Pros and Cons of EFI firmware password

Eriksrocks

macrumors member
Original poster
Jun 12, 2012
76
0
Hi guys,

In the wake of the recent NSA/PRISM news, I've been evaluating all my existing security measures (no, I'm not paranoid, it just reminded me that now would be a good time to take another look at security across the board).

One thing I recently came across which I hadn't heard of before was the use of an EFI password.

Obviously the benefit is that if my MacBook Pro gets stolen, the thief won't be able to wipe the hard drive and re-install OS X without getting the firmware password reset by Apple or an authorized reseller (who won't do it, because they won't have a proof of purchase for the machine).

But are there any known downsides to adding an EFI firmware password (other than the small inconvenience of having to enter the password when needing to boot to a different drive, reinstall OS X, etc.)? I've seen vague warnings from some other people about things "simply not working" with an EFI password. Is there any impact on peripherals or functionality while I'm logged in?

I'm not concerned about losing the password; it will be safely stored, encrypted, and backed up.

Thanks! :)
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,451
9,065
California
The only downside at all is what you mentioned about it being inconvenient to boot from other devices. Other than that there is absolutely no downside to it. There is no impact whatsoever on the use of any peripheral.

If you really want to be secure though, you should turn on Lion or Mt. Lion's full disk encryption, FileVault 2. You can turn it on in the Security and Privacy pane in System Prefs. That way if someone steals your computer they will never get your data.
 

dusk007

macrumors 68040
Dec 5, 2009
3,386
61
The biggest downside is losing it. An EFI password afaik can NOT be restored, not even by Apple. A proof of purchase won't help. There used to be master passwords once 15 years ago but now you have to exchange a chip. That costs too much so effectively one has to exchange the logic board, which is expensive.

If you ever forget the password, you cannot boot up again.

In terms of security it really only helps against theft. A thief cannot make use of it and not sell it to anybody who tests it first. He could in standby if he always keeps it charged.
It does not protect against anything else other than illegitimate booting. If it is on standby either FileVault 2 protects it or there is no protection. It doesn't protect any data or add privacy.

It is just a "may I boot up" password.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,451
9,065
California
> The biggest downside is losing it. An EFI password afaik can NOT be restored, not even by Apple. A proof of purchase won't help. There used to be master passwords once 15 years ago but now you have to exchange a chip. That costs too much so effectively one has to exchange the logic board, which is expensive.

You are mistaken about this. Apple can still reset an EFI PW.

If you press Control-Option-Command-Shift-S at boot it will show a 33-digit hash string that the Apple tech sends to the mothership. Then Apple HQ sends the tech back a custom firmware for your machine that is loaded on a USB key. After a boot from this USB key the EFI PW is reset.
 

Jaben3421

macrumors regular
Sep 18, 2011
148
0
CA
> If you ever forget the password, you cannot boot up again.

Not necessarily. If my memory serves me right, I do believe there is a way around the EFI password if you have access to the inside of the machine. All you do is remove one stick of RAM, boot up holding Command+Option+P+R (Reset the PRAM), then once at the login screen release the keys and shut down. Replace the stick of RAM, boot up and now there should be no EFI password. I know because I did forget my EFI password once, found this, and it worked.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,451
9,065
California
> Not necessarily. If my memory serves me right, I do believe there is a way around the EFI password if you have access to the inside of the machine. All you do is remove one stick of RAM, boot up holding Command+Option+P+R (Reset the PRAM), then once at the login screen release the keys and shut down. Replace the stick of RAM, boot up and now there should be no EFI password. I know because I did forget my EFI password once, found this, and it worked.

That won't work any longer. 2011+ machines use a new method that circumvents that.