How to reset firmware password?

Bernard_Huang
Contributor III

Hi all,

Did something stupid... I used sudo firmwarepasswd -setpasswd to change the firmware password I got the following feedback, so I thought the password change was successful

"
Enter new password:
Re-enter new password:
Setting Firmware Password
Password changed
NOTE: Must restart before changes will take effect
"

But when I type in the new Firmware password at the recovery screen (Command+R), I am padlock locked and can't get in.

I tried the command again to see if I can change it back, but I get an error:
"
ERROR | setPasswdFromCommandLine | Unable to verify password
ERROR | main | Exiting with error: 4
"

This really is my Macbook, it's not stolen. Anyone know how I can reset the firmware password?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

You'll need to either contact Apple over the phone and provide some kind of proof of purchase information, or bring it into an Apple Store with that same proof of purchase info and they should be able to reset it. Only Apple can do it.

View solution in original post

8 REPLIES 8

mm2270
Legendary Contributor III

You'll need to either contact Apple over the phone and provide some kind of proof of purchase information, or bring it into an Apple Store with that same proof of purchase info and they should be able to reset it. Only Apple can do it.

Bernard_Huang
Contributor III

Thanks. That's what I've been finding within Google.
I'll dig up my receipt and go from there.

maurits
Contributor

Before you head of to the Apple Store: maybe keyboard layout (expect US at firmware prompt) is preventing you from typing the password?

KSchroeder
Contributor

Sorry to dredge up an old thread...but is there any way to PREVENT a user from setting a Firmware password, via script or a profile?

mm2270
Legendary Contributor III

@KSchroeder Only if one is set by you. Meaning, if no password is set for Firmware, a user with admin privs can do a Google search and find out how to use the firmwarepasswd binary to set one in Terminal, or, even if not an admin, if they are able to Command+R boot into Recovery HD, they can set a password there since it boots into a root account.

So the only effective way to stop someone from setting one is to set one ahead of time. It's unfortunate that it works this way, but Apple has been unreceptive to any modifications in this area. We've submitted several requests to them to allow us to lock out some aspects of firmware booting, but allows others without needing the password. Those requests have had no progress at all.

KSchroeder
Contributor

OK, and by doing so that would require the password on every boot, correct? And then since they know the password, they can change it using setfirmwarepassword binary as you mentioned. Ugh.
Consumerization of IT :thumbs_down:

mm2270
Legendary Contributor III

@KSchroeder No. The only time it would need to be entered on every boot was if it was set to mode "full" which means on every startup. If set to "command" it will only be needed when alternate booting, i.e. booting with Option key down, or into Recovery (Command + R), Single User mode (Command + S), etc. (See the firmwarepasswd help page for more info - firmwarepasswd -h) Regular bootups won't require the password and users don't need to know it. For obvious reasons, you won't want to set it to full. Use command only.

My only regret is users not being able to boot to Recovery HD to do some basic self triage repairs. We have many tech savvy users who I would trust to do this, but it would require them knowing the FW password and, as you said, once they know it, they can change it, and subsequently forget it. I've had some users forget their own login password if they haven't logged in in a couple of weeks. I can only imagine how easily they would forget a firmware password only used once every so many months.

KSchroeder
Contributor

OK @mm2270, thanks again for all your input here. Looks like there is a method for pushing this as a Policy as will (via the EFI Firmware payload). Will give it a try!