough access to reach that jumper on the motherboard and reset the BIOS password, or simply walk away with your hard drive.

Now, all of that will vary from machine to machine, depending on how the BIOS password is implemented, whether or not it can even be reset, and the steps the manufacturer has put in place to do so. Laptops may be more difficult than desktops, since the motherboard is typically harder to access, but the risk remains the same.

The bottom line really does boil down to exactly what you alluded to:

If it’s not physically secure, it’s not secure.

A BIOS password can help keep honest people honest and slow down the rest. Just remember that it’s not absolute, and it’s not a replacement for keeping your machine secure. You still need to ensure that any sensitive data on that machine is also kept appropriately secure.

4 comments on “Should I password protect my BIOS?”

  1. bulletproof method –
    winmagic Securedoc – encrypts whole hard drive (not just password protection) – rip out hard drive, it is encrypted, cannot access files.

    Truecrypt (mentioned above) – excellent way to protect files/folders on a drive, within a software-encrypted folder on hard drive that is looked at like a hard drive

    TrueCrypt also supports whole-drive encryption.

    – Leo
    05-Nov-2008
  2. Physical security – add a cable lock, and you have blocked all but the most dedicated from either opening the case (to reset the jumper) or taking the machine elsewhere.

  3. “The cable lock can be removed with a boltcutter”.

    Try replacing your wood or carpet floors with a thick sheet of steel and then weld your computer case to the floor. Since the weld could be cut with an angle grinder, I’d recommend bolting your case to the floor from the inside and then welding your case shut to prevent thieves from opening the case to loosen the bolts with a wrench. Automated laser turrets are also effective, but those aren’t always affordable in a residential application.

    Every layer of protection serves as a deterrent – I suppose the goal is to have enough deterrents in place to discourage a would-be thief from following through. Sure, if your PC is confiscated by Mossad, they’ll find a way in, so the BIOS password may not be the end-all solution, but it’ll help discourage your run-of-the-mill home burglar when he’s trying to pawn it!
