How to set your Mac's firmware password (and why you shouldn't)

Want to keep your roommate from posting your nude selfies on Facebook? Concerned that your Mac might fall into the wrong hands? You've already got a secure password on your Mac, maybe even file encryption. What happens if someone boots off an external hard drive?

Setting a firmware password is the solution. It comes with a few consequences and drawbacks, however. Follow along to read about the risks associated with firmware passwords as well as a guide on how to set one for those that think it's still worth it.

Setting a firmware password keeps your Mac from working with another bootable volume without inputting a password. Unlike other Mac passwords that can be reset or deleted, the firmware password remains in an area of persistent memory on the Mac's motherboard.

Here are the step by step instructions for how to do it. Read on for an important note on why it may not be a good idea, however.

To set your firmware password:

  1. Make sure your Mac is powered off then turn it on.
  2. Activate Recovery Mode by immediately holding down the Command and R keys.
  3. Wait until the OS X Utilities screen appears.
  4. Click on the Utilities menu from the menu bar.
  5. Select Firmware Password Utility.
  6. Click on the Turn On Firmware Password...
  7. Enter a new password, verify it and click the Set Password button.
  8. Click on Quit Firmware Password Utility
  9. Click on the the menu.
  10. Select Restart.

OS X Utilities Utility menu

Turn firmware password on

Quit firmware password utility

Set firmware password

Under ordinary circumstances, you won't see the firmware password field appear. The firmware password field is only visible if your Mac is booted by some alternative means, like from an external hard drive, a CD or a DVD, or if you boot the Mac in Recovery Mode or Single User Mode.

Years ago firmware passwords could be easily subverted by simply removing memory (forcing the computer's Extensible Firmware Interface, or EFI, to reset itself). Most new Mac laptops have RAM soldered to the motherboard - but even for those that have removable RAM, that loophole is closed. Apple fixed it starting with 2010 Mac models.

These days your Mac's firmware password isn't easily reset. If you forget it, you're in for a long haul. In fact, Apple only recognizes one official way to reset a firmware password: Bring your Mac in to an authorized Apple Service Provider or an Apple retail store and have them do it there.

So think twice before you use this. But if you do, rest assured that you've employed some of the safest protection you can on your Mac.

Peter Cohen
  • I love the fact that my 2012 MBA is fully protected this way, since the Air won't boot to an external device and my data on the SSD is encrypted with FileVault. If it ever gets stolen, only Apple can undo it, and that's the second place I'd go to inform them it's stolen.
  • I have a friend who bought a MacBook pro from craigslist. It was stolen from a school, and it has a firmware password. It can't do squat. To her defense, she didn't know it was stolen! Kinda sucks for her... Nexus 5... enough said
  • If FileVault is enabled, booting from an external drive won't allow access to one's data, since the whole drive is encrypted. Adding a firmware password in addition to Turning on FileVault sounds like a waste of time to me and could lead to unnecessary complications as pointed out in this piece. Also, I don't trust any type of password protection that can be reset by Apple or an authorized repair facility--if they can do it, anyone else can, given enough determination....
  • Valid point
  • ++ As for the ease of breaking the password, all one needs is a credit card.
  • That price seems like too good to be true for something that will basically knockout that security.
    But am now intrigued, to say the least.
  • Saw this post and I own a mac repair facility and there are quite a few issues presented here and misinformation . 1.) The firmware password is a great tool if apple actually told people buying them to establish one to prevent "anyone " from being able to reboot there Mac hold the option key to access the recovery console wherein they can pull up the firmware utility and create a firmware password . You have a desktop password ?, you would think the firmware utility wouldn't let you add a firmware password without knowing it right ?, wrong it doesn't ask period . So even if you have a desktop password your not safe from this . Apple ignorantly assumes the only firmware passwords being dealt with our established by icloud locks which lock and encrypt the hd with a four digit code and set a firmware password on the logic . So 99.5 perfect of mac users don't have a firmware password and could have there Mac messed with by anyone who chooses too and Apple knows this ?, how do I know this ?. Go into any apple store and reboot a demo mac and hold option key . You won't get a padlock because they have a firmware password . Nope they run all there macs off a disk image and use proprietary software to prevent this issue from happening to them . And they profit from it . The apple store won't just remove a firmware password they require the original sales reciept even for a 2011 mac that May have been sold a couple times since new . What they will allow is you to buy a new logic board for 4-1100 dollars then take your old board unlock it using the hash and resell it to someone else . It's a security feature if they actually you know mentioned doing so when setting up the mac instead of only offering setup of user password during registration leaving a huge gap wherein anyone with physical access can lock you out of your password protected( you would assume) Mac . I love macs and service them daily but am disgusted they both don't educate people on firmware passwords but dam sure protect there own systems from the threat and profit from it happening to users of there products
  • I think the only answer to "Why you shouldn't", should be why is Apple still able to recover user data and hard drives when it's brought to the Apple store? This is a huge privacy concern tho. Appleshould not be able to restore anything, as authorities, or anybody else impersonating yourself could bring it to the Apple store and supposedly gain access to your personal information. If a user cares enough about their privacy to change their firmware password, Apple should care enough to make that data unrecoverable even with their resources.