How to set a full-time Mac boot password (i.e. a BIOS password)

14 April 2017, 09:41

Feature head image

Those coming to Macs from the world of PCs might be aware of what we used to call a BIOS password. This was a password set within the motherboard’s BIOS that presented a password prompt as soon as the computer was powered on. Did you know a Mac can utilise a similar password? Read on…

Independent of the operating system, the BIOS password on a PC blocked access to the computer unless the password was typed (although in most cases it could be overcome fairly easily).

Macs have their own firmware password system. Because Macs use FileVault full disk encryption to protect data, its main purpose is to block anybody from booting to the recovery console, or block them from booting via anything that isn’t the main boot disk, such as a USB stick. In other words, once set the firmware password prompt does NOT appear each time the computer boots. It only appears if the user is attempting to do something out of the ordinary.

However, you can also configure the password prompt to appear at all times – whenever the computer is booted, as with a PC’s BIOS password (or equivalent on more recent models).

Bear in mind you’re playing around here with fundamental security settings for your Mac by following the steps below. Be extremely careful when following these steps, and make a note of any new passwords you set, or changes you make.

First follow the steps required to set a firmware password using the recovery console. Once that’s been done, follow these steps.

  1. Open Terminal, which you’ll find in the Utilities folder of the Applications list of Finder.
  2. Paste in the following into the Terminal window and then hit Enter:
    sudo /usr/sbin/firmwarepasswd -setmode full
  3. You’ll immediately be prompted for your macOS/OS X login password, so type it.
  4. You’ll then be prompted for the firmware password, so type it when prompted.
  5. Reboot your computer.

Upon reboot the firmware password prompt will appear, and will now appear each time the computer boots or reboots. It won’t appear when you wake the Mac from sleep or suspend, though.

To turn off the boot-time password prompt, but still leave in place the standard firmware password that will block unauthorised booting from things like USB sticks, or access to the recovery console, again open a Terminal window and paste-in the following:

sudo /usr/sbin/firmwarepasswd -setmode command

Again, you’ll need to type your passwords when prompted, as mentioned in steps 3 and 4 above, and will need to reboot.

For what it’s worth, you can also entirely remove the firmware password when macOS/OS X is booted, via the following command within a Terminal window:

sudo /usr/sbin/firmwarepasswd -delete

Obviously you will need to know the firmware password to be able to do this.

Main feature illustration


Leave a comment...

 
---