How secure is the harddrive password when set in bios?

fefrie
Junior Member
Posts: 435
Joined: Wed Jan 24, 2007 3:29 am
Location: Vancouver, Canada

How secure is the harddrive password when set in bios?

#1 Post by fefrie » Thu Dec 01, 2011 9:32 pm

Just like the title says, I'm wondering how secure the information is when you set a password on the hard drive.

If there is a password on the hard drive, can anyone circumvent the hard drive and still see the information on the drive without breaking it?

Is the password entry method easily breakable using a brute force method?

Any insight would be really appreciated.

Thanks
IBM Thinkpad T23 1.13 2647-9LU 640MB Ram 40GB hard drive SOLD!
T42 SXGA 1.7 64mb xp

RealBlackStuff
Admin
Posts: 17512
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: How secure is the harddrive password when set in bios?

#2 Post by RealBlackStuff » Thu Dec 01, 2011 10:28 pm

Hard drive password is unbreakable, unless you own a forensic laboratory.
If you set one, make sure NEVER to forget it!
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

fefrie
Junior Member
Posts: 435
Joined: Wed Jan 24, 2007 3:29 am
Location: Vancouver, Canada

Re: How secure is the harddrive password when set in bios?

#3 Post by fefrie » Thu Dec 01, 2011 11:26 pm

Excellent,

With your 9000 posts and ibm's 'ultra secure chip technology' (whatever that means) I'll assume that once I set a password on the laptop, the data on the hard drive is 100% secure.
IBM Thinkpad T23 1.13 2647-9LU 640MB Ram 40GB hard drive SOLD!
T42 SXGA 1.7 64mb xp

Orclas
Sophomore Member
Posts: 190
Joined: Mon May 02, 2011 4:12 pm
Location: Stockholm, Sweden

Re: How secure is the harddrive password when set in bios?

#4 Post by Orclas » Fri Dec 02, 2011 4:59 am

fefrie wrote:With your 9000 posts and ibm's 'ultra secure chip technology' (whatever that means) I'll assume that once I set a password on the laptop, the data on the hard drive is 100% secure.
I would myself make the very same assumption on the very same basis, since RBS is some kind of human Encyclopedia Thinkpadia. :D

I may add that from my (limited) experience of HD locks, brute force is made virtually impossible by the fact that the password prompt is slightly, and increasingly, delayed for each new attempt. That means that 1-5 attempts can be done without much noticeable delay, but that already attempt 10 means a bit of waiting. Some further steps up the exponentiality and we're talking first several minutes, then several hours between attempts (and soon days, weeks).

I don't know if above is the case for your rig, but it was on a work Thinkpad (some ten years ago) that I had a HD lock.
T61 (8895-2FG) T8100/Intel X3100/SXGA+/Intel 320 SSD/4GB/Win7 x64 Pro
T400 (retired)
T40 (semi-retired)

RealBlackStuff
Admin
Posts: 17512
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: How secure is the harddrive password when set in bios?

#5 Post by RealBlackStuff » Fri Dec 02, 2011 7:54 am

Orclas wrote:RBS is some kind of human Encyclopedia Thinkpadia. :D
Thanks, I like that :P

I have to be a bit more specific about HD passwords.
If you set one, make sure it is different from any Supervisor or Power-On Passwords, as these can easily be broken.
FYI: the HD password is stored on the HD itself, in an area that is not accessible to Joe Public.
SVP and POP are stored on the motherboard.
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

fefrie
Junior Member
Posts: 435
Joined: Wed Jan 24, 2007 3:29 am
Location: Vancouver, Canada

Re: How secure is the harddrive password when set in bios?

#6 Post by fefrie » Fri Dec 02, 2011 1:43 pm

This is the stuff that I need to know that you can't get in a manual!

For simplicity, my hd and POP are the same, but now I'll change them!
IBM Thinkpad T23 1.13 2647-9LU 640MB Ram 40GB hard drive SOLD!
T42 SXGA 1.7 64mb xp

Orclas
Sophomore Member
Posts: 190
Joined: Mon May 02, 2011 4:12 pm
Location: Stockholm, Sweden

Re: How secure is the harddrive password when set in bios?

#7 Post by Orclas » Sat Dec 03, 2011 2:07 pm

RealBlackStuff wrote:Thanks, I like that :P
And we like you :D

Maybe you should put it on your business card!
T61 (8895-2FG) T8100/Intel X3100/SXGA+/Intel 320 SSD/4GB/Win7 x64 Pro
T400 (retired)
T40 (semi-retired)

FrankL
Freshman Member
Posts: 59
Joined: Mon Dec 29, 2008 8:28 am

Re: How secure is the harddrive password when set in bios?

#8 Post by FrankL » Tue Dec 06, 2011 3:52 pm

fefrie wrote:Just like the title says, I'm wondering how secure the information is when you set a password on the hard drive.

If there is a password on the hard drive, can anyone circumvent the hard drive and still see the information on the drive without breaking it?

Is the password entry method easily breakable using a brute force method?

Any insight would be really appreciated.

Thanks
A quick Google search provides the following sites that give info on how to break it:
http://<removed>/
http://<removed>/
http://<removed>/

and there undoubtedly are more. They seem to charge anywhere up to 500 USD to unlock a HDD while retaining the data.

If you really want to be secure, use a full disk encryption like TrueCrypt, Microsoft Bitlocker or dm-crypt (*nix)... and even then never let anyone near your notebook while it's powered on, in S3 standby or within 30 seconds of being powered off (it's possible to extract the HDD encryption key from RAM in these conditions).

Admin edit: Removed links. Please don't post something like this in the forums.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: How secure is the harddrive password when set in bios?

#9 Post by ThinkRob » Tue Dec 06, 2011 3:58 pm

The hard drive password is secure...

... but ONLY for drives that have built-in drive-level encryption.

For all other drives, to a dedicated attacker it's little more than a sign saying "Please, sir, don't look at my data!"
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none
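
Added example (not from any poster in this thread): the BIOS hard drive password is the drive's ATA Security feature set, and on Linux `hdparm -I` prints its state. The Python sketch below parses that section from constructed sample output and lists what an administrator should note; it reports access-control state only and cannot tell whether the drive encrypts its contents.

```python
# Constructed sample of the "Security:" section of `hdparm -I /dev/sdX` output
# for a drive with a user password set (typed by hand, not captured).
SAMPLE = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\tSecurity level high\n"
    "Checksum: correct\n"
)

FLAGS = ("supported", "enabled", "locked", "frozen")


def parse_ata_security(text):
    """Return the ATA security flags from `hdparm -I` text, or None if absent."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # next unindented heading ends the section
        words = line.split()
        negated = bool(words) and words[0] == "not"
        if negated:
            words = words[1:]
        if not words:
            continue
        if len(words) == 1 and words[0] in FLAGS:
            state[words[0]] = not negated
        elif words[0] == "expired:":
            state["attempts_exhausted"] = not negated
        elif words[:2] == ["Security", "level"] and len(words) > 2:
            state["level"] = words[2]
    return state or None


def review(state):
    """Turn the parsed flags into notes for whoever administers the laptop."""
    if not state or not state.get("supported"):
        return ["drive does not report the ATA security feature set"]
    notes = []
    if state.get("enabled"):
        notes.append("drive password is set (level %s)" % state.get("level", "unknown"))
        if state.get("level") == "high":
            notes.append("level high: master password can also unlock; maximum limits it to erase")
    else:
        notes.append("no drive password is set")
    if not state.get("frozen"):
        notes.append("not frozen: ATA security commands are still accepted from software this boot")
    return notes


if __name__ == "__main__":
    for note in review(parse_ata_security(SAMPLE)):
        print("-", note)
```
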

fefrie
Junior Member
Posts: 435
Joined: Wed Jan 24, 2007 3:29 am
Location: Vancouver, Canada

Re: How secure is the harddrive password when set in bios?

#10 Post by fefrie » Tue Dec 06, 2011 6:49 pm

So for T42s with the security chip, is it OK then?
IBM Thinkpad T23 1.13 2647-9LU 640MB Ram 40GB hard drive SOLD!
T42 SXGA 1.7 64mb xp

ajkula66
SuperUserGeorge
Posts: 15740
Joined: Sun Feb 25, 2007 11:28 am
Location: Brodheadsville, Pennsylvania

Re: How secure is the harddrive password when set in bios?

#11 Post by ajkula66 » Tue Dec 06, 2011 10:28 pm

I believe that ThinkRob was referring to FDE (Full Disk Encryption) hard drives, and none of the IDE laptop drives that I'm aware of had that option...

As for security of my own data...

a) None of the laptops I travel with has anything valuable on them, ever.

b) I never set any passwords, since I'm not getting any younger and my memory might fail when least desired

c) The machines that reside in my household and contain potentially valuable stuff (at least for myself) are protected by my Second Amendment rights and a PLNA circuit... :twisted:
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)

Cheers,

George (your grouchy retired FlexView farmer)

AARP club members:A31p, T43pSF

Abused daily: T61p

PMs requesting personal tech support will be ignored.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: How secure is the harddrive password when set in bios?

#12 Post by ThinkRob » Wed Dec 07, 2011 12:45 am

ajkula66 wrote:I believe that ThinkRob was referring to FDE (Full Disk Encryption) hard drives, and none of the IDE laptop drives that I'm aware of had that option...
Correct.

AFAIK none of the pre-2005 ThinkPads shipped with drives featuring full-disk hardware encryption.

Forget the drive password. Use open-source, software FDE.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

fefrie
Junior Member
Posts: 435
Joined: Wed Jan 24, 2007 3:29 am
Location: Vancouver, Canada

Re: How secure is the harddrive password when set in bios?

#13 Post by fefrie » Wed Dec 07, 2011 1:16 am

Well truecrypt looks like the easiest solution and FDE sounds like the best protocol for users that have access to the laptops.

I need to keep it simple so if FDE involves a startup password and nothing else while the laptop is on, then that will provide a simple easy to understand procedure for users, and a reasonable enough level of security while the laptop is on.

The data that needs to be protected resides in a dropbox folder, so I can't have complex instructions on passwords for encrypted folders.
IBM Thinkpad T23 1.13 2647-9LU 640MB Ram 40GB hard drive SOLD!
T42 SXGA 1.7 64mb xp

FrankL
Freshman Member
Posts: 59
Joined: Mon Dec 29, 2008 8:28 am

Re: How secure is the harddrive password when set in bios?

#14 Post by FrankL » Wed Dec 07, 2011 6:07 am

I've never used TrueCrypt for full-disk encryption, but if you run Microsoft Windows Vista Ultimate or 7 Ultimate, bitlocker is really nice and easy.

When I boot my Windows, it'll ask me to plug in a USB drive with the encryption key into my T43. After that moment, it's not needed any more until the next boot.

Again, if anyone wants to, they'll still be able to decrypt your HDD contents if they can get their hands on your computer unless it's completely powered off for at least a couple of minutes (to be on the safe side). I use full disk encryption because I don't want any potential thieves to get hold of my private data. I make the assumption they cannot unlock windows and extract the fde key from RAM as I keep my thinkpad in S3 standby most of the time when I'm not actively using it.

P.S. @admins of this thinkpad forum: Why are links censored? Is it the legality of bypassing security (DMCA)? What if someone needs to bypass security to access their own data (e.g. they forgot the password)? Is that illegal too according to the DMCA?

Admin note: Replied via PM.

richk
Moderator
Posts: 2911
Joined: Sun Jan 01, 2006 3:29 pm
Location: San Francisco, CA

Re: How secure is the harddrive password when set in bios?

#15 Post by richk » Wed Dec 07, 2011 12:06 pm

Discussions on how to defeat security are not allowed on the forum.

RealBlackStuff
Admin
Posts: 17512
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: How secure is the harddrive password when set in bios?

#16 Post by RealBlackStuff » Wed Dec 07, 2011 12:06 pm

Read the Forum rules!
5. Passwords: No discussion on how to defeat the password or Security Chip on thinkpads specifically or lenovo/IBM branded computers in general will be allowed. The structure of the security system and how to best secure a thinkpad, etc. is allowed as long as it does not touch on bypassing such security systems. The judgement of the Admin or Moderator in this regard is absolute. There is no appeal except to the Admin or Moderator involved should your post be deleted or moved out of sight.
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: How secure is the harddrive password when set in bios?

#17 Post by ThinkRob » Wed Dec 07, 2011 1:20 pm

FrankL wrote:I make the assumption they cannot unlock windows and extract the fde key from RAM as I keep my thinkpad in S3 standby most of the time when I'm not actively using it.
FYI: in S3, the machine is still powered, and thus vulnerable to key recovery. If you want to make sure your key is unrecoverable, shut down the machine completely. S4 is only a suitable replacement if the storage used for suspend is also encrypted.

That said, most thieves don't have the patience or hardware to do such an attack. It would be quite cheap and easy to do -- it's not a lack of resources that stops it, but rather that it's even easier still to wipe the drive and pawn the laptop.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none
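
Added example (not part of ThinkRob's post): one way to check the S4 condition above on Linux is to see whether every swap area, where the hibernation image is written, sits on a dm-crypt mapping. The Python sketch reads `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output; both layouts are constructed samples, and swap files are not covered.

```python
import json

# Constructed `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output: root is
# encrypted but swap is a plain partition, so a hibernation image lands in clear.
PLAIN_SWAP = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"},
  {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
   "children": [
    {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]}]}"""

# Constructed: swap and root are LVM volumes inside one LUKS container.
CRYPT_SWAP = """{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
   "children": [
    {"name": "cryptlvm", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
     "children": [
      {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"},
      {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}]}]}]}]}"""


def swap_areas(lsblk_json):
    """Return [(device name, True if it sits on a dm-crypt mapping)] per swap area."""
    found = []

    def walk(node, under_crypt):
        # A device is covered if it, or any ancestor in the tree, is a crypt mapping.
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("fstype") == "swap" or node.get("mountpoint") == "[SWAP]":
            found.append((node["name"], under_crypt))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return found


def unencrypted_swap(lsblk_json):
    """Names of swap areas that would hold a hibernation image in the clear."""
    return [name for name, encrypted in swap_areas(lsblk_json) if not encrypted]


if __name__ == "__main__":
    for label, layout in (("plain swap", PLAIN_SWAP), ("swap inside LUKS", CRYPT_SWAP)):
        exposed = unencrypted_swap(layout)
        print(label, "->", "exposed: " + ", ".join(exposed) if exposed else "ok")
```
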

ujav
Posts: 42
Joined: Fri Mar 17, 2006 11:37 am
Location: Kiev, Ukraine

Re: How secure is the harddrive password when set in bios?

#18 Post by ujav » Wed Dec 07, 2011 8:22 pm

So, in a few words, what can this famous Security Chip do?
I don't want to know how to bypass it, just curious how it can help to strengthen HDD security compared to other laptops without this chip.
T30(14" XGA, 12V car powered, still alive), A31p(UXGA IPS, secondary HDD and battery, some PC Card add-ons, alive), R50p(UXGA IPS, dead after massive tea spitting), T43(IPS SXGA+, GPU desolder), T43p(UXGA IPS, dock, almost maxed out), T60(SXGA+ IPS) + second T60 IPS+dock and some mods

fefrie
Junior Member
Posts: 435
Joined: Wed Jan 24, 2007 3:29 am
Location: Vancouver, Canada

Re: How secure is the harddrive password when set in bios?

#19 Post by fefrie » Thu Dec 08, 2011 12:09 am

ujav wrote:So, in a few words, what can this famous Security Chip do?
I don't want to know how to bypass it, just curious how it can help to strengthen HDD security compared to other laptops without this chip.
Ha, ha, I was thinking the same thing.

I remember somewhere in my brain, IBM marketing the most secure laptops, and blah, blah blah.

Here are some specs I found

P M 735, 512MB RAM, 80GB 5400rpm HDD, 14.1 XGA(1024x768) TFT LCD, 32MB ATI Radeon 7500, 24x24x24x/8x CD-RW/DVD, Intel 802.11b wireless(MPCI), Modem(CDC), 1Gb Ethernet(LOM), UltraNav, Secure Chip, 6 cell Li-Ion battery, WinXP Pro

So I'll ask too. What does this secure chip do? More of a curiosity question now than anything else. Truecrypt FDE is the path I'm moving towards now...
IBM Thinkpad T23 1.13 2647-9LU 640MB Ram 40GB hard drive SOLD!
T42 SXGA 1.7 64mb xp

lukee
Junior Member
Posts: 454
Joined: Mon Oct 12, 2009 7:17 am
Location: CZ / Europe

Re: How secure is the harddrive password when set in bios?

#20 Post by lukee » Thu Dec 08, 2011 1:45 am

Secure chip can store some special passphrases, passwords and encryption certificates as well as a BitLocker encryption string. Its power is best when using it together with a proprietary security software. The chip will not issue the keys if the laptop was exposed to some HW modification. For example, I can't boot my Dell Latitude D630 laptop with USB flash storage connected because BitLocker recognizes that current HW configuration is not original -> key is not issued -> Boot Manager can't decrypt Windows partition.

The best you can do for your data security:

1) set some strong HDD password in BIOS but different than the Supervisor/PowerOn password
2) install TrueCrypt and set it up for on-the-fly encryption of the whole HDD - use some strong password OR
3) if you have Ultimate or Enterprise edition of W7 or Vista, you can use BitLocker only in case you have Secure Chip with TPM Standard V1.2. If you have TPM V1.1 (T43 series and lower), you can use BitLocker too but you need to remember encryption passphrase (and confirm it before every boot process) or you need to make a USB flash stick which will store the encryption key and which must be plugged in USB port before every boot process.
4) create backups and store them in a safe place (home vault etc.) in case the HDD will fail
Current: T420
Previous: T400, T43p Flexview, T40, R52, T43p 14"
My first ThinkPad was 570
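
Added example (not part of lukee's post): a simplified Python model of why a TPM 1.2-style chip withholds a sealed key when the measured boot configuration changes. The `ToyTPM` class, the component names and the key are assumptions for illustration; a real TPM keeps the sealed secret encrypted inside the blob and performs the comparison in hardware.

```python
import hashlib
import hmac

PCR_RESET = b"\x00" * 20  # a TPM 1.2 PCR is a 20-byte SHA-1 register, zeroed at reset


class ToyTPM:
    """Hypothetical model of one platform configuration register plus sealing."""

    def __init__(self):
        self.pcr = PCR_RESET

    def extend(self, measured):
        # Extend is the only way to change a PCR: new = SHA1(old || SHA1(data)).
        # The register cannot be set directly, so its final value depends on
        # every measurement and on the order in which they arrived.
        self.pcr = hashlib.sha1(self.pcr + hashlib.sha1(measured).digest()).digest()

    def seal(self, secret):
        # Bind the secret to the PCR value present at sealing time.
        return {"pcr_at_seal": self.pcr, "secret": secret}

    def unseal(self, blob):
        # Release the secret only if this boot produced the same PCR value.
        if hmac.compare_digest(blob["pcr_at_seal"], self.pcr):
            return blob["secret"]
        return None


def boot(components):
    """Model the same chip after a reset: fresh PCR, then each stage is measured."""
    tpm = ToyTPM()
    for component in components:
        tpm.extend(component)
    return tpm


# Constructed measurement chains (stand-ins for firmware, boot devices, loader).
NORMAL = [b"BIOS image", b"boot devices: internal HDD", b"boot manager"]
WITH_USB = [b"BIOS image", b"boot devices: USB flash, internal HDD", b"boot manager"]
TAMPERED = [b"BIOS image", b"boot devices: internal HDD", b"patched boot manager"]

VOLUME_KEY = b"constructed 32-byte volume key.."


def try_unseal(seal_chain, boot_chain):
    """Seal the key under one boot chain, then attempt to unseal under another."""
    blob = boot(seal_chain).seal(VOLUME_KEY)
    return boot(boot_chain).unseal(blob)


if __name__ == "__main__":
    for name, chain in (("normal", NORMAL), ("usb attached", WITH_USB), ("tampered", TAMPERED)):
        released = try_unseal(NORMAL, chain) is not None
        print(name, "->", "key released" if released else "key withheld")
```
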

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: How secure is the harddrive password when set in bios?

#21 Post by ThinkRob » Thu Dec 08, 2011 9:12 pm

lukee gives pretty solid advice.

One additional point to consider: if you're concerned about the cozy relationship between the US government and Microsoft, you might want to consider whether or not to trust closed-source crypto like BitLocker. (That said, TrueCrypt isn't any better if you don't confirm the authenticity of the code you download...)

One more important thing: don't re-use passwords. Anywhere. Ever.

If you do, Murphy's Law dictates that one *will* get compromised, and that one *will* be one that you use to protect something that you care about.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

FrankL
Freshman Member
Posts: 59
Joined: Mon Dec 29, 2008 8:28 am

Re: How secure is the harddrive password when set in bios?

#22 Post by FrankL » Sat Dec 10, 2011 3:56 am

ThinkRob wrote: FYI: in S3, the machine is still powered, and thus vulnerable to key recovery. If you want to make sure your key is unrecoverable, shut down the machine completely. S4 is only a suitable replacement if the storage used for suspend is also encrypted.

That said, most thieves don't have the patience or hardware to do such an attack. It would be quite cheap and easy to do -- it's not a lack of resources that stops it, but rather that it's even easier still to wipe the drive and pawn the laptop.
You are absolutely right (and I made this explicit in an earlier post). It's a trade-off between usability and protection. I use FDE against potential theft of my laptop (in case they are as blind not to notice that my T43 is not worth much any more, or when they steal a bag with my laptop). If people want to get access to the hard disk data, they'll surely be able to. But it's a barrier for the 'everyday laptop thief / burglar' which is what I want to protect against.

There was another comment about never re-using passwords. Unfortunately, the sheer number of websites which require a password to log in makes it impossible to memorize strong and unique passwords for each of them. So you'll have to resort to either writing them down or making the browser memorize them, both are far from ideal solutions; I wish we'd switch to some kind of public key infrastructure (SSL PKI? GPG?) in the future instead of the flawed X-character password system for authentication.

mark-ibmtp
Posts: 30
Joined: Mon Aug 22, 2011 5:59 pm
Location: Phillipsburg, NJ

Re: How secure is the harddrive password when set in bios?

#23 Post by mark-ibmtp » Sun Dec 11, 2011 7:36 pm

2 cents from a student of security.

Because of the weakest-link principle, practically nothing is as secure as it was designed to be. Sadly, nowadays a large proportion of malware seems to include keystroke logging. If even once such a program was running when you typed a security passphrase, that passphrase is probably in the hands of some very bad actors -- and might be, or become, accessible to others who might wish to break your security.

The policy of "no discussion on how to defeat..." Thinkpad security technology is a surprise to me. In the discipline of security, knowledge of attack techniques is considered to be of great value to making the best security arrangements. You can safely assume that anyone who seriously wants to compromise your security has access to all of the best attacks. No doubt, there are sound reasons for this policy; it does limit the forum as a resource for those who attach much importance to understanding and managing the integrity and confidentiality of their computerized data.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: How secure is the harddrive password when set in bios?

#24 Post by ThinkRob » Mon Dec 12, 2011 1:42 pm

mark-ibmtp wrote:The policy of "no discussion on how to defeat..." Thinkpad security technology is a surprise to me. In the discipline of security, knowledge of attack techniques is considered to be of great value to making the best security arrangements. You can safely assume that anyone who seriously wants to compromise your security has access to all of the best attacks.
I think you're right: Anyone who's got the hardware and expertise to take a serious whack at TPM also probably has access to the requisite CCC presentations and papers. ;)

Then again, I don't make the rules. I can certainly understand the admins' stance -- no need to make it easier for skiddies.
FrankL wrote:There was another comment about never re-using passwords. Unfortunately, the sheer number of websites which require a password to log in makes it impossible to memorize strong and unique passwords for each of them.
My approach is two-fold: for things that I need to access on multiple (secure) machines, I simply use an MD5 hash of a sentence describing the service that I'm using. Easy to remember, and easy to produce. For everything else, I write down the password in a plain text file on my drive. That means that if my /usr partition or my backups are ever compromised I'm toast -- but the passphrases for those are such that the chance of a successful brute-force attack is basically zero.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none
