Oh my god. Hasn’t happened to me yet, but this is absolutely insane.
I’ll quote from the NIST Guidelines again:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
I think you are right, and my understanding is that they actually licensed the source code, so they are able to make any changes they want.
Fingers crossed. I hope they understand that it is actually a high impact issue. Once the passwords start expiring for everyone, people start adding some random bs and then forgetting them…
Does it say InsydeH2O or Insyde at the top of your BIOS screen?
Last I read, the BIOS firmware is licensed from Insyde Software - Wikipedia. I don’t know if it’s different on newer boards.
Congratulations to @FrameworkPuter for their exciting launch event yesterday, including the unveiling of the latest InsydeH2O-powered Framework 13 laptops featuring the AMD Ryzen 7000 series and 13th Gen Intel Core CPUs!
Add my name to the list of villagers hoisting torches and pitchforks against the password policies embedded in the Framework 13 (AMD 3.03) BIOS.
While I’m in agreement with all the above posters’ arguments, I’m of the opinion that since this is a sold product—as opposed to rented, leased or issued by some entity—with the transfer of funds, ownership—along with its responsibilities in addition to its rights—has passed to me. Therefore, FW has no right or basis to dictate—and enforce—device security policy to me. They meet the definition of tyrant for that.
In the real world where I live, I use a BIOS password the render the device worthless to common garden-variety burglars. Not even in my worst dreams are government agents (or worse, foreign government agents) trying in break into my laptop when I’m not home. (To mitigate that, I use full disk encryption anyway.) I just want the boot password to effectively brick the device should some druggie burglar come a calling.
But perhaps more importantly, I don’t need or want a memory and typing test before coffee in the morning.
I have been happy, nay, delighted in every way with my FW13 and the company. Which only makes this mistake all the more glaring. And given what little I know of the company by their propaganda, erm… I mean, marketing materials… it seems to go against both the principles and the principals of the company.
So outraged peasants arise against the tyranny of the enforced 10 character maximum and 30-day forced rotation!
Here is an experience with the AMD 13-inch unit I got:
I was very excited to get the Ryzen 7840 model until about three weeks later it demanded the BIOS Supervisor password change, not allowing the boot to proceed.
I changed the password, but in the process, the BIOS enforced the uniqueness of about the last ten passwords and the complexity requirements. Which, is mind-blowing, undocumented, and unwelcome. Security experts advise against these practices.
Naturally, I thought, such a drastic and undocumented feature was easy to turn off.
Wrong.
It took SIX communications with Framework support to get somewhere. In the process they either did not care to read the question or did not want to address the question. Those exchanges included Framework’s Head of Global Customer Experience.
The final result:
Hello Vlad,
This case was reviewed with our Engineering team and we can confirm that it is not possible to remove the enforcement of the BIOS password parameters.
Regards,
Framework Support
Wowsers
The password “expiration” did not yet happen again. But I can not imagine any large-scale purchaser would be happy to manage a mess these “features” will create at a scale. Attached are some illustrative images.
On a server: any kind of request should be limited. Even if the password is not stored in plain text, if the server lets me upload a gigabyte of password data, that’s a gigabyte of data the server will need to hash and an excellent entry point to make your DDoS attack super effective. A generous limit, like 128 characters is obviously nicer than PayPal’s 20, but there has to be a limit.
In a BIOS: this is very low level code, it’s not guaranteed that memory allocation is possible nor that you can store much data in BIOS memory, there has to be a bound. Arguably, 10 characters is too low, but don’t expect 1KB (although I guess they could hash it for the storage property, but it still has to have a limit anyway).
I’ve been considering deploying frameworks in my corporate environment. We mandate bios passwords and custom secureboot keys. This issue is disqualifying until it is resolved.
Voicing my concerns here as well: the complexity requirements is both arbitrary and inadequate! Maximum 10 characters but has to have every kind of characters, have to change every once in while…
I want to set a password (in correct battery staple horse style) for an actual secure Secure Boot set up, but this is keeping me away from it completely. Even if I could set such a password, the fact that I have to change it to something else in 3 weeks is insane.
I hope this gets fixed with a BIOS update, was very disappointed.
Framework 13 Laptop AMD based, just wanted to remove my set bios password the other day. When i first managed to enter the settings area by providing this already set bios password, it immediately showed that this very password apparently expired and that I needed to provide a new one. I have never seen this kind of dialog box before ever and wasnt even aware that the bios password could expire at all or that there were expiry settings somewhere (where exactly?).
in this immediate password change enforcing dialog, i could not at all in no way like remove the password as a remedy, provide empty/no password as the new setting. So i needed to first provide an intermediary password temporarily first, and then go into the uefi bios security settings and re-set the admin password once more any only there I could leave the new password empty, thus removing my password for uefi bios all together completely.
any ideas on this matter? very odd to me. also this 10character limit max etc (other thread).
thank you.
as I have never seen this expiry before, round about when after what time spans? or login attempts, counters? does an admin password expire? any ideas? thank you.
Maybe after 1 or 2 months? I’m not really sure. I received my FW13 AMD in October and it has made me change it last month when I went into bios.
I then went into bios some time later and forgot what I changed it to. After I dealt with that anger, I found the mainboard reset procedure and cleared the password and just left it disabled now.
Umm. Something very similar happened to me after my Framework ran out of battery; some BIOS settings have reset, including the RTC (date and time), and the password was suddenly expired.
However, it seems that ordinarily, the period after which the password expires is 1 month (probably something like 30 days).
Furthermore, as I’ve had to change the BIOS password three (3) times now, the BIOS does seem to remember at least the last three (3) passwords, since I could not use any of the previous passwords. Funnily enough, that was even after the BIOS settings have reset.
Suffice to say, I hate this so much, and the policy requirements combined with the absurd length limit are just wrong. I will confess here that I would absolutely not remember a brand new password each month.
@Matt_Hartley
I don’t understand how this is not a support topic - could you elaborate?
Is it because of the phrasing of the original post?
(Edit: Thanks in advance! I don’t mean to complain, it’s an honest question because I think this may have simply been a mistake).
I would think that a considerable amount of community members raising concerns about the obvious shortcomings of the current BIOS security implementation would make for a high priority support case.
So far, I’ve seen statements about the
Non-compliance with NIST password security guidelines (length, expiry, complexity rules)
Storage of a password (hash?) history of at least 3-10 passwords that survives a BIOS reset
2a. Suggestion that the password history may be stored in plain text because a character limit is usually a sign of unhashed, plaintext passwords in storage.
Refusal to deploy Framework Laptops inside a business environment (that should be a biggie!) due to the unbearable restraints for IT support that needs to handle BIOS passwords
Community members having to reset their BIOS due to a forgotten password that could not be memorized because the ruleset won’t allow for a secure AND memorizable password, let alone passphrase. And no support article on how to handle that situation.
Community members actually opening support tickets that were escalated to the top of the customer support hierarchy - to figure out if there is a way to disable the password expiry.
Surely a ‘support topic’ is a single request for help with an issue with a purchase.
This is the first time I have heard of such a rule. But sure, my single request, listed above, is “to allow disabling all of the password enforcement as a whole”.
This is more a query about how the password in the BIOS is implemented and hence a general query.
Nope. This is the community venting and voicing their dissatisfaction with the Framework personnel pretending there is no problem with the BIOS behavior. They moved the support topic to the general discussion and pretended there was no defect when I opened a support ticket over the email as I was not satisfied with the product malfunction.
Of course any purchaser can contact support officially if they have a problem, as no doubt has happened on this issue.
Indeed it did. And the Framework answer was akin to “pound sand”.