October 6, 2010 / oboewan42

How To Password-Lock Your Mac’s Firmware

So here’s something that you should do right now. Frankly, I’m surprised Apple doesn’t make this mandatory, given their bragging about security, seeing as if you don’t do this, you’re leaving the biggest security hole on your computer open. Namely, the hole in your window left by the thieves who just broke into your apartment and walked away with your precious Mac.

Setting a firmware password basically stops your computer from booting into anything except what it normally boots into (normally that’s OSX; if you’ve set up a Linux dual-boot with rEFIt, it’s the rEFIt bootloader, and if you’ve changed your startup disk in System Preferences, it’s whatever startup disk you set. If you had no idea what I said there, assume it’s OSX).

Specifically, it stops you from issuing any of the following commands at boot-time without entering your password first:

  • Boot from CD (press C while booting)
  • Boot from Apple Hardware Test (Intel Macs only; press D while booting; on some Macs you may have to have your OSX install disc inserted)
  • Boot from NetBoot server (hold N while booting)
  • Boot into Target Disk Mode (hold T while booting)
  • Boot in Verbose Mode (press Command+V while booting)
  • Boot into Single User Mode (press Command+S while booting)
  • Reset PRAM/NVRAM (press Command+Option+P+R while booting)
  • Enter commands while booted into Open Firmware (PPC Macs only; press Command+Option+O+F while booting)
  • Boot into Safe Mode (press Shift while booting)
  • Use the Startup Manager bootloader (i.e. to boot Windows; press Option while booting)

And, before we begin, you need to know what models support firmware password protection:

  • iMac: all models except the tray-loading G3 (the slot-loading G3 works)
  • iBook: all models
  • eMac: all models
  • PowerBook: all G4 models and the G3 FireWire model
  • Power Mac G4 (all models including the Cube, except the original 400MHz model with no AGP slots) and G5
  • Any and all Intel Macs (please note that if you have a MacBook Air, you will need a DVD drive from which to boot)

All you need to do to set your password is run the Firmware Password utility:

  • If you are running a version of OSX prior to Tiger, you will need to download the relevant utility from the Apple website.
  • If you are running Tiger, the Firmware Password utility can be found on your Tiger install disc under /Applications/Utilities. Copy it to the same folder on your computer, then run it.
  • If you are running Leopard or Snow Leopard, you’ll need to boot to your OSX install disc, then choose Firmware Password Utility from the Utilities menu.

From there, click the check box and make a password.

Note that (though they don’t give specifics) Apple states on their site that anyone with administrator access on OSX, any access to an OS9 install that may be on the Mac, or physical access to the inside of the computer can theoretically change or disable the firmware password. But it should still (combined with a strong OSX login password and FOR THE LOVE OF GOD DISABLING AUTOLOGIN) deter potential thieves, whether they’re interested in the data or in wiping the hard drive and using or pawning the hardware.

Meanwhile there are systems like Prey, a very excellent (and free!) laptop (and Android phone) theft protection system. There’s also FileVault, which encrypts your home folder so it cannot be accessed by other users, other OSs, or Target Disk Mode, and which I have not turned on because I have heard that it does weird things with Time Machine, and quite frankly my data is more valuable to me than it could potentially be to a potential thief.

Speaking of which, security tip: Whenever you’re doing anything money-related on the Internet (paying bills, using credit cards, doing banking-related stuff), turn on your browser’s privacy mode (InPrivate, Incognito, Private Browsing, whatever your browser calls it). If your browser *coughIE6* is outdated enough that it doesn’t have a privacy mode, you fail at life and you have much worse security problems to worry about, like the fact that you should install some security patches once in a while, or maybe switch to Firefox or Chrome. In fact, I’ve heard that there are some financial institutions that are accidentally recommending that their users do all their online banking while booted to Linux liveCDs so as to be 100% sure that there are no pesky keyloggers trying to steal your identity, which is a great idea, if a little overkill.
