Do you use a BIOS password ?

Discussion in 'privacy technology' started by quietman, Aug 23, 2015.

  1. quietman

    quietman Registered Member

    Dec 27, 2014
    Earth .... occasionally
    A friend recently gave me a bricked laptop with vital work files on it.
    It wouldn't boot into Windows ( not even to Safe Mode ) , in fact it only showed the manufacturers screen for two seconds then powered off.

    I got it to boot into BIOS , changed the boot order , and then booted Ubuntu off a USB stick ( but it took over 10 minutes to boot ! ) .
    After that it was very easy , but painfully slow to copy all the files to an external HD .... clearly a very sick HD.

    And yes , I gave the talk about how vital it is to do regular back-ups !

    It never really occurred to me before what a huge security hole this represents to anyone with physical access to the device !

    It made me curious about what proportion of people set a BIOS password .....
    ....... I suppose I could have made this topic a poll ...... but I've never started one before :)
  2. Ya5h Kh4n

    Ya5h Kh4n Registered Member

    Apr 4, 2011
    I have the same prob with one of my laptop. I cannot boot into BIOS hangs on the manufacturer screen.

    Any idea?
  3. Solarlynx

    Solarlynx Registered Member

    Jun 25, 2011
    Isn't BIOS password for MB? As I understand it if someone takes your HD and reads it with other PC the BIOS password is of no avail. Am I right?
  4. J_L

    J_L Registered Member

    Nov 6, 2009
    It's a pain ~ Snipped as per TOS ~ to remove if you forget it.
    Last edited by a moderator: Aug 23, 2015
  5. mirimir

    mirimir Registered Member

    Oct 1, 2011
    Yes, setting a BIOS password protects the machine, but not the data on disk.

    Hardware FDE can use the BIOS password, but that's less secure than relying on a Trusted Platform Module (TPM).

    If it's your data that you want to protect, TPM-authenticated hardware FDE is most secure. But it's vulnerable to hardware keyloggers (hidden in the keyboard, maybe). Next best is software FDE, but that's also vulnerable to software keyloggers hidden in the boot partition.
  6. driekus

    driekus Registered Member

    Nov 30, 2014
    The intel ssd drives use the user/master hdd password from my understanding, is this is separate to the general bios password?

    The beauty if the hardware FDE is that it has zero performance impact so you can easily combine it with other more secure encryption techniques. Mind you if you are protecting against low level threats it is probably ok.
  7. mirimir

    mirimir Registered Member

    Oct 1, 2011
    I'm no expert for hardware FDE. It's my impression that you're either relying on BIOS or TPM as part of authentication.
  8. deBoetie

    deBoetie Registered Member

    Aug 7, 2013
    There are a number of different types of BIOS passwords, so it's important to be clear which one you're talking about. There's one which asks on boot (which I think is what you're referring to), and the one which protects changes to bios settings.

    The password protection of boot seems pretty useless to me - the "correct" way is (ideally) TPM+FDE, or FDE plus strong password. This then protects your disk data (subject to caveats) - and as you've noted, backup of the data and headers/keys is fairly important because you will NOT recover it with the good old Linux boot disk.

    I have taken to applying admin passwords to (help) prevent BIOS changes in relation to attack modes I've read about with UEFI.

    I've never noticed a significant performance degradation with putting on FDE (the figures I've seen are around 5-10%) which would equate with my feelings about it; so I'm not particularly fussed about using hardware encryption on the ssd - an ssd is pretty good in the first place, and AES-NI on the cpu helps with Bitlocker (and was one of the "reasons" for the removal of the Elephant diffuser).
  9. amarildojr

    amarildojr Registered Member

    Aug 8, 2013
    BIOS passwords are a good security measure, depending on one thing: your value to an attacker.

    If you're not that valuable of a target than nobody will try to change your laptop password, because it requires taking the MOBO BIOS Chip apart, most of the times. If you use a Desktop than it's much easier to tamper your BIOS because the machine sits in one place when you're not near it, and it's very easy to just use the CLR_CMOS switch.
  10. HAN

    HAN Registered Member

    Feb 24, 2005
    I use both a BIOS password and a hard drive password on my Win 7 (non UEFI) laptop at home. They are NOT perfectly safe choices (nothing is) but if it ever gets stolen, the average thief will find it's not going to be easy to copy/steal stuff from the drive. I debated whether to do this or encrypt the whole thing. Since encryption isn't perfect either, I went this direction... YMMV.
  11. luciddream

    luciddream Registered Member

    Mar 22, 2007
    Am I misunderstanding here, as it sounds as if you're unable to utilize all of the above:

    BIOS PW's (both boot & setup versions)
    HD PW

    Will one interfere with another? Render another moot? Or are you just saying you think it's redundant/unecessary to use them all?

    And how about adding in a SSD or mSATA SSD with built in encryption, and enabling the HD PW for that? Would that interfere with any of the above, render it moot or be redundant? Layers are fine but those things, not so much.

    Also, is it redundant, or even harmful to enable TPM in both the BIOS and in the (in my case) Win7 settings + service? If you already have it hardware based is there any point in enabling it on the OS? Or will it strengthen it?