Firmware passwords: a mixed blessing

If you want to lock other people out of your Mac completely, and it is a relatively recent model, then setting a firmware password can be a very good choice. Older Macs also offer a similar mechanism, but it is easily bypassed (changing the amount of installed memory and resetting the NVRAM was enough to clear it), so it does not improve your Mac's security much at all.

A firmware password ensures that anyone starting your Mac up from anything other than its designated startup disk will have to enter a password. If they let it start up normally, from its regular startup disk, they are not asked for the firmware password, but they will still have to log in with the password of one of the user accounts set up on it. If they (or you) try to start it up from any other drive, including the Recovery drive, then they will have to enter the firmware password.

So long as your Mac is one of the following or later models, you can use this feature:

  • MacBook Air Late 2010 (MacBookAir3,1)
  • MacBook Pro Early 2011 (MacBookPro8,1)
  • MacBook Pro Retina display (MacBookPro10,1)
  • MacBook Retina Early 2015, 12 inch (MacBook8,1)
  • iMac Mid 2011 (iMac12,1)
  • Mac mini Mid 2011 (Macmini5,1)
  • Mac Pro Late 2013 (MacPro6,1).

You set, change, and remove your password in Recovery mode. To enter that, restart your Mac with the Command and R keys held down.

To set a password, in Recovery mode use the Firmware Password Utility command in the Utilities menu. In the window which appears, click on Turn On Firmware Password, then enter your password, and verify it.

As with all passwords, choose something which is memorable – you are going to have to enter it whenever you want to start up from a different disk, including in Recovery mode – but make it secure and effectively impossible to guess. Before clicking on the Set Password button, write that password down very carefully, and keep that written copy in a safe and secure place.

To change or remove your firmware password, start your Mac up in Recovery mode by holding Command-R, enter the firmware password when prompted, then use the Firmware Password Utility to do what you need.

If you forget your firmware password and cannot find the written copy, you will need to take your Mac to an Apple store or authorised service provider, together with proof of purchase/ownership. They have access to a tool which enables the password to be removed. This is necessary because your firmware password is stored in its own lockable flash memory, which only Apple can unlock; there is no user-accessible reset.

On its own, a firmware password will not prevent a thief, for example, from accessing sensitive data stored on your Mac. It only controls what the Mac will boot from: all they have to do is remove its startup drive and connect it to another computer, and they can have free access to all your files. To make this fully secure, you must also have your startup drive fully encrypted using FileVault.
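The steps above use the Recovery GUI, but since OS X 10.10 the same password can be set, checked and removed from an administrator's Terminal session with Apple's firmwarepasswd tool (sudo firmwarepasswd -setpasswd, -check and -delete), and fdesetup status reports whether FileVault is on. The script below is an added example, not code from the original article: it audits both settings together, as the two paragraphs above argue they should be judged. The parsing is done on the tools' output text so that the logic can be exercised on the constructed sample outputs at the end where the tools are not available; the state labels (protected, firmware-only, filevault-only, unprotected) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit whether a Mac has both
# a firmware password and FileVault turned on, using the output of Apple's
# firmwarepasswd(8) (OS X 10.10 and later) and fdesetup(8).

# Parse the output of `sudo firmwarepasswd -check`: prints on / off / unknown.
# Anything else (for example the error printed when not run as root) is unknown.
firmware_state() {
  case "$1" in
    *"Password Enabled: Yes"*) echo on ;;
    *"Password Enabled: No"*)  echo off ;;
    *)                         echo unknown ;;
  esac
}

# Parse the output of `fdesetup status`: prints on / off / unknown.
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# Combine the two as the article reasons: a firmware password alone stops
# booting from other media but not reading a removed drive; FileVault alone
# protects the data but leaves the boot path open. Only both together count
# as "protected". The labels below are this example's own.
assess() {
  fw=$(firmware_state "$1")
  fv=$(filevault_state "$2")
  if [ "$fw" = on ] && [ "$fv" = on ]; then
    echo protected
  elif [ "$fw" = on ]; then
    echo firmware-only      # drive contents readable if the drive is removed
  elif [ "$fv" = on ]; then
    echo filevault-only     # Mac can still be booted from other media
  else
    echo unprotected
  fi
}

if [ "$(uname -s)" = Darwin ] && command -v firmwarepasswd >/dev/null 2>&1; then
  # Live audit on a Mac; firmwarepasswd requires root, so run this with sudo.
  fw_out=$(firmwarepasswd -check 2>&1)
  fv_out=$(fdesetup status 2>&1)
  echo "firmwarepasswd: $fw_out"
  echo "fdesetup:       $fv_out"
  assess "$fw_out" "$fv_out"
else
  # Constructed sample outputs, in the wording the tools use, for running elsewhere.
  sample_fw_on="Password Enabled: Yes"
  sample_fw_off="Password Enabled: No"
  sample_fv_on="FileVault is On."
  sample_fv_off="FileVault is Off."
  assess "$sample_fw_on"  "$sample_fv_on"   # protected
  assess "$sample_fw_on"  "$sample_fv_off"  # firmware-only
  assess "$sample_fw_off" "$sample_fv_on"   # filevault-only
  assess "$sample_fw_off" "$sample_fv_off"  # unprotected
fi
```

Run it as root on the Mac to be audited; anything other than protected means one of the two halves described above is missing. Note that the firmware password is still only set, changed or removed with the password itself in hand, so this check does not replace the written copy the article tells you to keep.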

The disadvantages of using a firmware password result from the fact that, when enabled, you can only start your Mac up in three ways:

  • from its normal startup disk, logging in with one of the available user accounts and its password;
  • into Recovery mode, with Command-R held, after entering the firmware password;
  • from another startup disk chosen by holding the Option key, again after entering the firmware password.

If you want to run Apple Hardware Test or Apple Diagnostics, or start up in single-user mode, then you will have to start up in Recovery mode first and turn off the firmware password. Your Mac will not start up in Target Disk Mode either while a firmware password is set.

Used in combination, a firmware password and FileVault’s whole-disk encryption are robust protection for sensitive data on your Mac’s storage. They are most valuable for laptops which are vulnerable to theft and ‘loss’ by other means. If your Mac doesn’t leave the office or home, you may well decide that they are not worth the trouble.