Once you've guessed, cracked or somehow reset your BIOS password, it's time to think about handling things differently in the future. For starters, consider adding your own BIOS passwords yourself. I've always recommended at least protecting the BIOS configuration with a password. Sure, if it's easy to guess or accessible via a backdoor default, that can defeat the purpose. But, if anything, it can keep your non-technical users from going in and making configuration changes to their systems, locking you out and preventing administrative headaches down the road.
You could also consider adding power-on passwords to critical systems such as servers and laptops. It could be argued that every system is critical if it provides network access or contains sensitive information. (I haven't come across a computer that doesn't meet at least one of these criteria.) This could certainly add some administrative overhead, especially for remote users and servers stored in unmanaged offices or data centers that have to be rebooted occasionally. As I've shown here, adding BIOS passwords is not a foolproof measure, and they may just cause more trouble than they're worth, so proceed with caution. BIOS passwords do offer another layer of security that can buy you time or force an amateur hacker to give up. Bottom line, determine what's really at risk, how BIOS passwords would fit into your organization's culture and politics, and refer back to some alternate recommendations listed at the end of my laptop hacking guide.
BIOS password hacking
Step 1: Guess BIOS passwords yourself
Step 2: Fiddle with the hardware
Step 3: Crack them with software
Step 4: Managing the BIOS password
|ABOUT THE AUTHOR:|
| Kevin Beaver, CISSP, is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at firstname.lastname@example.org.
Copyright 2006 TechTarget