Anybody use Bios Security options?

[makai]

Hello all,

In light of my stolen T41, I was wondering if I should have locked the system up using the bios security features. I didn't. The Windows log on, both Admin and User, were protected, but nothing else. I'm sure that whoever stole the laptop will just reformat the disc and reload it... well, perhaps they'll just reload it with the HPA... how convenient! I'm still p******!!!

I've never felt I ever had to worry about using all the security features in the bios, and in fact, I thought it might even be more dangerous to do so. I would hate for something to get corrupted and lock me out! I've heard too many horror stories and although I do have lab capabilities to reprogram eeproms and such, I still don't like having to go that route.

Do many of you use the bios security options... or do you just not worry about it?

Thanks,
makai

[Superego]

I consider the bios security options pretty important...Windows password are just too easy to crack. Not to promote nefarious acts, but drop in an Ophcrack LiveCD and see how long it takes to retrieve your password....you'll use bios passwords.

I agree that there can be some issues with setting them, but I think most of the problems arise when people set a supervisor password and then forget it. I wouldn't consider them the ultimate security measure, but they will probably deter the majority of people who try to break into a stolen laptop.

I'd like to think that the bios passwords, in addition to being decent security measures, would provide me a little satisfaction when the thief realizes he's not getting anywhere near my files.

[andyP]

My sympathies regarding your loss
I have always set BIOS supervisor, power on, hard drive master and user passwords.
Here's hoping I never suffer from amnesia

[egibbs]

The #1 reason to set the passwords is... so someone else can't. Every so often some poor [censored] will come on the board with a machine that "grew" a password while they were away from it. Funny joke to play on a co-worker, especially if it is set to a long random string of characters that the person doesn't bother to write down.

Always set the Supervisor Password at a minimum. Just make sure it is something you will never ever forget, then write it down and keep it someplace safe.

Ed Gibbs

[RealBlackStuff]

And it would take someone in the know less than 30 minutes (3 minutes in some cases) to reveal your 'secret' password.
The only password I have not (yet) been able to solve, is the Hard Disk password.

[virge]

I don't have any passwords set on machines that I use at home, but for my work Thinkpad I have both the Supervisor and HDD passwords set because the information on there is sensitive. Not "Treadstone" sensitive, but sensitive enough that I am worried about it.

I know that both the Supervisor and HDD passwords can be broken. I have the security chip enabled (not quite sure what that does, but it can't be bad, right?) and am using a passphrase with numbers and letters.

The Supervisor password seems to be breakable with a little bit of time and money. The HDD password seems difficult and/or expensive to break-- I take some comfort in knowing that it would be a lot cheaper for someone to buy another drive rather than hack mine.

A new concern for me is that there have been reports that TSA officials at airports are requiring some passengers to turn on their laptops to inspect the data and in some instances, copying that data off the laptop. My client data is confidential and although there is no way I would surrender it, I would also rather not miss my flight (or be subjected to the rubber glove). The next time I fly with data, I will probably take a personal machine and put the data on an USB drive then use Truecrypt or something similar to store it in a hidden partition.

[makai]

I'd like to think that the bios passwords, in addition to being decent security measures, would provide me a little satisfaction when the thief realizes he's not getting anywhere near my files.

This was my exact sentiment after I realized it might be stolen. Unfortunately, I goofed!

My sympathies regarding your loss

Yah, it's sad, but I'll get over it. I already purchased a replacement from one of the members here. This time I'm locking it up before I send it to Vegas... and doubling the insurance! It'll cost more, but then if it get's stolen again, two things will happen... 1) the thief isn't going to have a fun time getting into the laptop, and 2) I'll be able to buy a newer type laptop and fly there to deliver it... after I collect the insurance!

Always set the Supervisor Password at a minimum. Just make sure it is something you will never ever forget, then write it down and keep it someplace safe.

This, I will do!

And it would take someone in the know less than 30 minutes (3 minutes in some cases) to reveal your 'secret' password.

Hopefully, the thief isn't such a person.

A new concern for me is that there have been reports that TSA officials at airports are requiring some passengers to turn on their laptops to inspect the data and in some instances, copying that data off the laptop.

I heard about this, and I thought you could refuse without repercussions. I hadn't paid much attention to the news, but I never knew they would copy data! Sheesh, what's this world coming to?

From now on, I'm locking everything up, just in case! Thanks guys for the responses!

makai

[ajkula66]

None of my computers contains any sensitive data.

None of my Windows-running machines have passwords.

Sensitive data is saved on paper in language that not too many people understand, and in my (aging) little gray cells...

Good luck.

[gator]

Wish I could say that too George, but sadly in a world and age where most of our work (mostly irrespective of field) is done on/with computers it is hard for most people not to (even accidentally) have sensitive data on their computers. It is all in the game ...

[makai]

Yah... I would consider something as simple as a phone list to be confidential. Or even something like an autobiography or letters to family, photos of family, and even passwords to programs I own. They are all sensitive information to me. These things are on all my computers. Every computer is User password protected, but none were bios protected... not yet, but soon!

[egibbs]

A new concern for me is that there have been reports that TSA officials at airports are requiring some passengers to turn on their laptops to inspect the data and in some instances, copying that data off the laptop. My client data is confidential and although there is no way I would surrender it, I would also rather not miss my flight (or be subjected to the rubber glove). The next time I fly with data, I will probably take a personal machine and put the data on an USB drive then use Truecrypt or something similar to store it in a hidden partition.

So far this has been limited to Customs official, not the regular TSA screeners. Though that is no doubt coming eventually. Customs has (on occasion) either imaged drives or taken laptops and made people fight to get them back - in one case a businesswoman had been trying for over a year to get back a machine that Customs had impounded.

Before you go out and TrueCrypt everything, consider that will just make them more curious. They can't make you give up your passphrase, but they can explain that if you don't they will need to hold the machine and give you a phone number to call to try to get it back.

The scariest thing is that the Government makes no representations about what they will do with the data they suck off machines. We know that they will check it for kiddy porn because they have already busted a few people that way. But that is not by any means the ony thing they can and will do.

They could, for instance load it into a searchable database, the successor to the Total Information Awareness program. Then they could map linkages between people based on who has who in their contacts or who has emails from who.

Suppose you work for a company that has Government contracts, and are involved in putting together proposals and negotiations. How would you like it if the Government had all of your internal emails and rough drafts of the proposal because they found them in the database?

Or how about attorney/client communications relating to a suit against the Government - should the Government have those? They will.

Companies are just beginning to figure out how to deal with border searches of laptops. My company requires that any traveler going overseas must check out a clean machine from Computer Services and bring no files or data without specific approval. While overseas they must use Remote Desktop so that no data is actually brought to their machine, only images of their desktop in the US.

Ed Gibbs

[brainpicker]

I now use all available passwords and security so that my "sensitive data" is somewhat protected. Wow, what a great day & age to be a teenager this 21st century is. Heck (...oops, I almost used that word again! ) in the 70's I could only hope Mom wouldn't find that, uh, "sensitive data" hidden under the bed or in a drawer!

I don't mean any disrespect to the OP for his loss. I've been there. It hurts and makes you feel kinda vulnerable.

- Yak

[makai]

I now use all available passwords and security so that my "sensitive data" is somewhat protected. Wow, what a great day & age to be a teenager this 21st century is. Heck (...oops, I almost used that word again! ) in the 70's I could only hope Mom wouldn't find that, uh, "sensitive data" hidden under the bed or in a drawer!

I don't mean any disrespect to the OP for his loss. I've been there. It hurts and makes you feel kinda vulnerable.

- Yak

Yah, I remember the 70's! I was in the Army serving in Germany at the time. Back then, the only computer we had was actually an IBM sitting in a trailer. It used magnetic media... cardboard cards about 3' x 2', with about 1" magnetic strip across the top. I was a keypuncher back then and submitted anywhere from 1500 to 2000 cards every Thursday to Battalion. Sounds a bit boring, but it was a fun time back then! By the way, no disrespect taken... don't even know why you'd even worry about it!

[t20user]

I assume your machine was stolen in public?

I think from now on I will activate the passwords on machines I take on trips. But the one I keep at home is wide open, I wonder if I should lock that up too.

[makai]

I assume your machine was stolen in public?

I think from now on I will activate the passwords on machines I take on trips. But the one I keep at home is wide open, I wonder if I should lock that up too.

The machine came up missing while in the care of USPS... it was never delivered. I was thinking of locking up everything, but now I don't know. For sure, anything I ship will be locked. There are no personal stuff on the laptops I ship, so it's just to make a thief a little more miserable.

[JHEM]

There are no personal stuff on the laptops I ship, so it's just to make a thief a little more miserable.

If that's the only comfort you can take from setting passwords, then it's certainly worth the price of admission.

I set ALL the passwords.

For the average thief, the fact that they get the purloined goods home and are confronted with a PW prompt when attempting to turn it on is usually sufficient for them to feel "cheated". If they make a concerted effort and search the internet for ways to remove a power on PW, the fact that I always set BIOS PWs leaves me with the knowledge that short of their spending a great deal of time and money attempting to remove same they've effectively stolen a doorstop.

The HD PW gives me adequate insurance that I'll have sufficient time to change my banking and other important access information before others can access my accounts.

TSA gets to see a blinking PW prompt as assurance that it's indeed a working laptop, anything more will require a search warrant! Nor will one of Kip Hawley's morons ever get their hands on anything of mine outside of my view. Customs gets full access to my X31, the only machine that travels outside the country with me. The X31 is only used as a remote desktop a la' Ed Gibbs and as a storage device for whatever photos I might take on said trip.

In full disclosure I don't generally have to deal with TSA at all.

"Commercial airlines is for losers and terrorists." Homer Simpson.

[dsigma6]

I put a BIOS password on my T23, but I'm sure I'll forget it when the time comes.

[Robbyrobot]

I set ALL the passwords.

For the average thief, the fact that they get the purloined goods home and are confronted with a PW prompt when attempting to turn it on is usually sufficient for them to feel "cheated". If they make a concerted effort and search the internet for ways to remove a power on PW, the fact that I always set BIOS PWs leaves me with the knowledge that short of their spending a great deal of time and money attempting to remove same they've effectively stolen a doorstop.

Nice theory, and it doubtless deters amateurs. In practice, as you surely know, the only thing that's really effective - and that only to protect your private data - is a hard drive password. And even then, replace the HDD and you have a saleable laptop.

The fact of the matter is that no number of passwords can really deter theft - but paying attention to where you leave your laptop alone on a desk can.

[wswartzendruber]

I'm pretty confident in my T60's BIOS password (fingerprinted).