Did something stupid... I used sudo firmwarepasswd -setpasswd to change the firmware password. I got the following feedback, so I thought the password change was successful:
Enter new password:
Re-enter new password:
Setting Firmware Password
NOTE: Must restart before changes will take effect
But when I type in the new Firmware password at the recovery screen (Command+R), I am padlock locked and can't get in.
I tried the command again to see if I can change it back, but I get an error:
ERROR | setPasswdFromCommandLine | Unable to verify password
ERROR | main | Exiting with error: 4
This really is my MacBook, it's not stolen. Anyone know how I can reset the firmware password?
@KSchroeder Only if one is set by you. Meaning, if no password is set for Firmware, a user with admin privs can do a Google search and find out how to use the firmwarepasswd binary to set one in Terminal, or, even if not an admin, if they are able to Command+R boot into Recovery HD, they can set a password there since it boots into a root account.
So the only effective way to stop someone from setting one is to set one ahead of time. It's unfortunate that it works this way, but Apple has been unreceptive to any modifications in this area. We've submitted several requests to them to allow us to lock out some aspects of firmware booting, but allow others without needing the password. Those requests have had no progress at all.
OK, and by doing so that would require the password on every boot, correct? And then since they know the password, they can change it using setfirmwarepassword binary as you mentioned. Ugh.
Consumerization of IT 👎
@KSchroeder No. The only time it would need to be entered on every boot is if it was set to mode "full", which means on every startup. If set to "command", it will only be needed when alternate booting, i.e. booting with the Option key down, or into Recovery (Command + R), Single User mode (Command + S), etc. (See the firmwarepasswd help page for more info - firmwarepasswd -h) Regular bootups won't require the password and users don't need to know it. For obvious reasons, you won't want to set it to full. Use command only.
My only regret is users not being able to boot to Recovery HD to do some basic self-triage repairs. We have many tech-savvy users who I would trust to do this, but it would require them knowing the FW password and, as you said, once they know it, they can change it, and subsequently forget it. I've had some users forget their own login password if they haven't logged in in a couple of weeks. I can only imagine how easily they would forget a firmware password only used once every so many months.
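Added example, not part of any post in this thread: a shell helper an admin could run across a fleet to flag Macs with no firmware password set, or with one set to "full" instead of "command", following the advice above to set one ahead of time. The function names are hypothetical, and the "Password Enabled:" and "Mode:" output formats of firmwarepasswd -check and firmwarepasswd -mode are assumptions.

```shell
#!/bin/sh
# Added example: classify a Mac's firmware password state.
# Assumption: `firmwarepasswd -check` prints "Password Enabled: Yes|No"
# and `firmwarepasswd -mode` prints "Mode: command|full".

# classify_fw CHECK_OUTPUT MODE_OUTPUT
# Prints one of: unset | command | full | unknown
classify_fw() {
    check_out=$1
    mode_out=$2
    case $check_out in
        *"Password Enabled: No"*)  echo unset; return 0 ;;
        *"Password Enabled: Yes"*) ;;                      # fall through to mode
        *)                         echo unknown; return 0 ;;
    esac
    # Extract the value after "Mode:" and normalise case.
    mode=$(printf '%s\n' "$mode_out" \
        | sed -n 's/^Mode:[[:space:]]*//p' \
        | tr '[:upper:]' '[:lower:]')
    case $mode in
        command|full) echo "$mode" ;;
        *)            echo unknown ;;
    esac
}

# fw_compliant CHECK_OUTPUT MODE_OUTPUT
# Succeeds only when a password is set and the mode is "command",
# i.e. alternate boots are protected but normal boots are not interrupted.
fw_compliant() {
    [ "$(classify_fw "$1" "$2")" = "command" ]
}

# Live check: only runs on macOS, as root, where the binary exists.
if [ "$(uname -s)" = "Darwin" ] && [ -x /usr/sbin/firmwarepasswd ] \
        && [ "$(id -u)" -eq 0 ]; then
    check_out=$(/usr/sbin/firmwarepasswd -check 2>&1)
    mode_out=$(/usr/sbin/firmwarepasswd -mode 2>&1)
    echo "firmware password state: $(classify_fw "$check_out" "$mode_out")"
    if ! fw_compliant "$check_out" "$mode_out"; then
        echo "action needed: set a firmware password in command mode" >&2
    fi
fi
```

A result of "unset" is the state the thread warns about: any admin user, or anyone who can boot to Recovery, can set a password the organization does not know.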