MacBook password resettable

Hi All, I thought this would be a good place for some advice on this topic, as there are a lot of folks here that know tons about security and also about the Mac. I recently read that the MacBook password can be reset with the original disk that came with the Mac. Hence if I lost my computer or it were stolen, someone could easily reset the password and have access to all of my files... luckily my passwords and other vital info are encrypted in 1P, so that is not a concern. Anyhow, I learned that with that same disk you can change a firmware setting that will prevent resetting of the password. Do you advise that I make that change? Have most of you?

Thanks!

Comments

  • jpgoldberg
    1Password Alumni
    Hi EJ. Welcome to the forums!

    EJ Griffin wrote:
    I recently read that the macbook password can be reset with the original disk that came with the mac.

    This is true.

    Hence if I lost my computer or it were stolen, someone could easily reset the password and have access to all of my files...luckily my passwords and other vital info. are encrypted in 1P, so that is not a concern.

    Again, this is correct. As I frequently say (some would observe that I'm overly fond of saying this) we designed the 1Password data format with the knowledge that some people would have their computers stolen. Thus, we built in security to make it resistant to very sophisticated attacks.

    I can (and have) gone on at great length about this. But let me get back to your question.

    Anyhow, I learned that with that same disk you can change a firmware setting that will prevent resetting of the password. Do you advise that I make that change? Have most of you?

    Setting the firmware password is possible and is done for exactly this reason. It makes it more difficult for someone to boot your system from a CD or DVD or external drive.

    But, and this is an important point, if someone has physical access to a machine and is sufficiently determined, they can also get around the firmware password. Clearing the firmware password is possible by doing some hardware manipulation on the machine.

    In the most extreme case (and nobody would really need to go to such an extreme) someone could rip out your hard disk and put it in their own machine.

    So the only complete way to protect the secrecy of data on your disk, should the machine be stolen, is encryption. You already use 1Password for your Internet logins and credit cards and such. You may also wish to look at Knox for Mac, another one of our products that makes it easy to manage encrypted disk volumes. That is what I do for secret data that isn't really suitable for 1Password.

    Personally, I do use a firmware password on my laptop. The intent isn't so much to keep my data protected, but to prolong the time before a thief will replace the operating system. I have installed Undercover, a system that "phones home" once I report the Mac stolen. So the firmware password is to delay the thieves from wiping the machine.

    I'm sorry for the long winded answer. In security matters, things are rarely simple. We do our best to make great security easy and convenient for everyone, but once you scratch the surface, the answers get complicated.

    I hope that this helps.

    Cheers,

    -j
  • EJ Griffin
    edited May 2011
    Thanks for the info.
  • khad
    1Password Alumni
    On behalf of Jeff, you are quite welcome! :-)

    If we can be of further assistance, please let us know.

    We are always here to help!
  • Penelope Pitstop
    Community Member
    A typically excellent response, Jeff.

    At the risk of going a little off topic.

    On the subject of disk encryption, I've avoided FileVault up until now due to the Time Machine compatibility issues and reliability scare stories I've read.

    I understand that Lion is improving FileVault to use whole disk encryption and eliminates this problem whilst making Time Machine backups encrypted too. Does this new version of FileVault have any implications for 1PW or DropBox sync?
  • EJ Griffin
    khad wrote:

    On behalf of Jeff, you are quite welcome! :-)

    If we can be of further assistance, please let us know.

    We are always here to help!

    By the way, I'm loving 1P. Just found the keyboard shortcut for 'go and fill logins'... excellent, and also discovered how to deal with a website that requires a Captcha entry.
  • jpgoldberg
    1Password Alumni
    Penelope Pitstop wrote:

    I understand that Lion is improving FileVault to use whole disk encryption and eliminates this problem whilst making Time Machine backups encrypted too. Does this new version of FileVault have any implications for 1PW or DropBox sync?

    Good question. It shouldn't be an issue, but we haven't tested yet. Lion efforts at the moment are going into our new Safari extension. So tentatively I am ready to say that there shouldn't be a problem using FileVault, Dropbox and 1Password in Lion. But everything is still pre-release, so things are subject to change.

    Cheers,

    -j
  • jpgoldberg
    1Password Alumni
    EJ Griffin wrote:

    By the way, I'm loving 1P. Just found the keyboard shortcut for 'go and fill logins'... excellent, and also discovered how to deal with a website that requires a Captcha entry.

    Thank you so much EJ. We really do aim to make security the easy thing to do. I'm really glad to hear that 1Password has not only made things more secure for you but also so much easier as well.

    Cheers,

    -j
  • tatchley
    Community Member
    jpgoldberg wrote:

    Personally, I do use a firmware password on my laptop. The intent isn't so much to keep my data protected, but to prolong the time before a thief will replace the operating system.


    Hello,

    Sorry for resurrecting a dead topic, but I have a question about your password for this. Did you create a random password and keep it in 1Password, or did you invent a secure password and remember it? I am considering which of these methods would be best when creating a firmware password. I know the randomized one would obviously be better and would be accessible through 1PasswordAnywhere, but remembering a less-secure password would ensure that your data could not be lost in the case that your 1Password data was inaccessible, and would at least provide some barrier against the thief. While, as you said in a blog post, the average thief would likely not spend all his time and resources cracking one single laptop, I would still like to know how you proceeded since, after all, you are the expert here.

    -Thomas
  • jpgoldberg
    1Password Alumni
    I used the 1Password Strong Password generator to create a "pronounceable" password, and stored that within 1Password. I picked this format, because on the rare occasions when I need to enter a firmware password, filling or copying and pasting are not options. I find that pronounceable passwords are much easier for me to read off of my phone (or other machine) and type in.

    I've also switched from using firmware passwords to FileVault full disk encryption. I see this as a much more robust way of protecting a machine when the attacker has physical access to it.

    (I recently was traveling with my family and my daughter wanted a laptop. So I dug out a 1st generation MacBook Air, but discovered that while I had done a series of OS updates on it a few months back, I had neglected to put the password for an admin account into 1Password. However, I hadn't set either FileVault or firmware password on it, so I was able to go in and reset the password on the admin account in a matter of minutes.)

    Cheers,

    -j
  • tatchley
    Community Member
    Ah, I see. I'm guessing you use the same method for your FileVault encryption? Does FileVault require a password every time you boot up, log into an account, or both? If it's every time you boot up, wouldn't that defeat the purpose of Undercover since the thief can't get into the computer in the first place? Also, do you use the 1Password pronounceable-password generator for Undercover as well? What about your Dropbox account? Sorry for the barrage of questions. I am most likely going to purchase Undercover, but shied away from FileVault so the thief could gain access to the computer.
  • jpgoldberg
    1Password Alumni
    With FileVault 2 the key needed to decrypt the disk is tied to the login passwords of particular users. So once an "eligible" user logs into the system the disk can be decrypted.

    This has the unfortunate effect of making people have to choose between FileVault and Orbicule's Undercover. You can set your system so that no one can get close to the OS without having to know a user's password, but that will force a thief to entirely wipe (or replace) the disk.

    Now that Undercover version 5 has just been released, I am personally struggling with that choice. So Undercover will help me recover a stolen Mac while FileVault 2 will ensure that if the Mac is stolen the data on it will be completely unavailable to a thief.

    (Note that my enthusiasm for Undercover is my own personal recommendation. Although lots of us here like it, it isn't something that we officially endorse.)

    Cheers,

    -j
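A small audit script, added here as an example (it is not from the thread and not 1Password's or Orbicule's code), that checks the two controls Jeff compares: FileVault 2, whose disk key is unlocked by eligible users' login passwords, and the firmware password. It assumes the output formats of macOS's `fdesetup status`, `fdesetup list` and `firmwarepasswd -check` (the last exists on OS X 10.10 and later) and runs offline against constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two controls Jeff compares,
# FileVault 2 (disk key tied to eligible users' login passwords) and a
# firmware password. The parsers take command output as text so they run
# offline on constructed samples; on a real Mac feed them the live output:
#   fv_state "$(fdesetup status)"
#   fv_users "$(sudo fdesetup list)"
#   fw_state "$(sudo firmwarepasswd -check)"
# Output formats are assumed from macOS 10.10 and later; adjust if they differ.

# Constructed sample output standing in for the real commands.
SAMPLE_FV_STATUS='FileVault is On.'
SAMPLE_FV_LIST='alice,B1D8A9C0-0000-4000-8000-000000000001
bob,B1D8A9C0-0000-4000-8000-000000000002'
SAMPLE_FW_CHECK='Password Enabled: No'

# fv_state: "on" or "off" from the output of `fdesetup status`.
fv_state() {
    case "$1" in
        *"FileVault is On"*) echo on ;;
        *) echo off ;;
    esac
}

# fv_users: number of accounts whose login password unlocks the disk
# (`fdesetup list` prints one "user,UUID" line per eligible user).
fv_users() {
    printf '%s\n' "$1" | grep -c ',' || :
}

# fw_state: "on" or "off" from the output of `firmwarepasswd -check`.
fw_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *) echo off ;;
    esac
}

# audit: print one summary line and return 0 only when the disk is
# encrypted. A firmware password alone still leaves the files readable
# to someone who pulls the drive, which is the point Jeff makes above.
audit() {
    fv=$(fv_state "$1"); n=$(fv_users "$2"); fw=$(fw_state "$3")
    echo "FileVault: $fv ($n eligible users), firmware password: $fw"
    [ "$fv" = on ]
}

audit "$SAMPLE_FV_STATUS" "$SAMPLE_FV_LIST" "$SAMPLE_FW_CHECK"
```

The exit status of `audit` is what to act on: a firmware password without FileVault reports "on" for the firmware side but still returns non-zero, because it delays a thief rather than protecting the data.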