OS X Yosemite (design promo, Finder icon 001)

If your Mac is used by others, you should increase your security to prevent it from starting up from storage devices other than a designated startup disk.

Thankfully, you can easily do this by setting a firmware password on your computer. This will ensure that no one can boot your Mac using a bootable external hard drive, CD/DVD or USB thumb drive with a usable copy of the operating system on it.

As a nice bonus, no one will be able to mess with your Mac using OS X’s built-in recovery tools without knowing the firmware password. This tutorial will teach you how to set a firmware password in OS X Recovery Mode.

Before we get to it, keep in mind that you cannot reset a forgotten firmware password.

Therefore, write down your firmware password and keep it in safe place. If you forget it, you will need to schedule a service appointment with an Apple Retail Store or Apple Authorized Service Provider to unlock your computer.

Which Macs support setting a firmware password?

You can set a firmware password on the following Mac models:

  • MacBook Air (Late 2010 and later)
  • MacBook Pro (Early 2011 and later)
  • MacBook Pro with Retina display (all models)
  • MacBook (Retina, 12-inch, Early 2015)
  • iMac (Mid 2011 and later)
  • Mac mini (Mid 2011 and later)
  • Mac Pro (Late 2013)

If your Mac isn’t listed, protect yourself by creating a user account password to prevent others from logging in and enable full disk encryption with FileVault.

How to set a firmware password on your Mac

1) In the Apple menu choose Restart, or power on your Mac.

2) As your computer restarts, hold down the Command (⌘) – R combination right after hearing the startup chime and hold the keys until the Apple logo appears.

OS X Recovery Mode keystroke image 001

Tip: If you own a Mac notebook, press the built-in keys because a wireless keyboard may not register keystrokes at boot time.

3) The OS X Utilities window should appear after a few minutes. Don’t click any options in the window and instead choose Firmware Password Utility from the Utilities menu.

Recovery Mode OS X Utilities window Mac screenshot 001

4) You should now see the Firmware Utility window. Click the Turn On Firmware Password option to proceed.

5) Type in a desired firmware password, and re-enter it in the Verify field.

6) Confirm your choice by clicking the Set Password button.

7) Click Quit Firmware Utility to close the window.

8) Click the Apple menu and choose Restart.

Now when you Mac starts up, your firmware password will be active.

Turning off or changing firmware password

To turn off your firmware password, or change it, just boot into OS X’s Recovery Mode by following the instructions above. Then, choose Firmware Password Utility from the Utilities menu and click Turn Off Firmware Password to disable it or Change Password to change your Mac’s firmware password.

Starting up the Mac protected with a firmware password

Your Mac will start up normally from its startup disk and you will be presented with the usual login window where you enter your user account password. As mentioned, a firmware password gives you another layer of security, preventing anyone from booting the computer from any other disk other than your designated startup disk.

If you attempt to boot your computer from a USB thumb drive or an external disk, your Mac will display a lock icon with a field to enter the firmware password.

Mac firmware lock icon screenshot 001

Click the password field, enter the firmware password and press Return to unlock your Mac and continue starting up the computer from a non-startup disk.

Firmware-based passcode lock and Find My Mac

Also worth mentioning: enabling the Find My Mac feature in System Preferences → iCloud → Find My Mac and then locking your Mac remotely in the free Find My iPhone app will basically set a firmware-based passcode, which will work to your advantage by preventing unauthorized people from starting up the computer.

Find My Mac unlock passcode Mac screenshot 001

To unlock your Mac that has been locked from the Find My Mac app, enter the four or six-digit lock passcode you created. Make sure to write down the Find My Mac lock passcode. Locking the computer through the Find My Mac app sets a firmware-based password, so forgetting it will require you to schedule a service appointment with Apple.

Troubleshooting your Mac in Recovery Mode

Recovery Mode and Internet Recovery give you access to OS X’s built-in recovery tools which permit you to perform these maintenance and troubleshooting tasks:

Related tutorials

Check out these resources dealign with a myriad of ways you can start up your Mac:

For even more how-tos, browse our complete archive of Mac tutorials.

Need help? Ask iDB!

Not sure how to do certain things on your Apple device? Let us know at help@iDownloadBlog.com and our future tutorials might provide a solution.

Submit your how-to suggestions at tips@iDownloadBlog.com.

  • Nolan I.

    Uhm I’m pretty sure all Macs support firmware password.

    It works on my PowerBook. From 2001.

  • Stephen Jakubiec

    If your device is stolen and you have firmware lock turned on… Find my mac will not work. You’ll want your device partially accessible for the thief to connect to Wifi so it can be found.

    • :D

      Yh that’s why it’s a gd idea to set up a guest account

    • Gary le

      Most thieves will not connect to wifi after stealing it right?

      Next question, so if i use a regular password/pin and someone can use a recovery usb thumb drive and reformat the mac whens its in sleep/shutdown?

      • Mark S

        Many thieves are stupid and do connect. Lots of stories about them getting busted this way.

  • :D

    I did this just a few days ago – can’t believe I never knew about it before. Apple should encourage users to set it up when they first set up their computer.

    • Imagine millios of dumbs that are created and forget the password

      • :D

        True but apparently apple can reset it if you can provide proof of purchase

      • That would be not a problem in US or Europe. But not in most of countries. For example I live in Kazakhstan. And there’s no support for these “non-guarantee” situations. I even can’t contact Apple by phone

  • steiney

    Is the author saying that, without a firmware password enabled, there are one or more methods of bypassing the admin account password and filevault?

    • Chuck Finley

      You can boot a Mac into recovery mode without having to enter an admin password and from there you can reinstall OS X, deleting all your data, so yeah.

      • steiney

        Can an attacker only delete the admin account’s data, or can an attacker also read/write the data? I would imagine only delete, or else what would be the point of the Filevault encryption?

      • Chuck Finley

        An attacker wouldn’t be able to read/write any data to a Filevault protected volume, however once you’re in recovery mode it’s quite easy to delete everything on a Filevault volume using Terminal.

        I’m not sure if this has changed or not though, I would have thought that the Terminal commands needed to do this would require an admin password.

      • steiney

        Okay, well that isn’t too much of a problem for me. I follow the 3-2-1 backup method, so I don’t have to worry about losing my data forever. Thanks for the info and clarifications!

      • Chuck Finley

        Yeah, backing up your data is definitely the best way of staying safe! No worries man!