Pros and Cons of EFI firmware password

Discussion in 'MacBook Pro' started by Eriksrocks, Jun 8, 2013.

  1. Eriksrocks macrumors member

    Joined:
    Jun 12, 2012
    #1
    Hi guys,

    In the wake of the recent NSA/PRISM news, I've been evaluating all my existing security measures (no, I'm not paranoid, it just reminded me that now would be a good time to take another look at security across the board).

    One thing I recently came across which I hadn't heard of before was the use of an EFI password.

    Obviously the benefit is that if my MacBook Pro gets stolen, the thief won't be able to wipe the hard drive and re-install OS X without getting the firmware password reset by Apple or an authorized reseller (who won't do it, because they won't have a proof of purchase for the machine).

    But are there any known downsides to adding an EFI firmware password (other than the small inconvenience of having to enter the password when needing to boot to a different drive, reinstall OS X, etc.)? I've seen vague warnings from some other people about things "simply not working" with an EFI password. Is there any impact on peripherals or functionality while I'm logged in?

    I'm not concerned about losing the password; it will be safely stored, encrypted, and backed up.

    Thanks! :)
     
  2. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #2
    The only downside at all is what you mentioned about it being inconvenient to boot from other devices. Other than that there is absolutely no downside to it. There is no impact whatsoever on the use of any peripheral.

    If you really want to be secure though, you should turn on Lion or Mt. Lion's full disk encryption, FileVault 2. You can turn it on in the Security and Privacy pane in System Prefs. That way if someone steals your computer they will never get your data.
     
  3. dusk007 macrumors 68040

    Joined:
    Dec 5, 2009
    #3
    The biggest downside is losing it. An EFI password afaik can NOT be restored, not even by Apple. A proof of purchase won't help. There used to be master passwords once, 15 years ago, but now you have to exchange a chip. That costs too much, so effectively one has to exchange the logic board, which is expensive.

    If you ever forget the password, you cannot boot up again.

    In terms of security it really only helps against theft. A thief cannot make use of it and cannot sell it to anybody who tests it first. He could in standby if he always keeps it charged.
    It does not protect against anything else other than illegitimate booting. If it is on standby, either FileVault 2 protects it or there is no protection. It doesn't protect any data or add privacy.

    It is just a "may I boot up" password.
     
  4. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #4
    You are mistaken about this. Apple can still reset an EFI PW.

    If you press Control-Option-Command-Shift-S at boot it will show a 33-digit hash string that the Apple tech sends to the mothership. Then Apple HQ sends the tech back a custom firmware for your machine that is loaded on a USB key. After a boot from this USB key the EFI PW is reset.
     
  5. Jaben3421 macrumors regular

    Joined:
    Sep 18, 2011
    Location:
    CA
    #5
    Not necessary. If my memory serves me right, I do believe there is a way around the EFI password if you have access to the inside of the machine. All you do is remove one stick of RAM, boot up holding Command+Option+P+R (Reset the PRAM), then once at the login screen release the keys and shut down. Replace the stick of RAM, boot up and now there should be no EFI password. I know because I did forget my EFI password once, found this, and it worked.
     
  6. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #6
    That won't work any longer. 2011+ machines use a new method that circumvents that.
     
  7. Jaben3421 macrumors regular

    Joined:
    Sep 18, 2011
    Location:
    CA
    #7
    Okay. It worked on my Late 2009 MacBook, but I didn't know about that. Good to know that it's been patched.
     
