Basically, my BIOS is password protected and my local account is also password protected, but I can’t help but wonder how effective this is as an additional layer of security. I’ve seen videos online that showcase the systematic bypassing of a ‘startup password’, and (after a quick search) come across this article posted by @Henry himself.
Is it worth it to password protect the BIOS if those who know what they’re doing—those who know more than I do—can easily access my data one way or the other, should they get their hands on my hardware?
This is a purely hypothetical scenario and I am just curious about what others think about this.
This really depends on the manufacturer of your device. It may be a useful additional layer of security in some cases (certainly can’t hurt), but it should never be used instead of security measures like full-disk encryption.
Authored by Henry? I don’t think so lol
Definitely not: ‘Author: Dajne Win – Principal Security Consultant’ at the end of the article.
Perhaps I could have worded that a little differently, but I simply meant that he linked to the aforementioned article in a post of his own.
Well, if you change your CMOS battery it resets all BIOS settings and so removes the password you set. Really depends on your threat model and whether you think your adversary knows tricks to bypass the password or not. I personally do have a BIOS password because I wouldn’t like my non tech-savvy friends to do something stupid like a “Secure Erase” of drives.
TL;DR: I don’t think this is useful for an average person owning the machine, only for highly targeted individuals or corporate environments.
I am not versed in this topic, but I think that a dedicated person who knows what a BIOS (or UEFI) is and who is determined enough to get access to it won’t likely be stopped by a password. It’s more like a fool-proofing feature. Feel free to disagree.
The main use I see for it is in corporate or public environments where unknown and not very tech-savvy people are going to be using the machines. The main thing it might stop them from doing is changing the boot priority and booting from USBs. And also disabling Secure Boot, which would allow them to boot a third-party OS.
This way the establishment that owns these machines hopes to prevent “malicious” unauthorized use, which is of course not always malicious. Though it’s easy to understand that a password will definitely help against anyone except the most determined and very skilled individuals that won’t be satisfied with just a factory reset of BIOS.
To be fair, I don’t really understand what information in the BIOS can be so valuable that it needs protecting with a password. Fan settings? RAM overclocking parameters? Actual boot priority? Who cares about that?
The only thing I can think of that a BIOS password can be useful against is malicious BIOS image flashing. A bad actor won’t be able to apply the same password, as you’d expect, if they flash another image, so you’d be able to tell that something is wrong if you can’t access the BIOS with your expected password.
AFAIK, there’s no way to find out the actual password, there are only ways to bypass it.
My biggest, and only, reason to mess around with the BIOS was to change boot priority and run DBAN from a bootable drive when I was switching devices.
It wasn’t until I’d come across a notable privacy advocate online that I even considered setting up a password.