The down side of hard drive passwords

Hard drive passwords block access to all the files stored on the hard disk in your computer. They offer great security without having to install any software, without having to learn much, without having to spend a nickel and at the minor nuisance cost of entering a single password when turning on your computer. They are more secure than operating system passwords or BIOS-resident power-on passwords. That said, nothing's perfect.

To begin with, not all computers offer hard disk passwords as an option. To see if it's available, you have to get into the BIOS setup/configuration program and poke around. If it's there, it will probably be in a "Security" or "Password" section.

Perhaps the biggest drawback is that the password only comes into play when a computer is turned on. Regardless of how good the protection may be, once the machine is running, hard drive passwords are irrelevant. For laptop/notebook users this means that if your computer is lost or stolen while it's suspended or sleeping, the hard disk password won't protect your files from snooping by bad guys. If a desktop machine offers hard disk passwords but it's never turned off, as many are not, then there's no protection.

The Windows hibernation feature is a gray area. At least some machines do prompt for the hard drive password when waking up from hibernation, but it's the sort of thing you should test on whatever computer(s) you may want to protect this way. I tested an Acer Aspire One netbook and it asked for the password. At least some Dell machines prompt for the hard disk password "... each time you resume normal operation from standby mode."

Of course, you can forget the password.

In a corporate environment the home office techies should have set the Master password which allows them access even when employees forget their User level password. Outside of a corporation, you should be able to set both the Master and User passwords, in effect, giving you two passwords. Remember either one and you're fine. I say "should" because the Acer Aspire One only allows you to set a single password. In contrast, Thinkpads let you set both User and Master passwords.

There is no one right answer for dealing with forgotten passwords. If the hard disk password can be easily bypassed, then it doesn't offer much security. If it can't be bypassed, then the burden falls on the end user not to forget it. We'll examine hacking your way through a hard disk password next time.

Then too, stuff breaks.

If Windows fails to boot, perhaps yielding the infamous Blue Screen of Death, then the hard disk password is not your problem. For Windows to start at all, the password must be provided and validated.

However, if a computer is so dead that nothing happens when the power button is pressed, then having a hard disk password makes things a bit more complicated. In the worst case, such as a motherboard or power supply failure, your files can usually be recovered by removing the hard disk and connecting it to another computer. If the hard disk has no password, it can be connected to another computer via a USB port, either with an external enclosure or a special cable. However, a password protected hard disk can't be used externally.

Connecting a 2.5 inch laptop hard disk to a USB port

I tested this, as shown above, with a 2.5 inch Hitachi Travelstar hard drive connected to an Acer Aspire One running Windows XP. Windows recognized the hard disk, even detecting the make and model. But, it never asked for a password and the drive never got allocated a letter. Windows disk management didn't see the disk at all, but it did show up in Device Manager.

This is consistent with the warning from Hewlett Packard that an external password-protected hard disk cannot be unlocked (at least on some of their laptops). It's also consistent with what Steve Gibson said in the December 4, 2008 episode of his Security Now podcast. A locked hard disk will identify itself, but not do anything else without the password.

Even if you don't forget the password, the hard drive might forget it. The passwords are stored on the hard disk platters and platters can fail too.

On the upside, the standard allows for two passwords so all your eggs aren't in one basket. Two available passwords lower the odds of an I/O error on the platter blocking access. Then too, it's possible that the hard disk manufacturers store multiple copies of the passwords on the platters.

But hard disks fail all the time. That's why we all need to back up the files on our computer(s). Regardless of hard disk passwords, all sorts of failures can turn a computer into a paper weight. I plan on writing extensively about backing up your computer in the near future.

In fact, with Defensive Computing, you assume your most important computer turns up missing or useless, and plan for it. I've used hard disk passwords for many years and, yes, a failure with the password can render the hard disk useless, but so too can many other things. Backup, backup, backup.

Another reason to set both the User and Master passwords is that the hard disk may have shipped from the factory with a default Master password. According to the Wikipedia description of the ATA standard "Most disks support a Master Password Revision Code, which can tell you if the Master password has been changed, or if it still the factory default." The Adroit Data Recovery Center also refers to a default master password:

So if the Master Password is unchanged, and if one knows the "default factory password" assigned as the master password ... one can then bypass the disk lock easily. For security reason, we will not discuss or release what are the default factory password.

If multiple users in a household share a common computer they would all need to know the hard disk password. The only protection provided in this case would be if the machine was stolen. Separating the logical environments of multiple users on a single machine is an operating system thing rather than a hard disk thing.

Another downside is that setting, changing and/or removing the password can be confusing. For one thing, there is no standard for the user interface; one BIOS is likely to work differently than another. Removing the password, for example, may require disabling the password feature or it may require you to enter a null password. At least some Thinkpads have different procedures for removing the hard drive password depending on whether it is the same or different from the power-on password.

From what I've seen, the instructions provided by the BIOS setup program are, to be kind, sparse. For example, things like the allowable characters in the password, whether it is case sensitive or not, the minimum length, the maximum length and the like, never seem to be explained. In an earlier posting I mentioned the bug in the Aspire One BIOS that requires entering the password with the Caps Lock key on during startup.

If your computer is stolen, a password protected hard disk may be subject to a brute force attack. We've all seen password prompts which disable themselves after the wrong password has been entered too many times. That doesn't happen with hard disk passwords. If someone is willing to spend the time, they can keep guessing password after password. That's the bad news.

The good news is that it's brutally slow to guess and guess. After a few bad guesses, the system locks up and has to be restarted. The number of bad guesses varies, but seems to always be small. At one point, Dell used three bad password attempts before rebooting. HP has, at times, only allowed two bad password tries. In my testing, the Acer Aspire One allowed three bad guesses before objecting. Hard disk recovery company ADRC says "a power reset must be performed after five guesses".
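The Master Password Revision Code and the lock-up after repeated bad guesses are both visible in the 512-byte block a drive returns to the ATA IDENTIFY DEVICE command. The following is an added example, not code from the original article: it decodes word 92 (revision code) and word 128 (security status) as laid out in the ATA standard, and the function names and the sample block are constructed for illustration.

```python
import struct

# IDENTIFY DEVICE word numbers used by the ATA Security feature set
WORD_MASTER_REVISION = 92     # Master Password Revision Code
WORD_SECURITY_STATUS = 128
FACTORY_REVISION = 0xFFFE     # revision value a drive ships with when supported
STATUS_BITS = {"supported": 0, "enabled": 1, "locked": 2,
               "frozen": 3, "count_expired": 4, "enhanced_erase": 5}

def parse_security(identify: bytes) -> dict:
    """Decode the security fields of a raw 512-byte IDENTIFY DEVICE block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", identify)   # 256 little-endian 16-bit words
    status = words[WORD_SECURITY_STATUS]
    state = {name: bool((status >> bit) & 1) for name, bit in STATUS_BITS.items()}
    state["level"] = "maximum" if (status >> 8) & 1 else "high"
    state["master_revision"] = words[WORD_MASTER_REVISION]
    return state

def findings(state: dict) -> list:
    """Turn the decoded state into the checks discussed in the article."""
    if not state["supported"]:
        return ["drive does not implement the ATA Security feature set"]
    out = []
    if not state["enabled"]:
        out.append("no User password set: drive is readable in any machine")
    rev = state["master_revision"]
    if rev == FACTORY_REVISION:
        out.append("revision code is 0xFFFE (factory value): "
                   "Master password probably never changed")
    elif rev in (0x0000, 0xFFFF):
        out.append("revision code not reported: cannot tell whether "
                   "the Master password was changed")
    if state["count_expired"]:
        out.append("unlock attempt counter expired: power cycle required")
    return out

def build_sample(status: int, revision: int) -> bytes:
    """Constructed IDENTIFY block with only words 92 and 128 filled in."""
    words = [0] * 256
    words[WORD_MASTER_REVISION], words[WORD_SECURITY_STATUS] = revision, status
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    # Constructed case: locked drive, bad-guess counter expired, factory revision
    for line in findings(parse_security(build_sample(0x0017, 0xFFFE))):
        print(line)
```
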

Hard disk passwords don't involve encryption so they are not as secure as a good encryption scheme. But, they are much more approachable, which leads to a difficult question: just how secure are hard drive passwords?

In theory, anyone able to disassemble the drive and remove the platters can access the data on the disk. But, according to Steve Gibson "it's very difficult to do". And direct access to the platters isn't even sufficient, as the drive electronics will still look for the password. You would need to either customize the internal hard drive firmware or zap just the password off the platter leaving all the other data intact.

Don't expect any help from the computer manufacturer in bypassing a hard drive password. Lenovo/IBM says:

Do not forget your hard disk password! Keep it in a safe place. If you forget your hard disk password, there is no way to reset your password or recover data in the hard disk drive. Neither an IBM authorized reseller nor IBM marketing representative can make the hard disk drive usable.

Elsewhere, Lenovo warns:

If the user's Hard drive password has been forgotten, check whether a master Hard drive password has been set ... If no master Hard drive password is available, or if the administrator forgets the master Hard drive password, then the hard drive must be replaced.

Likewise, Hewlett Packard warns that

"In the event that both DriveLock passwords are lost, the hard drive is rendered unusable . . . There is no "back-door" that can be used to unlock the drive if both passwords are lost."

But what of the hard disk manufacturer themselves?

Hitachi says

" ...  there is no way to bypass the security password feature of Hitachi hard disk drives. If the password is not known or has been misplaced, Hitachi will not be able to assist in gaining access to the data on the drive."

Western Digital wants no part of data recovery. They instead refer you elsewhere.

I've been in contact with two companies that specialize in hard drive recovery and we'll get their take on hacking a hard disk password, next time.

Copyright © 2009 IDG Communications, Inc.
