[SOLVED] Complexity rules for AMD BIOS password? Why? (Moved)

The password expired in less than 12 hours.

Wouldn’t it be reasonable to provide a validity period of at least one month?

1 Like

Umm. Something very similar happened to me after my Framework ran out of battery; some BIOS settings have reset, including the RTC (date and time), and the password was suddenly expired.

However, it seems that ordinarily, the period after which the password expires is 1 month (probably something like 30 days).

Furthermore, as I’ve had to change the BIOS password three (3) times now, the BIOS does seem to remember at least the last three (3) passwords, since I could not use any of the previous passwords. Funnily enough, that was even after the BIOS settings have reset.

Suffice to say, I hate this so much, and the policy requirements combined with the absurd length limit are just wrong. I will confess here that I would absolutely not remember a brand new password each month.

7 Likes

we need transparency and clear documentation of these nasty features please. seriously. this is bad practice. thanks.

1 Like

Thanks for this and all the associated posts.

Thank f"&k I didn’t set a password.

I live in the woods and rarely go to town, and when I do the laptop is never more than a few feet away from me unless at my relatives.

Important data is encrypted so hopefully the worst I would get is a stolen laptop, not stolen data.

However if there is a lock on how many times you can try even 1000, manually not possible in a second,
and else demand new password after 10 attempts.

So is it such a big deal?

Clear BIOS by manual reset would seem a more likely worry, or am I missing something?

@Matt_Hartley
I don’t understand how this is not a support topic - could you elaborate?
Is it because of the phrasing of the original post?
(Edit: Thanks in advance! I don’t mean to complain, it’s an honest question because I think this may have simply been a mistake).

I’ve browsed the support section a bit and I can’t see the difference to a question like this one, for instance, which also mainly addresses BIOS settings/features: [RESPONDED] Linux Ryzen AI support on Framework AMD boards

I would think that a considerable amount of community members raising concerns about the obvious shortcomings of the current BIOS security implementation would make for a high priority support case.

So far, I’ve seen statements about the

  1. Non-compliance with NIST password security guidelines (length, expiry, complexity rules)
  2. Storage of a password (hash?) history of at least 3-10 passwords that survives a BIOS reset
    2a. Suggestion that the password history may be stored in plain text because a character limit is usually a sign of unhashed, plaintext passwords in storage.
  3. Refusal to deploy Framework Laptops inside a business environment (that should be a biggie!) due to the unbearable restraints for IT support that needs to handle BIOS passwords
  4. Community members having to reset their BIOS due to a forgotten password that could not be memorized because the ruleset won’t allow for a secure AND memorizable password, let alone passphrase. And no support article on how to handle that situation.
  5. Community members actually opening support tickets that were escalated to the top of the customer support hierarchy - to figure out if there is a way to disable the password expiry.

14 Likes

Surely a ‘support topic’ is a single request for help with an issue with a purchase.

This is more a query about how the password in the BIOS is implemented and hence a general query.

Of course any purchaser can contact support officially if they have a problem, as no doubt has happened on this issue.

> Surely a ‘support topic’ is a single request for help with an issue with a purchase.

This is the first time I have heard of such a rule. But sure, my single request, listed above, is “to allow disabling all of the password enforcement as a whole”.

> This is more a query about how the password in the BIOS is implemented and hence a general query.

Nope. This is the community venting and voicing their dissatisfaction with the Framework personnel pretending there is no problem with the BIOS behavior. They moved the support topic to the general discussion and pretended there was no defect when I opened a support ticket over the email as I was not satisfied with the product malfunction.

> Of course any purchaser can contact support officially if they have a problem, as no doubt has happened on this issue.

Indeed it did. And the Framework answer was akin to “pound sand”.

8 Likes

My BIOS password has “expired” for the second time. This is completely absurd, dear Framework, please, do something about this!

11 Likes

Every time I’d like to enter BIOS, my password has expired. @Matt_Hartley is Framework even discussing fixing the massive security flaw?

5 Likes

I’m in for asking for a fix for this too.

3 Likes

I have always been leery of BIOS passwords. But I was considering it because the FL16 will be a big purchase for me and I plan on doing a lot of traveling for the next several years.

This situation is really concerning, not so much that it exists, but that it seemingly has not been actively addressed by Framework…

@Matt_Hartley is this being addressed?

1 Like

@ksimuk @CruelSun Both of you are asking the wrong fella. He’s Linux support, not firmware or BIOS/UEFI stuff. @Kieran_Levin is the guy you want. Or potentially @TheTwistgibber since he’s customer support generally. All Matt can do is ask the guys in charge of this stuff and ferry the response back here.

6 Likes

Thank you!

1 Like

Can you share what platform you are experiencing these issues on?
Password expiration is not defined behavior so I would like to fix this if possible.

On newer platforms in progress we are addressing requests to allow longer passwords, which was a previous request from the community.

7 Likes

I was asked to change the BIOS password two times since I got my FW13 with AMD 7640u in late November. Once it happened in mid/late December iirc. It expired again in late February (this time the laptop had been powered off for some days because I was away and I left it at home, don’t know if this matters). BIOS version was 03.03.

That kind of attitude isn’t likely going to get the result you want, he’s trying to help y’know.

2 Likes

Sorry. I guess I’ll stay away from this…

7840U FW13 has told me my BIOS password has expired twice now and forced me to change. I haven’t gone into the BIOS since a few months ago, but I suspect it’s probably expired again.

My Password has expired several times now. I can’t say it exactly but it must expire every several weeks…maybe 4 weeks…