Enabling Firmware Password Protection on Your Mac
Matt Cone January 16, 2013 Tutorials Mac Security
Firmware password protection can help safeguard your Mac and the data stored on it. With this feature enabled, users are prevented from booting from another startup disk or entering single-user mode — a command-line interface that can be accessed at startup. Firmware password protection is especially effective in enterprise or educational environments where administrators can secure the physical hardware but cannot be present to prevent tampering by employees or students. For example, unauthorized users can’t start the computer from a USB emergency drive when firmware password protection is enabled.
This feature isn’t a substitute for encryption or physical controls. If your Mac is stolen, a criminal could replace the RAM to reset the firmware password or remove the hard drive to extract your data. But when firmware password protection is used in conjunction with physical controls and account passwords, it can be an effective deterrent to would-be criminals.
Understanding Firmware Password Protection
To understand how firmware password protection works, you need to know a little about your Mac’s hardware. Older Apple computers with PowerPC processors used Open Firmware as an interface between the operating system and the firmware; newer Macs with Intel processors use an Extensible Firmware Interface (EFI), as shown below. Setting a password in Open Firmware or EFI provides low-level protection at the hardware level.
The firmware password is disabled by default. When you enable it, your Mac’s firmware is protected from unauthorized changes. Your Mac will continue to function as before, with no need to enter the firmware password during normal operation. Users are only prompted for a password when they try to change the firmware’s state by entering single-user mode or booting from a different startup disk.
If you forget your firmware password, you’ll need to remove the RAM modules to reset it. (Some MacBook owners will need to schedule an appointment at their local Apple Store.) You should use the same precaution with the firmware password as you would with any password—commit it to memory.
Enabling the Firmware Password
To enable the firmware password, you’ll need to boot from a different startup disk. Users running Mac OS 10.7 or later can boot from the Recovery HD partition. Users with Mac OS 10.6 or 10.5 will need to boot from the Mac OS X Install DVD.
Here’s how to enable the firmware password:
If your Mac is running OS 10.7 or later, restart your computer, hold down the Option key, and then select the Recovery HD, as shown below. If your Mac is running OS 10.5 or 10.6, insert your Install DVD, hold down the Option key, and then select the Install DVD.
Wait for the operating system to load and then select Utilities, and Firmware Password Utility. The window shown in Figure 30-3 appears.
Enter a password and then verify it. This is the firmware password for your Mac. Click Set Password.
Restart your computer and hold down the OPTION key. The password prompt shown below appears.
Enter the firmware password and then click the right arrow button. You can now select a startup disk.
To disable your Mac’s firmware password, follow these instructions and deselect the Require password to start this computer from another source checkbox in the Firmware Password Utility.
Additional Ideas for Protecting Your Mac at the Hardware Level
For greater protection, use physical controls in conjunction with firmware password protection and encryption. Mobile users can invest in cable locks to secure their portable computers to immovable surfaces while working in public. Enterprise administrators should invest in case locks to prevent users from gaining access to internal computer components, like the hard drive and RAM. Ultra paranoid? You could even go all out and bolt your Mac Pro to the floor!
- How to Password Protect Your Mac
- How to Disable Automatic Login
- How to Create User Accounts in Mac OS X
Subscribe to our email newsletter
Sign up and get Macinstruct's tutorials delivered to your inbox. No spam, promise!