There is indeed a dazzling array of passwords, and it would be nice if there was some document that explained (with examples) how each one would be used.
If you define and enable it, you need this password to change BIOS settings. This password might be handy if you lend out your Thinkpad. Someone could boot and use it, but not go in and dork your BIOS settings.
You need this password to boot the machine at all. Without it, you can't access the BIOS, choose a boot device, or do anything useful. This is the one that makes the laptop useless to a thief.
The BIOS Supervisor Password can also be used in place of the boot password (?).
There are two passwords on the IBM hard disk drive itself: the master and user passwords. These passwords lock the IDE drive so the entire drive cannot be used without first sending them. It's important to note that this is a common IDE feature, not a BIOS feature. The BIOS just allows you to enter the password and passes it down to the drive to either unlock or ignore.
If you lock the hard drive, and forget the password, the drive would have to be replaced -- its contents lost.
Moving the drive to another ThinkPad simply moves the password with it.
The actual contents on the hard drive are not encrypted or hidden. It's just the IDE firmware refusing access to the drive. There are secret methods to defeat this password, and companies that provide that service regularly to law enforcement or companies, so it should not be considered high security. Typically the IT department would set the Master Password and allow the owner to set the User Password, so they always have some way to recover the drive after it is returned. Smart IT departments would never send the drive out with the Master Password unset, since it might come back to them with a password they don't know.
This password would be used as a speed-bump for a laptop thief or someone trying to access your confidential files.
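Because the lock lives in the drive rather than the BIOS, the drive reports its own lock state in its IDENTIFY DEVICE data (words 92 and 128 of the ATA specification). The following is an added example, not part of the original page: it decodes that state from a raw 512-byte IDENTIFY block, for instance when IT checks a returned drive. The function names and the two sample blocks are constructed for illustration.

```python
import struct

# IDENTIFY DEVICE word 128 bit positions (ATA Security feature set status).
FLAGS = {"supported": 0, "enabled": 1, "locked": 2, "frozen": 3, "count_expired": 4}
FACTORY_MASTER_ID = 0xFFFE  # word 92 value drives ship with per the ATA spec

def security_status(identify: bytes) -> dict:
    """Decode the drive-lock state from a raw 512-byte IDENTIFY DEVICE block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", identify)  # 256 little-endian 16-bit words
    w128 = words[128]
    status = {name: bool((w128 >> bit) & 1) for name, bit in FLAGS.items()}
    # Bit 8: with "high" the Master Password can unlock the drive; with
    # "maximum" it can only erase it, so the data is not recoverable that way.
    status["level"] = "maximum" if (w128 >> 8) & 1 else "high"
    # Hint only: the identifier changes only if the host supplies a new one
    # when it sets the Master Password.
    status["master_id_is_factory"] = words[92] == FACTORY_MASTER_ID
    return status

def assess(s: dict) -> str:
    """One-line summary for an asset-intake or triage report."""
    if not s["supported"]:
        return "no ATA security feature set"
    if not s["enabled"]:
        return "no User Password set"
    if s["locked"]:
        extra = "; unlock attempts exhausted until reset" if s["count_expired"] else ""
        return "locked, media access refused" + extra
    return f"User Password set, currently unlocked ({s['level']} level)"

def make_identify(word128: int, word92: int) -> bytes:
    """Build a constructed IDENTIFY block holding only the two words of interest."""
    words = [0] * 256
    words[128], words[92] = word128, word92
    return struct.pack("<256H", *words)

# Constructed samples, not captured from real drives.
RETURNED_LOCKED = make_identify(0x0007, 0xFFFE)  # supported + enabled + locked, high
IT_PROVISIONED = make_identify(0x0103, 0x0001)   # enabled, unlocked, maximum

if __name__ == "__main__":
    for name, blob in [("returned", RETURNED_LOCKED), ("provisioned", IT_PROVISIONED)]:
        st = security_status(blob)
        print(name, "->", assess(st), "| factory master id:", st["master_id_is_factory"])
```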
Hopefully you know what this is. You picked this password when you created the initial user account during installation.
Although it doesn't show in the Login list, or under the User Manager, there is also a login named "Administrator" that was defined during Windows installation.
I need some help with this one, being new to it myself. It seems the fingerprint scanner (a USB device) holds inside it a number of fingerprint templates. It also holds the cleartext passwords for enrolled users. So, without any Windows software, it can scan your fingerprint at power-up and supply the Boot Password and Windows password for your login. What else can it be used for? Hard Disk password as well?
- Rescue / Recovery password (for each user?)
Every time I change or modify my Windows login password, I am prompted to set the R&R password as well. It appears IBM has hooked into the Windows password-change operation so that it can get your cleartext password right after you have set it, and use that same password for its own security features. I haven't used R&R, so I keep choosing "Later" with no password.
- IBM Embedded Security Subsystem 2.0
This TCG-compliant NS PC8394T chip is a whole cryptographic processor with secure (tamper-proof) key storage. I haven't used it yet, but I believe this lets you store private keys inside the module, and do things like encrypt files by passing the file data through the Security processor. This would be used to lock down files or directories on your hard drive so that someone stealing or spying on your laptop would have a more difficult time accessing your confidential files. It doesn't appear to be theft protection, because anyone can erase the whole processor at any time, restoring it to factory defaults. Without a backup of the keys, though, all the files would then be unreadable to anyone.