BIOS Hard Drive Password Security?

BIOS passwords are simple locks. If you don't provide the password, the BIOS simply stops and doesn't continue the boot process.

There are two ways to get around this simple lock:

  1. Clear the BIOS/CMOS memory (usually requires direct motherboard access).

  2. Remove the drive and connect it to another computer (easier).


Update: As Blackbeagle's answer mentions, there is a HDD password defined as part of the ATA specifications. This is also a simple lock, but it's implemented in the drive, so neither of the above steps will bypass it. Some technical knowledge (and possibly some additional hardware) is required. You might be interested in this primer article on HDD passwords.


The BIOS lock is a decent deterrant in any number of movie-plot scenarios: someone with limited technical knowledge, or situations where the attacker can access the computer but doesn't have time or freedom enough to take it apart. If you're just trying to prevent your co-worker or family member from access, this works. However, this is not a significant deterrant for a determined attacker or someone who has unlimited physical access.

The ATA-level lock is a better deterrent, but it isn't perfect. Again, a determined attacker, given enough time, will get your data.

Full-disk encryption is available, and provides better protection. Self-encrypting drives that do this in hardware exist, and there are plenty of software options. Data encryption makes it much more difficult for an attacker to get your data, but there are always ways to get around encryption. (In particular, beware of Lead-Pipe Cryptanalysis.)


With due respect, there is a misunderstanding between BIOS passwords and HDD passwords. Another between password and encryption. Another between HDD security and Security chip on the mobo.

  1. BIOS pwds protect the boot process only: if the password is not provided to BIOS during power on sequence, then the power on sequence is stopped. BIOS pwd are stored on the mobo. At this stage, the disk has not been even accessed. HDD password (actual name is ATA Security) is provided by the drive only, and not by the BIOS. HDD pwds are stored on the drive only. However the BIOS needs to ask the pwd to the user and pass it to the drive (it is not checked either by BIOS). The HDD will then decide if it will unlock the drive. If not no data can be read or write.

  2. HDD passwords don't relate to disk encryption. The ATA Security feature is just a lock/unlock mechanism. Data may be encrypted or not by the system, this is transparent to the HDD controller onboard the HDD. Note that some Hitachi Travelstar disks are always encrypted, but are not protected (the encryption key is not released outside the drive, only the drive knows it). The goal is to scramble the data, and force them to be read by the HDD chip only, but there are provided to everyone. Protection will be available only by mean of ATA Security.

  3. Passwords and credential in general may be stored in simple storage (bare EEPROM) or in smart storage. Bare EEPROM can be read and written. Smart storage is offered by micro controller chips (similar to MMC cards) like the famous "TPM" (on of the Trusted Computing Group standard). TPM may store passwords, or crypto keys safely. They are associated with the computer mobo before being used, so swapping TPM between computer doesn't work. It is not possible to read them. They can be cleared only. Simply said you provide the pwd you want to confirm, the chip says Yes or No but you cannot guess which pwd would leads to Yes. TPM are used by new EFI BIOS to ensure the boot process is safe, signature of the boot software and hardware are stored in the TPM. Should they differ at boot time, the user will be informed and will need to confirm that he/she wants to continue unsafe.


For BIOS boot password, the answer is correct- relatively easy to bypass. Normally short the CMOS down.

For hard drive password locks - I believe that that they normally have a small crypto chip on the circuit board. When you enable them, the ATA spec then sends a signal back to the BIOS that results in control passing to the chip. It then asks for the password. Initially when you set it, it takes the password, encrypts it, and stores it on the drive platters. Subsequently when the drive is booted, the crypto chip assumes control, queries for the password and checks it against the stored copy. If they match, the crypto chip allows further boot.

THERE ARE DRIVE DECRYPTERS. I don't know the pricing, but I've seen them. They plug directly into the drive and can decrypt this sort of protection. It might be possible to swap circuit boards, but that wouldn't work if the drive manufacturer was smart enough to move the crypto chip inside the casing alongside the platters.