Kodlogs

Posted on • Originally published at kodblems.com

How to password-protect your computer's BIOS or UEFI

A password on Windows, Linux or Mac only prevents people from logging in to your operating system. It doesn't prevent people from booting into other operating systems, wiping the drive, or using a Live CD to access your files. Your computer's BIOS or UEFI firmware provides the ability to set lower-level passwords. These passwords allow you to restrict people from booting your computer, booting from removable media, and changing BIOS or UEFI settings without your permission.

Most people won't need to set BIOS or UEFI passwords. If you want to protect your sensitive files, encrypting your hard drive is a better solution. Passwords for BIOS and UEFI are particularly well suited to public computers or workplaces. They allow you to restrict people from booting alternative operating systems from removable devices and prevent people from installing another operating system over the current operating system on the computer.

Warning: Be sure to remember any passwords you have set. You can reset the BIOS password on a desktop PC that can be opened fairly easily, but this process can be much more difficult on a laptop that cannot be opened.

How it works
Let's say you've followed good security practices and have a password on your Windows user account. When your computer starts up, someone will have to enter your Windows user account password to use it or access your files. Well, not necessarily.

The person could insert a removable device such as a USB drive, CD or DVD with an operating system on it. They could boot the computer from that device and access a live Linux desktop - if your files aren't encrypted, they could access your files. A Windows user account password does not protect your files. They could also boot from a Windows installation disk and install a new copy of Windows over the current copy of Windows on the computer.

You can change the boot order to force the computer to always boot from its internal hard drive, but anyone could still go into the BIOS and change the boot order to boot from a removable device.

A BIOS or UEFI firmware password provides some protection against this. Depending on how the password is set, people will need the password to start the computer or just to change the BIOS settings.

Of course, if someone has physical access to your computer, all is lost, as anyone could pry it open and remove the hard drive or insert a different hard drive. They could use their physical access to reset the BIOS password - we'll show you how to do that later. However, a BIOS password still provides additional protection, especially in situations where people have access to a keyboard and USB ports, but the computer's case is locked and cannot be opened.

How to set a password for your BIOS or UEFI
These passwords are set in the BIOS or UEFI setup screen. On pre-Windows 8 computers, you will need to restart your computer and press the appropriate key during the boot process to bring up the BIOS setup screen. This key varies from computer to computer, but is often F2, Del, Esc, F1 or F10. If you need help, check your computer's documentation or Google your model number and "BIOS key" for more information. (If you built your own computer, look up the BIOS key for your motherboard model.)

On the BIOS setup screen, locate the password option, set your password parameters to your liking, and enter a password. You may be able to set different passwords - for example, a password that allows the computer to boot and one that controls access to the BIOS settings.

You'll also want to visit the Boot Order section and make sure the boot order is set so that people can't boot your computer from removable media without your permission.

On current Windows 8 computers, you will need to get into the UEFI firmware setup screen through the Windows 8 boot options. The UEFI setup screen on your computer will provide you with a password option that works similarly to a BIOS password.

On Mac computers, restart the Mac, press and hold Command + R to boot into recovery mode, and click Utilities > Firmware Password to set a password for UEFI firmware.
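To verify the boot-order step above on a Linux machine with UEFI firmware, the output of `efibootmgr -v` can be checked for removable or network entries that the firmware will still try. The following is an added example, not code from the original article; the sample output is constructed, and classifying entries by their device-path nodes is a heuristic assumption.

```python
import re

# Constructed sample of `efibootmgr -v` output (not captured from a real machine).
SAMPLE = """\
BootCurrent: 0000
BootOrder: 0002,0000,0003,0001
Boot0000* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)
Boot0001  Old installer\tPciRoot(0x0)/Pci(0x14,0x0)/USB(1,0)
Boot0002* UEFI: USB Flash Disk\tPciRoot(0x0)/Pci(0x14,0x0)/USB(3,0)
Boot0003* UEFI: PXE IPv4\tPciRoot(0x0)/Pci(0x1c,0x0)/MAC(aabbccddeeff,0)/IPv4(0.0.0.0)
"""

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")
# Device-path nodes that indicate removable media or network boot (heuristic).
EXTERNAL_NODES = ("USB(", "MAC(", "CDROM(")

def parse(text):
    """Return (boot order list, {entry number: details}) from efibootmgr output."""
    order, entries = [], {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if line.startswith("BootOrder:"):
            order = [n.strip().upper() for n in line.split(":", 1)[1].split(",") if n.strip()]
        elif m:
            num, star, rest = m.groups()
            entries[num.upper()] = {
                "active": star == "*",  # entries without "*" are skipped by the firmware
                "external": any(node in rest for node in EXTERNAL_NODES),
                "label": rest.split("\t")[0].strip(),
            }
    return order, entries

def audit(text):
    """List active removable/network entries and whether they precede the internal disk."""
    order, entries = parse(text)
    findings, seen_internal = [], False
    for num in order:
        entry = entries.get(num)
        if entry is None or not entry["active"]:
            continue
        if entry["external"]:
            findings.append((num, entry["label"], "after" if seen_internal else "before"))
        else:
            seen_internal = True
    return findings

if __name__ == "__main__":
    for num, label, position in audit(SAMPLE):
        print(f"Boot{num} ({label}) is tried {position} the internal disk")
```

On a real machine, pass the captured output of `efibootmgr -v` to `audit()` in place of `SAMPLE`; an empty result means no active removable or network entry is in the boot order.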

How to reset a password in BIOS or UEFI firmware
In general, you can bypass the BIOS or UEFI password if you have physical access to the computer. This is easier on a desktop computer that is designed to be opened. The password is stored in volatile memory, powered by a small battery. Reset the BIOS settings and the password will be reset - you can do this by using a jumper or by removing and reinserting the battery. This process will obviously be more difficult if you have a laptop that cannot be opened to access its internal hardware. Some computer models may have "backdoor" passwords that allow you to access the BIOS if you forget the password, but don't count on it.

It may also be necessary to turn to a professional service to reset a password you have forgotten. For example, if you set a firmware password on a MacBook and forget it, you may need to visit an Apple Store so they can fix the problem for you.

BIOS and UEFI passwords are not something most people would ever use, but they are a useful security feature for many public and business computers. If you own some kind of Internet cafe, you probably want to set a BIOS or UEFI password to prevent people from booting into different operating systems on your computers. Sure, all of this protection could be defeated by opening the computer's case, but that's more difficult than simply inserting a USB drive and rebooting.
