Mac Firmware passwords

For many years now Macs have offered what Apple calls a Firmware Password. This special kind of password needs to be entered before you boot the machine, offering an extra layer of security. This password prevents a hacker from simply booting your Mac using an external drive or optical disc to gain access to the files on your internal drive.

Occasionally a client had a Mac with an unknown firmware password, and couldn’t boot it. (This might happen if the password was set by an employee who no longer worked there.)

Fortunately, this was easy. It wasn’t well known, but simply changing the amount of RAM would remove the firmware password. So I’d open the Mac, remove a memory card, and reboot. The firmware password would then be removed. Then I simply replaced the memory and my client would once again be able to use his or her Mac.

Starting last year Apple switched to a much more secure system for firmware passwords. The new system provides no method for independent techs like myself to remove it. These days, if you need a firmware password removed, you must take it to an Apple store or authorized service facility. Resetting it requires retrieving a special code from your Mac, feeding that code into a special app that app generates an unlock code. The code is unique to each Mac, and Apple has kept a very tight grip on the app that generates the unlock code.

I don’t generally recommend using a Firmware password. If you need your data to be secure, your best bet is to turn on FileVault, the Mac’s built-in encryption feature.

For more details about how the new firmware password system works, I recommend Topher Kessler’s CNET article on the subject.