[SOLVED] Complexity rules for AMD BIOS password? Why? (Moved)

we will investigate this, but this will most likely not make it in to the next AMD bios update, as we are too far along in the release process to update.

8 Likes

Thanks, that’s good to know! Even if it won’t make it into the next release, it’s great to know that you’re working on this.

I believe you can trigger the password expiration by disconnecting the battery, by the way. If you’re looking for a way to debug this, I mean. As I recall, I was forced to change the password after that.

In my case, it happened with pre-installed 3.03 on 7840U

2 Likes

Refer to [RESPONDED] Complexity rules for BIOS password? Why? (Moved) - #18 by Vlad_Didenko

Do not care for LONGER passwords. Framework should allow users to disable password complexity and expiration enforcement. I want actually to own what I paid for.

3 Likes

I think you may have missed out on one line in @Kieran_Levin 's post.
“Password expiration is not defined behavior so I would like to fix this if possible.”

He spoke of longer passwords after that.

Getting rid of complexity rules would be a nice thing, too. Although that really is a small concern for me, as long as the rules don’t get any worse. At the current level, “password” becomes “P4ssword.” and we’re done. But I guess dropping the rules shouldn’t be hard to do when length and expiration are addressed.

@Kieran_Levin What’s important (imo) would be the password-reuse, though! It’s no good behaviour that the firmware won’t allow me to use a previous password. You can leave a warning in but there are good use cases for reusing a password (e.g. using a stronger, harder to memorize password in critical situations, then reverting to a more relaxed password for secure environments).

(Edit: Thinking about it another time: If you leave the warning in, you need to retain the hash of the more secure password, which is not behavior that I’d wish for in my threat model considerations.)

Nope, I did not miss anything. My general request stands:

allow disabling all of the password enforcement as a whole

It may be easiest programmatically to return systems to the state of no surprise for users.

2 Likes

FW13 with AMD Ryzen. And the expiration unfortunately does not work reliably when the laptop runs out of power (or rather - it reliably expires when the battery runs out :)) so I would rather have the option to get rid of it. (Or at least clearing the password history, which seems to be three previous passwords.)

3 Likes

Having the same problem. Additionally to the bios admin password I also use bios startup password which makes me select a new password approximately every month, not only when entering bios, but also when just booting normally. I have a few pretty good passwords that also can be adopted to fit 10 characters, but having to come up with a new password every month will either lead to unsecure passwords or people forgetting which modification they did this time or both.

I am running a Framework Laptop 13 (AMD Ryzen 7040 Series), BIOS Firmware Version 3.03
Please allow disabling password complexity and expiry as those just ruin the otherwise smooth FW experience!

1 Like

Good news, your issue will be resolved next week with the release of a BIOS update

2 Likes

I’m not so sure about that - there was a bug causing a reset of the bios password on bios update, holding up the bios release, that they fixed, so the release can go out. I don’t think they yet changed the behavior to not do time-based expiration.

So hopefully the next bios update after the one expected next-week-ish, probably a few months later.

1 Like

Wow, I really hope they fix this because I want to buy a FW13 for my son to use for school but the bios password expiration is a dealbreaker. I hope my FW16 bios password doesn’t expire too :grimacing:

Having a bios password is a basic necessary protection in many environments and having the password expire makes it unusable. I’ve never encountered bios password expiration in 25 years of working with laptops & desktops in IT.

4 Likes

We are seeing progress. Thanks.

3 Likes

Thank you, @Kieran_Levin, @Matt_Hartley, and the framework team. Assured once again that made the right choice with buying Framework Laptop!

4 Likes

Absolutely great work, thanks, @Kieran_Levin @Matt_Hartley

This is the best customer support experience I’ve had ever since privately owning a 2007 HP Business Notebook that came with a Business support program where they eventually sent me a contractor technician to install a new mainboard for me into my home when it broke!

No need for that with FW though :smiley: The new password rules work great for me.

3 Likes

Love seeing this, indeed all complexity requirements are gone (and I tested a previously used password and it let me set it). The minimum length of 8 is reasonable (although, if I remember correctly, previous versions did not have it, so I am wondering whether this is where the bios reset issues are coming from – luckily my password was longer than 8 and, for me, the upgrade went completely smoothly).

Still not sure where the maximum length of 64 is coming from, I really do hope that this is just arbitrary and not because they store the plaintext somewhere…

1 Like

Excellent. Installed smoothly, complexity requirements are not there anymore. I hope it won’t ask for a reset on May 7th :slight_smile:

Speedy turnaround for a firmware fix; thank you very much, Framework!

It is also comforting to see that you are hiring the firmware expertise :+1:

1 Like

I’m seeing this behavior on framework 13 amd version

Thinking back on this we should have made the max length longer. But we had to get work done from our bios vendor to increase it from the previous max of something terribly low like 16 characters.

3 Likes

Yeah, it was 10 :smiley: Thank you for these improvements, it really helped a lot.

Just AMD. Solved with bios 03.05. Maybe title can be changed to add “(AMD)” and this topic can be marked as solved?

1 Like

Works like a charm with 3.05. Thanks, Framework team for addressing this!

1 Like