Should I turn on Firmware Password the moment I receive my 2018 MBP?

[M.Rizk]

I’ve seen a few posts here in the past 2 months complaining about wiping and re-installing macOS on the new 2018 MBPs as the T2 chip asks them for the password for the admin user which is no longer there once the hard drive is wiped.

I read a few replies on previous topics that if a Firmware Password is set, the T2 will never ask for the admin user password and will always ask for the firmware password regardless of the current Mac status.

As a user who does a lot of advanced stuff and could brick the macOS, should I set a firmware password before I even start the initial setup on my MBP?

What happens if I forgot it? (won’t happen, but just in case it does)

 

[maflynn]

What happens if I forgot it? (won’t happen, but just in case it does)

Many people have set the firmware password in the past and basically a door stop after that since they could use the laptop. I believe if you have proof of ownership, Apple has tools to unlock it, otherwise there's no way into the laptop.

 

[unobtainium]

Many people have set the firmware password in the past and basically a door stop after that since they could use the laptop. I believe if you have proof of ownership, Apple has tools to unlock it, otherwise there's no way into the laptop.

I don’t understand this sentence. Are you saying the laptop becomes a doorstop after you set a firmware password if you forget the password?

 

[M.Rizk]

I don’t understand this sentence. Are you saying the laptop becomes a doorstop after you set a firmware password if you forget the password?

I’ve spoken with Apple Support about this. You will still be able to boot into your macOS and update it but if something wrong ever happens, forget being able to re-install macOS or wiping your HDD or booting from another volume/partition.

Sounds really dumb as they could have made it like activation lock with iCloud being able to unlock it but it seems like they stopped innovating there.

 

[maflynn]

I don’t understand this sentence. Are you saying the laptop becomes a doorstop after you set a firmware password if you forget the password?

You forget your password, then the only use for it is a door stop, because you'll not able to use it

 

[unobtainium]

So it sounds like if you ever want to do a clean reinstall, the best bet is to disable absolutely all security options first.

 

[M.Rizk]

So it sounds like if you ever want to do a clean reinstall, the best bet is to disable absolutely all security options first.

Or enable Firmware Password and never forget it if you don’t want to lose the security features.

 

[c0LdFire]

A password used very infrequently like this is just one of many good examples for using a password manager. Forgetting it shouldn’t even be a consideration.

People should absolutely turn on the firmware password.

 

[Weaselboy]

What happens if I forgot it? (won’t happen, but just in case it does)

You would still be able to continue using the Mac, but it would not let you boot from anything other than the current internal drive that is set as the startup disk. If you take it to Apple with proof of ownership they can reset it for you.

I always set a firmware password and turn on FileVault right out of the box. Other than the mentioned risk of losing the password and locking yourself out, there is no reason not to turn it on.

 

[Sackofnickels]

Pardon my ignorance, but what is the benefit of a firmware password?

 

[abcdefg12345]

Always set a firmware password, otherwise any idiot can reset your admin password with recovery terminal. plus if your laptop ever gets stolen firmware password makes it useless to the thief.

 

[Weaselboy]

Pardon my ignorance, but what is the benefit of a firmware password?

It stops someone from booting your Mac to any drive other than the current drive set in the Startup Disk panel. So if someone steals your Mac and tries to boot to recovery or another drive to hack or reset your Mac, they will be unable to do so.

If you have the firmware password and FileVault both turned on, the thief has essentially stolen a MacBook that is worthless to them.

 

[adrianlondon]

Always set a firmware password, otherwise any idiot can reset your admin password with recovery terminal.

Don't they need to unlock the drive with a Filevault password first?

 

[chrfr]

Don't they need to unlock the drive with a Filevault password first?

If Filevault is enabled, then yes, you'd need to enter the Filevault password.

 

[adrianlondon]

Thought so. I value my data privacy, so have Filevault enabled (late 2013 Macbook Retina), but don't want the hassle of a Firmware password (things like resetting PRAM are irritating with this enabled) so don't have that enabled.

If someone steals my laptop and the firmware password is enabled, they'll end up binning it and stealing another one. So, in fact, I'm taking one for the team and doing you all a favour by making mine usable once stolen

 

[M.Rizk]

Thought so. I value my data privacy, so have Filevault enabled (late 2013 Macbook Retina), but don't want the hassle of a Firmware password (things like resetting PRAM are irritating with this enabled) so don't have that enabled.

If someone steals my laptop and the firmware password is enabled, they'll end up binning it and stealing another one. So, in fact, I'm taking one for the team and doing you all a favour by making mine usable once stolen

Having a firmware password on won't stop him from using it. He can still sell it because no one will check if a firmware password is there

 

[Big Ron]

It stops someone from booting your Mac to any drive other than the current drive set in the Startup Disk panel. So if someone steals your Mac and tries to boot to recovery or another drive to hack or reset your Mac, they will be unable to do so.

If you have the firmware password and FileVault both turned on, the thief has essentially stolen a MacBook that is worthless to them.

But a thief won’t know that and you still won’t have your laptop. I doubt you’d get it back. Your still minus your laptop.

 

[Weaselboy]

But a thief won’t know that and you still won’t have your laptop. I doubt you’d get it back. Your still minus your laptop.

I agree it won't help get my laptop back, but I get some small satisfaction knowing the thief will get zero use out of it.

Once enabled, the FW password is transparent as far as day to day computer usage, so I see no reason not to use it.

 

[Lennyvalentin]

Question: how does one enable firmware password, or tell whether it is on or off?

Thanks!

 

[Weaselboy]

Question: how does one enable firmware password, or tell whether it is on or off?

Thanks!

https://support.apple.com/en-us/HT204455

This link will walk you through it.

A quick way to tell though is to hold down the option key at boot. If there is no FW password set, the boot selector screen will come up. If there is one set, you will get a grey box asking for the FW password.

 

[Fishrrman]

Weaselboy, some of what you posted above seems contradictory. Please clarify.

IF one sets a firmware password, the Mac becomes "unbootable" until the password is entered.
Is that a correct assumption?

If that's the case, if one forgets one's own firmware password, can you still "boot and run" from the internal drive? Or... no?

Why I asked:
Someone posed the question, to wit, if one forgets the firmware password, does the Mac end up the equivalent of a doorstop?
Without the password, would not the answer be... "yes"?

 

[Weaselboy]

IF one sets a firmware password, the Mac becomes "unbootable" until the password is entered.
Is that a correct assumption?

No.... that is not correct. All the FW password does is prevent the Mac from booting from anything other than the drive selected in the System Prefs Startup Disk pane. Normally, that would be set to the internal drive. So even with a FW password set, the system will boot right up to the internal drive and ask you for a login password.

 

[Fishrrman]

"All the FW password does is prevent the Mac from booting from anything other than the drive selected in the System Prefs Startup Disk pane."

OK, thanks for the clarification.

I've never used the firmware password option -- and never will.

I WANT my Macs to be "easy to get to".
But... that's just me.

 

[M.Rizk]

"All the FW password does is prevent the Mac from booting from anything other than the drive selected in the System Prefs Startup Disk pane."

OK, thanks for the clarification.

I've never used the firmware password option -- and never will.

I WANT my Macs to be "easy to get to".
But... that's just me.

Firmware Password seems to be a recommended step in T2 machines because T2 sometimes asks for the password of the macOS admin user to let you install another OS (or replace the current).

If your current macOS is corrupted you might get stuck and never be able to boot again till you send it to Apple.

I really recommend enabling it, or else disable all the T2 security features to not regret it later.

 

[Samfrancisco]

It is a very good and wonderful thing the firmware password on paper..and in securing us all from those nasty thieves HOWEVER it is also the bringer of nightmares if you EVER find yourself locked out of your computer AND need urgently to use a keypad combination to access any of the safety nets Apple have put in place to help your computer.
Things like Recovery Mode , Single user Mode ,Verbose Mode , Network mode etc etc these are vital hidden tools that you WILL need one day , trust me ! And if your Mac is firmware locked you can say goodbye to the instant quick fixes these combinations can achieve for you ! My advice is let Apple take care of the top security stuff and leave the firmware password well alone ! It’s the sole reason for one of the most frustrating weekends I have ever had in my life .