BIOS Password: Don’t Set it and Forget it

02Mar, 2010

We recently had a computer in the shop that had a Hard Disk password and a BIOS password set on it.

The Hard Disk password is stored not only on the logic controller, but also on the disk itself, and make the drive unusable without entering the password.

Under normal circumstances, people will password protect their windows logon, but their data is easily obtainable just by removing the hard drive and accessing it from another computer.  If you set the Hard Disk Password, this is not the case.

This customer happened to know their Hard Disk password, though they had inadvertently set it while going through tech support with someone else (I don’t know how it came to this, but we don’t ask questions, we just fix what people want us to fix.

The hard disk password was just an extra step to go through at startup… it wasn’t really a problem, just a nuisance.  She asked if we could remove it, which is usually an easy process by entering the BIOS.  To our delight, when we attempted to enter the BIOS, there was a password on that as well.

Again, the system started up just fine, so being locked out of the bios only becomes a problem when you need to get into the BIOS.  Most people never do, but it’s a fairly common thing around a computer shop.  The customer didn’t know her BIOS password, or that it had even been set.

If you start your googlehunt for BIOS password recovery, you will find everything from default backdoor passwords for various BIOS vendors, methods for resetting EEPROM memory by shorting out pins, removing the CMOS battery, and a hundred other “proven methods”, but not one thread that ends with “thanks, that worked!”

The bottom line is that the BIOS password is a security measure that is meant to protect your computer in the event that it is stolen.  Most never enable theirs at all, but if you do, make sure you put it somewhere secure and remember it.

In the case of our customer, after a few hundred tries we were able to guess the password, which was derived from the other passwords of hers that we already knew.  (That’s lesson number 2, don’t make your passwords to similar or people like us can guess them!)

-Chris

Leave a Reply

Your email address will not be published. Required fields are marked *