[drdaeman]

Isn't BIOS passwords useless?

For non-soldered but socketed BIOSes I think one can just take chip out and put it into your wallet, possibly, covering some pins with some dissolvable insulating substance. For soldered SPI EEPROM chips with known pinout, I think one can reflash the chip afterwards.

[daxelrod]

BIOS passwords are not always useless, depending on model.

I had a Thinkpad T42 on which I managed to set a password for editing BIOS settings that I did not remember.

I the laptop into IBM for repairs to the monitor, and as part of their repairs they needed to get into the BIOS settings (I believe to run a diagnostic). Their solution was to replace the entire motherboard.

[drdaeman]

Well, guess it were hardware types, who performed the repairs, or they just didn't have necessary equipment (an AVR board like Arduino or PC with an old parallel "LPT" port will suffice, hardware-wise) at hand, so it was easier for them to solve it that way. :)

I was 99% positive the same could be achieved by messing with EEPROM. And, indeed, less than 10 minutes of searching yielded this unsurprising result: http://arduino.ada-language.com/recovering-ibm-thinkpad-t42-...

tl;dr: Nope, T42's BIOS password is not secure if you allow anyone with necessary hardware to touch the motherboard for a minute. TPM may (depending on the laptop model and firmware revision) prevent password recovery but will likely not prevent anyone from resetting them - at least this seems to be the case with Thinkpads. Next time I'll clean dust from my X300, maybe I'll remember this thread and check its EEPROM too. :)

So, do not rely on BIOS passwords as a strong security measure.