6 Things to Know about Open Firmware Password Protection
Macs are very safe computers, but they’re not immune to attacks — or to theft. Luckily, your Mac has some hidden features that can be enabled for extra security. One of these is Open Firmware Password Protection. Here’s what you need to know about it.
What it is
Open Firmware Password Protection is a security feature that protects your Mac at the hardware level. It prevents someone else from booting up your computer using anything other than your designated startup disk: for example, a USB boot disk, an external hard drive, or a boot CD / DVD.
Why you should use it
Your main user account should already be protected with a password. But anyone with physical access to your Mac can still boot the machine using another startup disk, or put the computer into Recovery mode. This presents a security risk, as bad actors may be able to access unencrypted hard disk data, disable Find My, or install a new operating system on a stolen computer. Open Firmware Password Protection stops hackers from using Recovery mode as an easy backdoor to your machine and acts as a deterrent to thieves.
How to enable Open Firmware Password Protection
You’ll need a Mac running on macOS 10.8 or later in order to use Open Firmware Password Protection. To turn it on, follow these steps:
- Start your Mac in Recovery mode by turning the computer on and immediately holding Command (⌘)-R until you see a spinning globe or the Apple logo, at which point you can release the keys.
- The utilities window should appear. In the menu bar, click on Utilities and choose Startup Security Utility or Firmware Password Utility. Then click Turn On Firmware Password.
- Enter your new firmware password in the field provided and click Set Password. Warning: It is very important that you remember this password! Losing it will mean a trip to the Apple Store (see below).
- Close the utility, then click Restart in the Apple menu.
- Your Mac now has firmware password protection. But you won’t notice it until you attempt to boot from another startup disk or enter Recovery, at which point you’ll be prompted to enter your firmware password with a lock icon and a password field.
Warnings and potential issues
Open Firmware Password Protection has one major drawback: If you forget the password, you’ll have to take your Mac to an Apple Store or an Apple Authorized Service Provider to reset it. So to reiterate: Don’t lose that password! If you think you may forget it, write it down and keep it somewhere secure, like a home safe or bank safe deposit box.
In addition, firmware passwords may be inconvenient for users who frequently need to boot from other disks, either because they’re running more than one operating system on their machine or because they’re often performing administrative tasks related to disk partitioning and system recovery. However, such users are likely to know who they are already — and will be able to determine if the extra protection afforded by a firmware password justifies the hassle.
Tips for use
Open Firmware Password Protection works best in tandem with the other built-in security features offered by your Mac. Keep in mind that while a firmware password will prevent unauthorized boots, it still won’t protect you if someone is able to just log in to your user account without a password — and it won’t prevent a thief from removing an unencrypted hard drive and accessing its contents. So make sure that the user account associated with your startup disk is password protected, and encrypt the contents of your hard drive using FileVault. In addition to this, consider taking some extra precautions to make your Mac as safe as possible.
How to turn it off
You may need to disable Open Firmware Password Protection if, for example, you want to sell or give away your Mac. To do this, enter macOS Recovery as described above. This time, instead of immediately seeing the utilities window, you will be prompted to enter your firmware password. Enter it, then go to Utilities > Firmware Password Utility / Startup Security Utility > Turn Off Firmware Password. You’ll then have to enter the firmware password one last time. Restart your Mac and the change will take effect: Firmware password protection will be disabled.
You now know how to set a firmware password for your Mac. Together with a strong user account password and FileVault, this should make your computer safer than ever before.