Macs have fairly good built-in security systems. They tend to have fewer issues with malware and viruses than some of the other popular computing platforms. But that doesn't mean they're totally secure.
This is especially true if someone has physical access to your Mac, which can happen when a Mac is stolen or is used in an environment that allows easy access. In fact, bypassing the basic security provided by OS X's user account system is a cakewalk. It doesn't require any special skills, just a bit of time and physical access.
You've probably already taken basic precautions, such as making sure that your Mac's user accounts all have passwords that are a bit harder to guess than "password" or "12345678." (Birthdays and your pet's name aren't good choices, either.)
You may also be using a full disk encryption system, such as FileVault 2, to protect your data. Your Mac can still be accessed, although your user data is probably pretty secure with the encryption option.
But there's nothing wrong with adding another layer of security to your Mac: a firmware password. This simple measure can prevent someone from using one of the many keyboard shortcuts that alter the boot sequence and can force your Mac to boot from another drive, thus making access to your Mac's data easier. Using keyboard shortcuts, an unauthorized user can also boot into single user mode and create a new administrator account, or even reset your administrator password. All of these techniques can leave your important personal data ripe for access.
But none of the special keyboard shortcuts will work if the boot process requires a password. If a user doesn't know that password, keyboard shortcuts are useless.
Using the Firmware Password to Control Boot Access in OS X
The Mac has long supported firmware passwords, which must be entered when the Mac is powered on. It's called a firmware password because it's stored in non-volatile memory on a Mac's motherboard. During startup, the EFI firmware checks to see if any alterations to the normal boot sequence are being requested, such as starting in single user mode or from a different drive. If so, the firmware password is requested and checked against the stored version. If it's a match, the boot process continues; if not, the boot process stops and waits for the correct password. Because all of this occurs before OS X is fully loaded, the normal startup options aren't available, so access to the Mac isn't available, either.
In the past, firmware passwords were pretty easy to get around. Remove some RAM, and the password was automatically cleared; not a very effective system. In 2010 and later Macs, the EFI firmware no longer resets the firmware password when physical changes are made to the system. This makes the firmware password a much better security measure for many Mac users.
Firmware Password Warnings
Before you enable the firmware password feature, a few words of caution. Forgetting the firmware password can lead to a world of hurt because there's no simple way to reset it.
Enabling the firmware password can also make using your Mac more difficult. You'll be required to enter the password any time you power on your Mac using keyboard shortcuts (for example, to boot into single user mode) or try to boot from a drive other than your default startup drive.
The firmware password won't stop you (or anyone else) from booting directly to your normal startup drive. (If your Mac requires a user password to log in, that password will still be required.) The firmware password only comes into play if someone tries to avoid the normal boot process.
The firmware password may be a good choice for portable Macs that can be easily lost or stolen, but it's generally not as important for desktop Macs that never leave home, or are located in a small office where all the users are well known. Of course, you need to use your own criteria to decide whether you wish to turn on the firmware password.
Enabling Your Mac's Firmware Password
Apple provides a utility for enabling the firmware password option. The utility isn't part of OS X; it's either on your install DVD (OS X Snow Leopard and earlier) or on the Recovery HD partition (OS X Lion and later). To access the firmware password utility, you'll need to reboot your Mac from the install DVD or the Recovery HD partition.
Boot Using an Install DVD
- If you're running OS X 10.6 (Snow Leopard) or earlier, insert the install DVD and then restart your Mac while holding down the c key.
- The OS X installer will start up. Don't worry; we won't be installing anything, just using one of the installer's utilities.
- Select your language, and then click Continue or the arrow.
- Go to the Setting the Firmware Password section, below.
Boot Using the Recovery HD
- If you're using OS X 10.7 (Lion) or later, you can boot from the Recovery HD partition.
- Restart your Mac while holding down the command + r keys. Keep holding the two keys until the Recovery HD desktop appears.
- Go to the Setting the Firmware Password section, below.
Setting the Firmware Password
- From the Utilities menu, select Firmware Password Utility.
- The Firmware Password Utility window will open, informing you that turning on the firmware password will prevent your Mac from starting up from a different drive, CD, or DVD without a password.
- Click Turn On Firmware Password.
- A drop-down sheet will ask you to supply a password, as well as to verify the password by entering it a second time. Enter your password. Keep in mind that there is no method for recovering a lost firmware password, so be sure it's something you'll remember. For a stronger password, we recommend including both letters and numbers.
- Click Set Password.
- The Firmware Password Utility window will change to say that password protection is enabled. Click Quit Firmware Password Utility.
- Quit Mac OS X Utilities.
- Restart your Mac.
You can now use your Mac as you normally would. You won't notice any difference in using your Mac unless you try to start your Mac using a keyboard shortcut.
To test the firmware password, hold down the option key during startup. You should be asked to supply the firmware password.
Disabling the Firmware Password
To turn the firmware password option off, follow the instructions above, but this time, click Turn Off Firmware Password. You'll be asked to supply the firmware password. Once it's verified, the firmware password will be disabled.