2014-06-17

Despite Apple touting Macs as the most secure computers available, most of the major security options are disabled by default. FileVault 2, for example, is the best way to encrypt your documents and anything else on your hard drive, but you have to spend a few minutes setting it up.

The same goes for keeping your Mac safe from local hackers on public WiFi using a VPN or proxy—you have to subscribe to these services and manually set everything up, not just assume it’s ready for you.

If you’re getting more involved in OS X’s security, you may also be interested in the firmware password, a hardware-level security protocol that will stop people from resetting your password or even reinstalling OS X without first authenticating themselves.

In this tutorial, I’ll explain why the firmware password is a valuable security measure and how to configure it on your computer.

How the Firmware Password Works

Apple began implementing Open Firmware Password Protection in OS X 10.1 with the Open Firmware 4.1.7 update. It was available on select models in early development, but eventually made its way to all Macs.

The current lineup fully supports configuring a firmware password, but it is now known as an EFI (Extensible Firmware Interface) password because Macs are now Intel-based.

You can think of a firmware password as one more layer between you and a local hacker, meaning someone with hands-on access to the machine rather than remote access.

If you read my tutorial on resetting OS X user passwords, you’ll know that if FileVault 2 is enabled, your password can be reset in a matter of minutes and an intruder will gain access to all the information on your computer if he’s using an administrator account. If this individual has a lot of time with the machine, he may even be able to break through FileVault.

A firmware password prevents any of this by adding a hardware-level layer of security and restricting access to different boot options, whether it be single-user, off an external or optical disk, or Recovery Mode.

When combined with FileVault 2, the firmware password makes the Mac monumentally secure. For someone to steal your information, they’d have to remove the hard drive and decrypt it. This also means that losing this password can be disastrous.

Only Apple can reset firmware passwords on newer Macs, thanks to the number of components, like RAM and batteries, that are integrated into the logic board. So, before you proceed, make sure you write the password down on a physical notepad just in case.

Enabling the Firmware Password

Before you begin, remember that if your computer doesn’t have removable RAM, only Apple will be able to reset this password if you lose it. With this in mind, here’s how to get started.

Boot into Recovery Mode by restarting the Mac and holding Command-R for about five seconds before it turns back on.

When prompted, select the language and click the right arrow.

Click the Utilities menu at the top of the screen and select Firmware Password Utility.

Click Turn On Firmware Password to set up a firmware-level password on your computer.

Enter the password you wish to use in the New Password field and confirm it in the Verify field, then click Set Password to apply it to the firmware. Remember to use something different from any of your user passwords. I recommend generating a password of at least ten characters for better security.

The Firmware Password Utility will inform you that the password will be applied upon a restart. Click Quit Firmware Password Utility, select the Apple menu in the top left of the screen, and click Restart to finish the process.

Using the Firmware Password

Upon exiting Recovery Mode via a system restart, you won’t notice anything different. The Mac will boot up normally unless you hold a modifier key to boot using an alternate method.

Should you decide to boot back into Recovery or single-user mode, you will be shown a simple lock icon and asked for the machine’s firmware password, as shown in the screenshot above.

Enter the firmware password into the field, followed by pressing Enter or clicking the arrow icon to the right. The screen might appear to be frozen for a moment, but the computer will eventually make its way to the alternate boot mode provided you entered the correct password.

If you didn’t, the password field will become blank once again. You can enter the password as many times as you’d like, but there is no hint or way to reset it on this screen.
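Because a normal boot looks no different once the password is set, you can also confirm the state from Terminal. The script below is an added example, not part of the original tutorial: it assumes an OS X release that ships the `firmwarepasswd` and `fdesetup` command-line tools and that it is run as root, and it falls back to constructed sample output when those tools are absent.

```shell
#!/bin/sh
# Added example: report whether the firmware password and FileVault are both on.
# Assumption: `firmwarepasswd -check` and `fdesetup status` are available (run as root).

# Map the text printed by `firmwarepasswd -check` to on / off / unknown.
firmware_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo on ;;
        *"Password Enabled: No"*)  echo off ;;
        *)                         echo unknown ;;
    esac
}

# Map the text printed by `fdesetup status` to on / off / unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Combine the two states into one line an admin can act on.
verdict() {
    case "$1/$2" in
        on/on)   echo "PASS: firmware password and FileVault are both enabled" ;;
        off/on)  echo "WARN: firmware password is off; single-user, external-disk and Recovery boots are unrestricted" ;;
        on/off)  echo "WARN: FileVault is off; a removed drive can be read without decryption" ;;
        off/off) echo "FAIL: neither the firmware password nor FileVault is enabled" ;;
        *)       echo "UNKNOWN: could not read state (run as root on a Mac)" ;;
    esac
}

audit() {
    if command -v firmwarepasswd >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
        fw_out=$(firmwarepasswd -check 2>&1) || true
        fv_out=$(fdesetup status 2>&1) || true
    else
        # Constructed sample output so the script still runs off a Mac.
        fw_out="Password Enabled: No"
        fv_out="FileVault is On."
    fi
    verdict "$(firmware_state "$fw_out")" "$(filevault_state "$fv_out")"
}

audit
```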

Changing or Disabling the Firmware Password

If you’re selling the Mac or giving it to a friend, you may need to change or disable your firmware password. The process is nearly the same as setting it up.

Once again, boot into Recovery Mode by restarting the computer and holding Command-R for about five seconds before it turns back on. You’ll be asked to enter the firmware password. Do so and press enter or click the arrow to the right of the password field.

When prompted, select the language and click the right arrow.

Click the Utilities menu at the top of the screen and select Firmware Password Utility.

To change the firmware password, click the Change Password button, enter the current password in the Old Password field, and the desired one in the New Password and Verify fields. Click Change Password when finished.

To disable the firmware password, click the Turn Off Firmware Password button. Enter the current firmware password and confirm that you would like to disable firmware-level security by clicking the Turn Off Password button.

Finally, select the Apple menu in the top left of the screen and click Restart. Both changes will be applied once the Mac has been restarted.

A More Secure Future

You should now know how to set a firmware password on your Mac and protect yourself from basic password resets and even advanced command-based hacking methods.

Additionally, you know how to change and disable the password if you ever need to. If you haven’t already, consider enabling FileVault 2 and even configuring a VPN for the coffee shop days so people can’t touch your sensitive information.
