K7VMM Bios Password flaw

[wildred]

Originally posted here by nihil
Similarly, you need to keep an eye on column widths and paper size in printed reports. Hey, I wish I had 1$ for every mistake that I have made :D Point is...learn from them.

Good Luck [/B]

Amen to that. I am currently studying computer science and engineering and the most advice and tips that I can get the better. I hope to soon be able to get into a computer firm and actually be productive instead of being a data entry clerk. Again, thanks. FYI, I contacted ECS Group and I will let you know if you want, what their answer is, if I get one back.

[nihil]

Hi Wildred, it is a pleasure to attempt to help someone as polite as yourself. Yes I would be interested in the ECS answer..........please send me a PM or post to the thread.

A couple of other things came to me: your BIOS password can be circumvented by using a jumper switch on the motherboard. So it is only as secure as the physical security that you have. Guess your siblings don't have that skill yet? but I bet they have friends with older brothers & sisters? I would think about locking the case..............I do not like the idea of youngsters with screwdrivers and the case off with the power connected...............kinda scary

Might be an idea to set them up with their own profiles/ids? makes them feel more important and less likely to cause accidental damage You did not mention your OS or how old they are, so I am jumping to conclusions again.

Have a good browse around this site, there are lots of tutorials and interesting stuff

Good Luck

[wildred]

My siblings are 25 and 17 and have no clue what a jumper is thankfully. I also run windows 2000 and have a login password on that as well. My case is actually left open because I change out hard drives frequently, to test for my customers or install windows cor my customers. Also, with all the neon (yes, I do have neon, go ahead and gripe) it tends to get hotter then what it should be, and we all know that AMD chips are notorious for heat issues, even with an upgraded cpu fan etc. Thanks for your time though, ECS btw says they should get back to me within 48 hours, we shall see.

[Noia]

Could be your Mobo only supports 8 characters, and the last one is truncated :P
Try with only 8 or with 10, aslong as the first 8 are correct it prolly will let you through

[nihil]

Hi,

Yep, if they've lived that long they are obviously not in the habit of sticking screwdrivers into powered-up electrical devices

Your problem is obviously physical security, and it seems that there IS access to your machine, and the case is not locked down. An alternative you might like to consider is removeable drive bays? Over here they cost just under £15, but I would have thought you could get them for about the same in $ where you are?

I quite like them, as the frames just screw into your 5.25" bays, and the actual drive fits into a carrier which you just plug in and out of the frame. There is the facility to screw the drive into the carrier, but the whole fit is pretty snug, so you don't have to do that, if it's just a drive you are working on for someone. For security, you just take the hard drives out and lock them up.

A real plus is that they have a front fan that blows air over the surface of the HDD, so if you extract properly, it makes the system cooler. Those 7200rpm drives generate a fair bit of heat!

I was given two of those neons.........haven't done anything with them yet, but I noticed that they have a sound activation capability You surprised me by suggesting that they were a concern regarding heat. I was always under the impression that neon was "cold light"..........I would have looked to cooling 7200rpm HDDs and maybe putting a cooling fan on the videocard, and heatsinks on fast DDR RAM strips first?

I don't know the ECS mobo, but I have seen quite a few instances where the password was limited to 8 characters, and would not even support a "strong" password. That is including symbols, as well as letters & numbers. I am not sure, but I guess that as the BIOS password is pretty much inaccessible, and you only get three goes at it (typically) they did not think it too important.

I did wonder if that last digit might not be some kind of check digit in the BIOS, and the guy who programmed the input screen thought 9 characters...here you go.......seen that sort of thing before.

Let us know how you get on.

Good Luck

Johnno

[wildred]

Ok, this will kinda wrap things up for what has been done to "fix" this issue. I set the password to 8 characters as it will only accept a max of 9.....it wont let you use special characters either for a strong password , which sucks, but thats besides the point. After setting it for 8 characters, it will not work unless I have the 8 correct, so it leads me to think that its only checking the first 8 characters. It also does this with a number only password and a letter only password. Thankfully win2k has the bootup password and that so far prevents the "others" from getting access. If you, nihil, happen to find a link or site that sells those hard drive things you discussed, please mesg me them so I can look into it. It almost sounds like a RAID type setup but def. seems handy to have. Ugh, so much information to learn and so little time, thanks all for your help. I will post the response from ECS when/if I get the answer.

[wildred]

Just to let everyone know, I got an email from ECS..this is what they say.

Hello,

The maximum character you can use to setup a password is "8" so the 9th character is negligible.

ECSUSA Tech Support

Thanks.

[nihil]

Hi Wildred,

Sorry for the delay regarding removable drives...............I am over here in England, so I couldn't just recommend my local store I spoke with a couple of friends and got this:

http://www.mycableshop.com/3rd_level/drawers_IDE.htm

Hope the link works, the outfit is myCableshopInc.

You, and any other interested parties, might like to check out:

http://www.ce-infosys.com

This is the site for CompuSec v4.15, it is a security app. that gives you "pre-boot" authentication and "full hard disk encryption". As it is in the POST sequence, it cannot be switched off by using the CMOS battery or jumper switch. I have not had a chance to look at it closely, so I do not know if it is significantly better than the WIN2k password. I am guessing, but I think it is a straight "know this or it won't start" whereas you can generally get into a WIN2k box as a default or guest user?

The bottom line, as I see it, is that this cuts in after powerup, but before Windows, so it seems to be very much aimed at the physical security situation?

It only runs on NT4.0, 2k, and XP, and has an industrial strength "big brother".

Naturally it is free for private use (they don't call me "nihil" for nothing )

Good Luck

Johnno

I would think that if you use something like this and forget the password...............you are history?............so be careful.

[wildred]

Thanks for getting back to me. That looks like a good idea for me to put on my pc, instead of the bios password. Reason being, I found out that if I put 7 character password only 6 are "
needed". So , essentially my password is getting smaller and smaller and easier to break into. Again thanks.

[D0pp139an93r]

This is not uncommon. Many peices of software, whether they be BIOS or whatever can accept input larger than the field. Usually the entry is just truncated, but occasionally with crapware, like what I have to fix at work, the entry is lost. I'm guessing that the password field is 8 charachters, standard for BIOS's. The first 8 you input go through, nothing afterword. There is almost always an option to have the password protection just for CMOS settings, or for the system itself.