Notebook security is one of those issues most users only marginally think about. Its usually a simple matter of turning on the notebook, entering a username and password, and they are on their way. But, in some corporations, there is a power on password that needs to be entered before the user enters their username and password. The power on password unlocks the hard drive and allows the notebooks to be used. Well, what happens if the user or even the IT department forgets this power on password? In the case of a Lenovo ThinkPad, users rare out of luck.
Lenovo refuses to reset the power on hard drive password, even if the notebook is covered by their warranty. Users are on their own and have to try the Internet for answers.
In an article over at The Register:
Reg reader Shaun P, who put us on to the issue, explains: “When a Lenovo customer forgets their password the firm tells customers to replace the motherboard at their expense. That’s because the password lock-out problem is something that isn’t covered under Lenovo ThinkPad warranties.”
Sure enough, page 19 on Lenovo’s ThinkPad warranty explains that while the “power-on” password can be reset by service agents the same doesn’t apply to supervisor passwords.
Lenovo explained the rationale for this policy in a brief statement.
Lenovo does not reset passwords for customers regardless of warranty status. To do so, represents a potential security exposure.Lenovo entitles warranties based on the system model and serial number combination and not based on a particular registered customer – in which case Lenovo would have no way to authenticate a customer seeking help with a story of a lost or forgotten password. If Lenovo were to reset administrator or HDD passwords by either policy or available procedure, then we would be creating an exposure and undermining the value of the passwords to deter theft and prevent unintended access to data.
So, what is a corporation or end user to do in this case? Follow whatever the corporate password policy may happen to be for starters. If its a personal notebook, don’t write the password on an Post-It note and attach it to the notebook. If you need to write it down, put it on a Post-It note and place it in your wallet or some other secure place.