Thinkpads Forum

732 wrote:How come the power-on password is weak? Can you please explain.

Marin85 wrote:I can confirm this. It´s also not so big problem to crack the BIOS password as well. So, as the others stated above, the most secure one remains the HD password.

hart22 wrote:And for hard disk data privacy concerns it's hard to beat disks with Full Disk Encryption coupled with the advice given by previous members.

And for the most paranoid you can try a cable lock between your laptop and your leg.

Post subject: "Power on, Supervisor, Master and User HDD Passwords", 1/3/09:
Howdy,

i have a small collection of T6x and X61s thinkpads. i am posting this in the T6x forum because i want T6x specific replies (there appear to be subtle differences in password behavior on some of the older machines).

what i want: (1) prevent honest people from booting up my computer and (2) to prevent dishonest people from accessing the data on my hard drive (if my machines are lost/stolen).

as far as protecting my data, i am not willing to pay the performance hit associated with whole disk encryption software, so that's not an option. i am considering activating the hard disk password on some of these machines and want to make sure that i fully understand the consequences before doing so. this is where i encourage you to share your experience and help me do the right thing.

as best as i can gather from this forum, the password choices are as follows:

[1] power on password (POP) - prevents booting machine without password. password is easily removed through published methods.

[2] supervisor password (SP) - protects BIOS settings, may be recoverable but we won't go there. since it may be recoverable, one obviously should not set a hard drive password to the same value as a supervisor password.

[3] master+user HDD password - i think this option is for machines with multiple users and an IT guru. the user password would be set by/provided to the user(s) for normal use. if the user forgets it, the master password can still be used (by the IT guru ) to unlock the drive and remove the forgotten user password. for obvious reasons, one would not want to (knowingly) set the user and master passwords to the same value.

[4] user hdd password only - this option is most appropriate for single user machines where there is no need for a master password to override the user password (if you can't remember one, how are you gonna remember two?).


my plan is as follows: set POP (keeps the honest people out) and user HDD password (keep majority of thieves out). i will set these to two different values (in case POP is recoverable). i will not set supervisor password (i'm not worried about protecting BIOS settings) or use the master+user HDD password option (i am the only user).

did i get this right?

if i set the user HDD password, will i be able to remove it in the future?

if i put a second hard drive with user password set into the ultrabay, will the machine unlock it too?

is there any other purpose to setting a master password (other than listed in #3 above)?

is there any consequence of turning on the BIOS "use passphrase" option (other than enabling longer / case sensitive passwords)?

what about the TPM? i am afraid of long boot times, what is the down side of keeping it turned off?


thanks very much for taking the time to read this, i will definitely appreciate hearing any of your comments.

phil

PhilD wrote:Below is a copy of a post i made in early january which was unfortunately lost (along with a lot of great replies) when the board switched to the new software.

Crunch wrote:Just FYI...yes, you can remove the password(s) in the BIOS by selecting change pw, then type in the current password, and then just hit Enter twice, leaving the new password fields empty. Your password is then removed.