I need a BIOS password setting primer
-
wild_bill
- Sophomore Member
- Posts: 211
- Joined: Fri Feb 06, 2009 6:05 am
- Location: Birmingham, Alabama, USA
- Contact:
I need a BIOS password setting primer
I am wanting to set up a BIOS password, but I have not had one before on a Thinkpad so I'm a little green in this area.
I have always hand-loaded all my Thinkpad drivers, and only use the bare minimum, so I suppose this depends on the TPM driver being loaded? What if it's not loaded? (I currently dual boot XP 32 bit and Windows 7 64 bit)
I am a little nervous about potentially screwing it up, after hearing the horror stories about people having to go to extraordinary lengths to reactivate a locked computer, but on the other hand, that does sound good from a security standpoint. - I have never used a computer where you couldn't just reset the CMOS on the motherboard to reset the BIOS password, which should explain why I am a bit apprehensive.
I don't necessarily need to encrypt my hard drive, I just want to use the open source application PREY to find my Thinkpad in case it gets stolen, and I need to set a BIOS password so the would-be thief cannot reformat the hard drive and render PREY a goner!
so what's your best advice?
- thanks!
IBM T60 | 15'' BOE·hydis UXGA IPS | T7200 Core2Duo | 4GB CL4 | 320GB Fujitsu 7200 | Echo Indigo studio sound | NMB kb | XP Pro | Linux Mint | Win7 x64
~~~ celebrating my 37th year of working with micro computers - still have my original MITS Altair 8800 and LSI ADM-3 from '75 ~~~
-
ajkula66
- SuperUserGeorge

- Posts: 15740
- Joined: Sun Feb 25, 2007 11:28 am
- Location: Brodheadsville, Pennsylvania
Re: I need a BIOS password setting primer
You can set a BIOS or Supervisor password on a completely blank machine, no OS or hard drive is needed.
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)
Cheers,
George (your grouchy retired FlexView farmer)
AARP club members:A31p, T43pSF
Abused daily: T61p
PMs requesting personal tech support will be ignored.
Re: I need a BIOS password setting primer
The most important thing is: do not forget the passwords you set. Having said that, the most secure thing you can do is to turn passphrase on and set a hard drive password. That is the one thing that is unbreakable, especially if you have a Hitachi drive. Having said that, with a password set on the drive and passphrase on, it will be complicated at best or impossible at worst to get your data off if your machine dies. Take frequent backups. BTW, it has nothing to do with TPM drivers.
-
wild_bill
- Sophomore Member
- Posts: 211
- Joined: Fri Feb 06, 2009 6:05 am
- Location: Birmingham, Alabama, USA
- Contact:
Re: I need a BIOS password setting primer
so why do I need to load the TPM driver at all then? - is that just in case I want to use the fingerprint reader?
IBM T60 | 15'' BOE·hydis UXGA IPS | T7200 Core2Duo | 4GB CL4 | 320GB Fujitsu 7200 | Echo Indigo studio sound | NMB kb | XP Pro | Linux Mint | Win7 x64
~~~ celebrating my 37th year of working with micro computers - still have my original MITS Altair 8800 and LSI ADM-3 from '75 ~~~
Re: I need a BIOS password setting primer
It also makes encryption faster
-
wild_bill
- Sophomore Member
- Posts: 211
- Joined: Fri Feb 06, 2009 6:05 am
- Location: Birmingham, Alabama, USA
- Contact:
Re: I need a BIOS password setting primer
does setting the supervisor password force you to also set the hard drive password?
I just set the power on password for now, until I learn more.
IBM T60 | 15'' BOE·hydis UXGA IPS | T7200 Core2Duo | 4GB CL4 | 320GB Fujitsu 7200 | Echo Indigo studio sound | NMB kb | XP Pro | Linux Mint | Win7 x64
~~~ celebrating my 37th year of working with micro computers - still have my original MITS Altair 8800 and LSI ADM-3 from '75 ~~~
Re: I need a BIOS password setting primer
wild_bill wrote: so why do I need to load the TPM driver at all then?
If you want to use the TPM with the ThinkVantage Client Security Solution under Windows XP, you need the TPM driver.
Re: I need a BIOS password setting primer
wild_bill wrote: does setting the supervisor password force you to also set the hard drive password?
I don't think so. I believe they are independent of each other.
Re: I need a BIOS password setting primer
wild_bill wrote: so what's your best advice?
Short answer:
Set a password in the BIOS for Power-On and HDD ... nothing more.
Longer answer:
It is not in any way clear that TPM + CSS add any "security" beyond what one has with BIOS and HDD passwords, + FDE (full drive encryption).
A BIOS power-on password does precisely what the name indicates. An HDD password locks out the drive and -- if the drive has hardware encryption -- then the plaintext data on the drive cannot be read even with "specialized" drive-reading hardware/software.
The "best" security is achieved with a power-on password + an HDD password on a drive which has automatic always-on hardware full drive encryption. TPM and CSS add nothing of interest or value to that combination. Software-based drive encryption solutions are inferior and far less "disaster-proof" than hardware-based always-on drive encryption.
Re: I need a BIOS password setting primer
EOMtp wrote: Short answer: Set a password in the BIOS for Power-On and HDD ... nothing more.
If the OP also defines a supervisor password and locks BIOS with that, he can prevent a potential perpetrator from using the computer if it gets stolen.
Re: I need a BIOS password setting primer
TTY wrote: If the OP also defines a supervisor password and locks BIOS with that, he can prevent a potential perpetrator from using the computer if it gets stolen.
How can anyone get past the required Power-On password? A Supervisor password to lock the BIOS is superfluous if one cannot get past the Power-On lockout.
Re: I need a BIOS password setting primer
EOMtp wrote: Consequently, for a single user, i.e., not in a corporate IT-managed computer setting, the addition of a Supervisor password is superfluous.
No. A forum rule prevents me from elaborating.
Re: I need a BIOS password setting primer
TTY wrote: A forum rule prevents me from elaborating.
Okay, but there is no forum rule that prohibits answering the following question with a simple "yes" or "no": Are you saying that a Power-On password can be circumvented?
-
ajkula66
- SuperUserGeorge

- Posts: 15740
- Joined: Sun Feb 25, 2007 11:28 am
- Location: Brodheadsville, Pennsylvania
Re: I need a BIOS password setting primer
Yes it can.
The only password that can't be simply cracked is the HD password.
That's all I'm about to say.
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)
Cheers,
George (your grouchy retired FlexView farmer)
AARP club members:A31p, T43pSF
Abused daily: T61p
PMs requesting personal tech support will be ignored.
Re: I need a BIOS password setting primer
ajkula66 wrote: Yes it can. The only password that can't be simply cracked is the HD password. That's all I'm about to say.
Well, that's interesting. We don't have to discuss how, but are you certain your comment applies to the newer Thinkpads, or does it apply only to the older series which use the Atmel chip?
-
ajkula66
- SuperUserGeorge

- Posts: 15740
- Joined: Sun Feb 25, 2007 11:28 am
- Location: Brodheadsville, Pennsylvania
Re: I need a BIOS password setting primer
EOMtp wrote: Well, that's interesting. We don't have to discuss how, but are you certain your comment applies to the newer Thinkpads, or does it apply only to the older series which use the Atmel chip?
I am certain of what I wrote. No ifs, ands or buts. No exceptions that I'm aware of.
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)
Cheers,
George (your grouchy retired FlexView farmer)
AARP club members:A31p, T43pSF
Abused daily: T61p
PMs requesting personal tech support will be ignored.
-
rkawakami
- Admin

- Posts: 10053
- Joined: Sun Jun 04, 2006 1:26 am
- Location: San Jose, CA 95120 USA
- Contact:
Re: I need a BIOS password setting primer
EOMtp wrote: <snip> Are you saying that a Power-On password can be circumvented?
To clarify one thing... The power-on password (aka, POP) can be easily removed on most (if not all) Thinkpad systems as the procedure is well documented in the Hardware Maintenance Manual. It involves removing the CMOS (backup) battery for several seconds and if I remember right, for some of the older systems you also have to short out two pads on the motherboard.
The BIOS (aka, Supervisor) password takes much more time and effort; the hard drive password (aka, HDP) even more. If you are really concerned about security, then set all three passwords but make them different. The reason? If somebody tries to remove the POP by taking out the CMOS battery, that will automatically invoke the SVP whenever the system is turned on (it will essentially be asking for the date and time to be reset). The end result is that the system will not boot any drive until the SVP is provided. Assuming that the SVP is circumvented, then you won't want the HDP to be the same otherwise the data on your drive is exposed.
Ray Kawakami
X22 X24 X31 X41 X41T X60 X60s X61 X61s X200 X200s X300 X301 Z60m Z61t Z61p 560 560Z 600 600E 600X T21 T22 T23 T41 T60p T410 T420 T520 W500 W520 R50 A21p A22p A31 A31p
NOTE: All links to PC-Doctor software hosted by me are dead. Files removed 8/28/12 by manufacturer's demand.
Re: I need a BIOS password setting primer
rkawakami wrote: To clarify one thing...
Excellent clarification. Thanks! (The things one forgets ... like what is already documented in the HMM ...)
-
wild_bill
- Sophomore Member
- Posts: 211
- Joined: Fri Feb 06, 2009 6:05 am
- Location: Birmingham, Alabama, USA
- Contact:
Re: I need a BIOS password setting primer
well apparently all of us forgot something important in this scenario:
if I set the power-on password, for example, a typical thief will try to power on the computer, and be stopped, so how will my geo-tracing program ever run? - it is just a hidden Windows application.
here is a better scenario, I think:
1. turn off the power on password (so thief can get in)
2. make HD the first boot device and enable BIOS (supervisor password) so that cannot be changed and reformat cannot be done
3. enable guest account with no external drive, USB drive, or DVD drive privileges
4. now thief gets into harmless guest account, has fun using facebook or youtube or whatever, while Prey tracking program pinpoints his BSSID down to within a house or two using wifi geolocation database (from google street view)
IBM T60 | 15'' BOE·hydis UXGA IPS | T7200 Core2Duo | 4GB CL4 | 320GB Fujitsu 7200 | Echo Indigo studio sound | NMB kb | XP Pro | Linux Mint | Win7 x64
~~~ celebrating my 37th year of working with micro computers - still have my original MITS Altair 8800 and LSI ADM-3 from '75 ~~~
Re: I need a BIOS password setting primer
It's also a good idea to set the computer to ask for a passphrase or a password every time the user wants to enter the Rescue and Recovery Predesktop Area. This can be done with the ThinkVantage Client Security Solution.