Is your System Safe with an Open Firmware Password?

In the PC world, you can set a low-level BIOS password to secure your system from prying eyes, stop thieves from re-installing Windows and stop anyone from booting from a CD. It works pretty well. Apple attempted to emulate this in OS X with the Open Firmware password and, in theory, it sounds great. Should you rest easy, thinking your system is protected? Here’s why you should think again.

What the Open Firmware Password Does:

Once you set an Open Firmware password, you will have to enter this password every time your Mac turns on, before OS X starts up. This is in addition to the regular OS X login password.

A low-level password such as this is meant to prevent someone who doesn’t know your login password from either changing it or re-installing OS X. Without a password such as this, an OS X install DVD is all you need to reset someone’s password and get into their account.

In the case of your laptop being stolen, it prevents the thief from re-installing OS X and selling the computer. It will also prevent any Lo-Jack style security software such as Undercover by Orbicule from being wiped away.

What Changes Does it Make?

The most obvious change you’ll face with an Open Firmware password is having to enter it every time the computer is turned on. The following additional changes will also be made:

– Target Disk Mode is disabled.
– You may not boot from a CD/DVD. (Including the OS X DVD)
– You cannot enter Diagnostic Mode. (Intel only)
– NetBoot is disabled.
– Booting into Single User mode is disabled.
– Unable to start up using Verbose mode.
– Safe Boot is disabled.
– You cannot reset the PRAM.
– Open Firmware Password required to enter Open Firmware prompt. (PPC only)
– To access Startup Manager, the Open Firmware Password is required.

Why is an Open Firmware Password Useless?

The Open Firmware password is absolutely useless because, while it’s meant to prevent someone with physical access to your Mac from changing your password or reinstalling, anyone with physical access to your Mac can easily circumvent it with the magic of a Phillips screwdriver.

In addition to being easily circumvented, enabling the Open Firmware password blocks important troubleshooting features like Safe Boot, Target Disk Mode, Diagnostic Mode (Intels), Verbose Mode and booting from the OS X DVD. It’s troublesome enough when your Mac isn’t working right; imagine the pain when you can’t properly figure out what’s wrong with it or have to go through extra steps because of the Open Firmware password.

How Should you Secure your Mac Instead?

So, while an active Open Firmware password blocks a ton of ways that can be used to get around security software, login passwords and the system itself, you can turn it off with two simple actions. I won’t get into specifics but this can be easily found via Google. Instead of using the Open Firmware password, there are other ways to secure your Mac.

Physical Theft:

If someone steals your MacBook Pro, one of three things will happen, depending on the thief’s computing knowledge. Often the thief will just sell it to someone who will use your account. Sometimes the thief will use it themselves with your user account. Other times they may re-install OS X, removing all traces of your account, and then sell it. Which one they choose depends on whether you use a login password or not. Since Lo-Jack style security software is removed when you re-install, its makers recommend you keep a basic, auto-login account to deter a thief from re-installing OS X.

To significantly reduce the chances of physical theft, do the obvious – don’t leave your MacBook unattended in a public area. Would you leave $1200 in cash alone on a table in a cafe, for the world to see? If you need to leave it in your car, lock it away in the trunk. Laptop bags (or any bags) are tempting enough for a thief to break the car window and take it.

Data Theft and/or Snooping:

Data theft can go along with physical theft or it can be separate. To prevent anyone from accessing sensitive materials, I heavily recommend FileVault encryption. I’ve been using it personally for years without issue or complaint. If you’re paranoid about data security, use FileVault and create an encrypted disk image with either TrueCrypt or Disk Utility and put your sensitive data inside.

Next, go to the Security pane in System Preferences and check the checkbox next to “Require password to wake this computer from sleep or screen saver”. Additionally, check the checkboxes next to “Use secure virtual memory” and “Disable automatic login”. And of course, when you assign yourself a password – make it secure.
