4

Is password hashed before saving to CMOS?
Which hash algorithm is used?
How much storage is dedicated for passwords?

What is about passwords of SSD with AES?
Does BIOS save it inside drive (just pass it to device for further processing)?

Maxim
  • 193
  • 1
  • 7
  • 3
    This contains multiple questions that could each have multiple answers. – Xander Dec 03 '16 at 00:27
  • In its current form, this is too broad. However, it could be a good question if it was limited to a specific product (or a specific product line). – S.L. Barth Dec 03 '16 at 11:15
  • @Xander All of that is related to "boot protection and boot passwords safety". Without physical access to hardware it makes sense and significantly related to each other. For example SSD password prevents booting of the system or changing parameters of BIOS. If passwords are stored in clear text in CMOS then it is obviously bad. And in some cases any malicious software can dump it. – Maxim Dec 03 '16 at 12:48
  • I am fairly sure virtually no BIOSes hash the CMOS password. It is stored in plaintext in the NVRAM area, which is either battery-powered CMOS RAM (on very old systems) or flash (on almost everything else). – forest Dec 21 '18 at 04:00

1 Answers1

6

Is password hashed before saving to CMOS?

Depends on the BIOS.

Which hash algorithm is used?

Depends on the BIOS.

How much storage is dedicated for passwords?

Depends on the BIOS.

What is about passwords of SSD with AES? Does BIOS save it inside drive (just pass it to device for further processing)?

There are a lot of different technologies for SSD encryption with AES, some of which may involve the BIOS. If it is using Real Encryption (TM), as use of the term "AES" implies, then the password should not be "saved inside the drive". Sometimes it's just a lock rather than real encryption, though, in which case the password, or a hash of it, is saved somewhere. It depends on the BIOS and SSD.

DepressedDaniel
  • 1,240
  • 7
  • 8
  • Let's say ASUS N750JV notebook and Gygabyte AWARD licensed BIOS. SSD - Samsung with AES-256. If it is not in controller of SSD where it is then? – Maxim Dec 03 '16 at 01:08
  • @Maxim Ofc the controller should get it from the BIOS. But it should not be *saved* (i.e., written to) the storage of the SSD. The downside of using proprietary encryption is that it is very impractical to check the vendors claims about what the encryption is supposed to be doing. – DepressedDaniel Dec 03 '16 at 01:33
  • I mean to validate password we have to compare it in some way with original one. Of course we can decrypt first sector and validate checksum. But checksum also should be stored somewhere. – Maxim Dec 03 '16 at 12:46
  • If the SSD is just using ATA lock with `SECURITY_SET_PASS`, then it's just 32 bytes of ASCII stored as plaintext on the drive and accessible to drive firmware. Hopefully any Opal-compliant drive will be doing encryption properly and not storing the key, just using it to decrypt the master key. – forest Dec 21 '18 at 04:19