Set up for fingerprint swipe at BIOS and again at XP logon?

proFeign
Posts: 33
Joined: Thu Sep 14, 2006 12:31 am
Location: California

#1 Post by proFeign » Tue Sep 26, 2006 4:36 pm

I have an x60s with a fingerprint reader and I'd like it to prompt me for a BIOS password that will be redirected to a fingerprint swipe, and then upon Windows boot I want to get that prompt again. I do not want to get prompted for a typed password at all if possible...

I have been able to either use a fingerprint as a BIOS password and then I get automatically logged into Windows with no further action, or I disable the BIOS pw and Windows will ask me for a fingerprint. But not both. I want to get fingerprint requests (they can all be overridden with passwords) but the FP reader is too "user friendly" and logs onto windows after only the BIOS swipe. I haven't been able to get any of the BIOS HDD/BIOS/Logon/Supervisor pw's enabled and have both a BIOS prompt and Windows prompt for fingerprints. The closest I have come is a BIOS pw and a Windows fingerprint swipe.

Any advice? There are so many options that seem to be setting the same thing but there's no way to know without lots of rebooting, and twenty or so reboots later I'm here with either pw/swipe or swipe but never swipe/swipe.

Any way to do this? Seems like there really should be.
proFeign

lev
Freshman Member
Posts: 110
Joined: Thu Sep 07, 2006 7:42 pm
Location: Northeast/Mid-Atlantic USA

#2 Post by lev » Tue Sep 26, 2006 6:01 pm

Untested by me, but should work:
Start->ThinkVantage->ThinkVantage Fingerprint Software->Control Center->Settings->System Settings->Logon [tab]->Enable power-on security single sign-on[uncheck]
Lev Bishop
X220 (4286-CTO) 8Gb, 160Gb/Intel 320
X60s (1705-44U) 2Gb, 100Gb/7200rpm Retired

proFeign
Posts: 33
Joined: Thu Sep 14, 2006 12:31 am
Location: California

#3 Post by proFeign » Tue Sep 26, 2006 7:10 pm

I'll try that as soon as I get home... With it checked the BIOS would still accept a password before I implemented the fingerprint thing. I thought that meant "use fingerprint to logon to windows" instead of fingerprint+windows pw.

Thanks! I'll keep you posted.
proFeign

proFeign
Posts: 33
Joined: Thu Sep 14, 2006 12:31 am
Location: California

#4 Post by proFeign » Wed Sep 27, 2006 7:28 pm

Thanks! I actually don't even want to do it after all, but I'm glad I know what the problem was.

My issue is that you can only use so secure a BIOS password and those can be pretty easy to get around, and if by cancelling out of the finger swipe you could get into windows with my BIOS password that would be pretty stupid.

But the way it works after trying it all out is: if you have power-on single sign-on enabled and you don't swipe your finger but hit escape and enter a password, it will then prompt you for the fingerprint again at Windows, but if you can't provide it there either, you have to enter the Windows password. So single swipe is secure enough.

I thought since it's easy I might as well enable the BIOS, HDD, and Windows passwords since I shouldn't ever have to type them all in just to put as many passwords as possible in front of somebody that's trying to get into my computer.
proFeign

lev
Freshman Member
Posts: 110
Joined: Thu Sep 07, 2006 7:42 pm
Location: Northeast/Mid-Atlantic USA

#5 Post by lev » Wed Sep 27, 2006 9:46 pm

proFeign wrote: My issue is that you can only use so secure a BIOS password and those can be pretty easy to get around, and if by cancelling out of the finger swipe you could get into windows with my BIOS password that would be pretty stupid.
Well, if they've bypassed the bios password, then they can boot the machine from a CD/floppy/USB and thereby bypass the windows password without additional effort. So even if it did behave as you stated, I'm not sure what your concern is.
proFeign wrote: I thought since it's easy I might as well enable the BIOS, HDD, and Windows passwords since I shouldn't ever have to type them all in just to put as many passwords as possible in front of somebody that's trying to get into my computer.
Sure, but make sure you write down the passwords and keep them somewhere very safe (or in more than one place). You're going to forget them since you never have to type them, but one day you'll need to know them.
Lev Bishop
X220 (4286-CTO) 8Gb, 160Gb/Intel 320
X60s (1705-44U) 2Gb, 100Gb/7200rpm Retired

proFeign
Posts: 33
Joined: Thu Sep 14, 2006 12:31 am
Location: California

#6 Post by proFeign » Thu Sep 28, 2006 12:16 am

lev wrote: Well, if they've bypassed the bios password, then they can boot the machine from a CD/floppy/USB and thereby bypass the windows password without additional effort. So even if it did behave as you stated, I'm not sure what your concern is.
I'm not so worried about someone bypassing BIOS because they only have three tries before the computer shuts down. The easy way to do that is to take out the BIOS battery and let the password reset, but that's not easy on a laptop, and additionally you can't get around the HDD password at all unless you replace the logic board on the actual drive, which I believe is the only way, and that's definitely not easy, or cheap.

lev wrote: Sure, but make sure you write down the passwords and keep them somewhere very safe (or in more than one place). You're going to forget them since you never have to type them, but one day you'll need to know them.
I never, ever, write down passwords. I have five or so passwords that I've used on stuff like this in various forms for the past twelve years. I'm not worried about forgetting them. And if I use permutations of them I'm only ever about ten tries from getting into any password I've ever set, even if I actually have about 80 total different in-use permutations of my passwords. And my windows password could be bypassed by the Linux boot disk admin password reset thing, but that requires a floppy drive, and again they'd have to bypass both the BIOS and Hard drive passwords to even get to that point.

And if they get past the BIOS and HDD passwords which are both strong and not guessable by logic and get to Windows that password is over thirteen characters long with a number of symbols and uppercase letters and no actual words. And none of the numbers or letters have any real pattern to anyone but me, anyway.
proFeign

proFeign
Posts: 33
Joined: Thu Sep 14, 2006 12:31 am
Location: California

#7 Post by proFeign » Thu Sep 28, 2006 12:25 am

This is kinda cool: there is a way to dump an NT hash if you have admin privileges and use a brute-force password cracking software directly on the NT hash of your password.

If you want to try it there are tools out there and it'll give you an idea of what someone with a lot of time and computer skill could do to find out what your actual password is, if they cared. But it's far easier to bypass a password than to hack it.

It took two weeks on a pentium three 700 to try to crack the oldest, simplest version of my current windows password and it still didn't get it, even though it dumped out the rest of the people I was in charge of on the server in less than a day. Thirty passwords in a day, two and a half weeks later it still didn't get mine. And that one was only nine digits or so.

Anyway, use strong passwords for everything that matters, and never enter them on public computers or use the same ones for online memberships. Anything I ever put online I consider compromised if I do it from a public computer.
proFeign

lev
Freshman Member
Posts: 110
Joined: Thu Sep 07, 2006 7:42 pm
Location: Northeast/Mid-Atlantic USA

#8 Post by lev » Thu Sep 28, 2006 8:55 am

proFeign wrote:
lev wrote: Well, if they've bypassed the bios password, then they can boot the machine from a CD/floppy/USB and thereby bypass the windows password without additional effort. So even if it did behave as you stated, I'm not sure what your concern is.
I'm not so worried about someone bypassing BIOS because they only have three tries before the computer shuts down. The easy way to do that is to take out the BIOS battery and let the password reset, but that's not easy on a laptop,
On a X60s it takes 4 screws and less than a minute if you know what you're doing. It's actually easier than on my tower case (which at least needs a key in order to open it). Here's the instructional video:
http://www-307.ibm.com/pc/support/site. ... MIGR-64330
Of course this only removes the Power On Password, the supervisor password is much harder to bypass, though there are shady people on the web who claim to be able to do it for about $100 (at least for older thinkpad models, I don't know about X60s).
proFeign wrote: and additionally you can't get around the HDD password at all unless you replace the logic board on the actual drive, which I believe is the only way, and that's definitely not easy, or cheap.
Of course it depends on the specific drive model, but the going rate seems to be under $100 per drive (again for some drives, I don't know about the specific one in your laptop). With the right hardware it allegedly takes about 7 minutes:
http://www.vogon-international.com/prod ... er-pod.htm

Anyway, my point was that if an attacker is determined enough to bypass the bios passwords, then surely they're determined enough to use a boot disk and bypass the windows password as well.
Lev Bishop
X220 (4286-CTO) 8Gb, 160Gb/Intel 320
X60s (1705-44U) 2Gb, 100Gb/7200rpm Retired
