How to Set a Firmware Password on a Mac with OS X Mavericks
Mac users in higher security risk situations may wish to enable an optional firmware password on their machines, which offers an advanced level of protection. In short, a firmware password is a lower-level layer of security that is set in the firmware of the Mac's logic board, rather than at the software layer like FileVault encryption or the standard login password. With an EFI password set, a Mac cannot be booted from an external boot volume, into single user mode, or into target disk mode, and resetting the PRAM or booting into Safe Mode is also blocked, unless the firmware password is entered first. This effectively prevents a wide variety of methods that could potentially be used to compromise a Mac, and offers exceptional security for users who require such protection.
Important: Like any other essential password, use something memorable but complex, and do not forget a firmware password after it has been set. A lost firmware password is unrecoverable on most modern Macs without a visit to an Apple Store or sending the Mac in to Apple Support for service and recovery. Older Mac models may be able to use a hardware intervention method to bypass firmware passwords, but these methods are not possible on new Macs without access to removable batteries or memory modules, thus the visit to Apple.
Setting a Firmware Password on a Mac
Setting a firmware password is rather simple, though it’s handled slightly differently in OS X Mavericks than it was in earlier versions of Mac OS X.
- Reboot the Mac, and hold down Command+R to boot directly into Recovery Mode
- At the OS X Utilities splash screen, pull down the “Utilities” menu bar and choose “Firmware Password Utility”
- Choose “Turn On Firmware Password”
- Enter the password twice to confirm, then choose “Set Password” to assign that password to the Mac – do not forget this password or you may lose access to the Mac
- Choose “Quit Firmware Password Utility” to set the EFI password
With the firmware password set, you can reboot the Mac as usual. For any standard boot or restart, the Mac will boot into OS X as usual, and go directly to the normal OS X login screen.
When / Where the Firmware Password is Visible
The firmware password will not appear during a regular restart or boot of the Mac; it only becomes mandatory when an attempt is made to boot the Mac by an alternate method. This includes booting from an OS X installer drive or an external boot volume, booting into Recovery Mode, Single User Mode, Verbose Mode, or Target Disk Mode, resetting the PRAM, or any other alternative booting approach, each of which will summon the rather plain-looking firmware password window. There are no password hints or additional details provided, only a simple lock logo and a text entry screen.
An incorrectly entered firmware password does nothing and offers no indication of login failure except that the Mac won’t boot as anticipated.
Note that all modern Intel-based Macs refer to firmware passwords as EFI (Extensible Firmware Interface) passwords, while older Macs referred to them as Open Firmware. The general concept remains the same, just different hardware.
Should You Use a Firmware Password on Your Mac?
Most Mac users will find a firmware password an unnecessarily heightened security precaution, and using this feature is best limited to Mac users in higher risk environments where having maximum security is a requirement. For the average Mac user, a standard boot login authentication and screen saver password is usually sufficient protection, while enabling FileVault disk encryption can offer additional security benefits to users who want their files and data protected from unauthorized access. FileVault can also be used as a means of preventing manual resetting of account passwords on Macs within higher security risk environments, but as several readers pointed out in the comments, the firmware protection should also be used in high security situations.