  • Posts: 34
  • Registered: ‎06-24-2011
  • Location: usa
  • Views: 164
  • Message 1 of 20

HDD Password: no special & upper case characters? Lenovo please respond!

2012-01-06, 21:53 PM

I'm trying to set a Hard Disk password on a new X220 with an INTEL 320 SSD (which has built-in AES encryption with ATA Password). Yet only lowercase and numbers are accepted for the password (this means strong passwords cannot be created). Lenovo, how can you sell a BUSINESS laptop for use in a corporate environment and not provide adequate security by allowing basic things like special characters and upper-case letters in passwords?

Is there anything that can be done to fix this? How can I secure the data on the SSD from theft etc?

 

By the way I reformatted and built the drive as UEFI boot only for Windows 7. So it doesn't matter whether the drive is set to Legacy or UEFI only. It still won't accept upper-case nor special characters in "BIOS" settings passwords.


  • Posts: 34
  • Registered: ‎06-24-2011
  • Location: usa
  • Views: 164
  • Message 2 of 20

Re: HDD Password: no special & upper case characters? Lenovo please respond!

2012-01-09, 0:05 AM

Bump


  • Posts: 1
  • Registered: ‎01-12-2012
  • Location: USA
  • Views: 20
  • Message 3 of 20

Feature Request: ability to create strong harddisk-passwords

2012-01-12, 20:42 PM

I bought a Lenovo Thinkpad X220 laptop because I thought the laptop was oriented for "professional" business users. An important necessity for a business use computer is security. BASIC security involves being able to create a strong password, which means having the ability to use a full character set of Uppercase (e.g., H, R, E) & Lowercase (e.g., h, r, e) letters, Specialcase Characters (e.g. $, +, ?), and Numbers (e.g., 4, 5, 6).

 

I have an Intel 3rd Generation SSD in the X220 that has built-in encryption. To activate the encryption I need to set an ATA Password (i.e., a harddisk password). Yet the Lenovo BIOS/UEFI only allows the use of Lowercase letters and Numbers during the creation of this password, which means any passwords created are not as strong as they could be.

 

PLEASE fix this in future models ASAP! I will literally buy another X220 later this year if you make a new model that allows strong harddisk-password creation in the BIOS/UEFI. Security is a MAJOR problem in today's computing environment, especially in business environments. I applaud how Lenovo gives users the ability to disable USB ports, Webcams, Microphone, etc in the BIOS. But I was very disappointed that proper attention was not given to such a basic security practice as being able to use full character sets in harddisk-password creation. ESPECIALLY with the introduction of SSD built-in encryption, I think Lenovo needs to get on this and make this change to BIOS/UEFIs in Thinkpads for security reasons.

 

I'd appreciate a response from Lenovo Staff, hopefully with acknowledgement of the problem and some indication that future Thinkpad models will change this weakness in the BIOS/UEFI and allow strong password creation.

 

Thanks for the opportunity to express this important Feature Request.


  • Posts: 11860
  • Registered: ‎01-02-2010
  • Location: United States of America
  • Views: 422554
  • Message 4 of 20

Re: Feature Request: ability to create strong harddisk-passwords

2012-01-12, 22:43 PM
If you are using passwords longer than 7 characters, you have "passphrase" turned on. If passphrase is turned on, the PW stored on the disk is a hash value that is based on the scan code of the keystrokes. I won't go into much detail because of rules about allowable content, but I will say that it is a 1-way hash, so there is no way to get from the hash value back to what you entered. The hash of "abc" is as secure as the hash of "R25$%aZrtY6". The hash is the same length. The allowable characters need to be characters that can be mapped to any language's keyboard.

Rich


I do not respond to requests for private, one-on-one help. Your questions should be posted in the appropriate forum where they may help others as well.

If a response answers your question, please mark it as the accepted solution.

I am not an employee or agent of Lenovo.

  • Posts: 6849
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 165144
  • Message 5 of 20

Re: Feature Request: ability to create strong harddisk-passwords

2012-01-13, 17:52 PM

This is not a security problem. The hardware does not let you perform a dictionary attack, because it will shut down after 3 wrong guesses, then you have to reboot. Assume you invented an automated attack that did 3 guesses in 3 seconds and then rebooted which takes ~6 seconds to get back to the HDD password screen. So 3 guesses in 9 seconds, or for simplicity's sake let's say each guess takes 3 seconds.

 

Let's also say you have a strong password with 8 characters that include a-z and 0-9 or a total of 36 possible characters.  So the total number of possible passwords is 36^8 which is more than 2 trillion.  At a rate of trying each possible password at 1 every 3 seconds, you are looking at about 900 billion seconds, or 600,000 years.

 

This is not like a Windows password, where you can take the SAM file (which contains the password hashes) and attack it with a supercomputer which is capable of making billions of guesses a second.  That's why Windows passwords need to be much more secure and include special characters, capital letters, and longer lengths.

 

There are technical reasons why special characters can't be accepted by the HDD, but I won't go into them here.  They simply aren't needed from a security perspective.


  • Posts: 4
  • Registered: ‎12-22-2009
  • Location: Israel
  • Views: 37
  • Message 6 of 20

Re: Feature Request: ability to create strong harddisk-passwords

2012-08-01, 9:46 AM

I'm searching for more in-depth technical documentation for the hard disk Master/User password feature. I remember finding such a document back in 2004 when my then-company migrated to ThinkPads, but so far my searches have come up empty. Can you point me to proper documentation about the encryption technique used?

 

 


  • Posts: 11860
  • Registered: ‎01-02-2010
  • Location: United States of America
  • Views: 422554
  • Message 7 of 20

Re: Feature Request: ability to create strong harddisk-passwords

2012-08-01, 18:28 PM
They are not going to release info about password encryption methods, which would be used as a guide for hacking.

Rich



  • Posts: 9380
  • Registered: ‎11-27-2007
  • Location: Slovakia
  • Views: 2040239
  • Message 8 of 20

Re: Feature Request: ability to create strong harddisk-passwords

2012-08-01, 18:53 PM

@ atomax,

 

sorry, but richk is right.  This sort of information would not be made available in the forums because of the risk of it being used for illicit reasons or gain.

 

If you work for a corporate customer of Lenovo by all means contact your company's Lenovo rep and request the information, but please do not broach this subject again in the forums.

 

Thanks for understanding

Andy  

______________________________________


Please remember to come back and mark the post that you feel solved your question as the solution, it earns the member + points

Did you find a post helpful? You can thank the member by clicking on the star to the left awarding them Kudos

Please add your type, model number and OS to your signature, it helps to help you.

Forum Search Option T430 2347-G7U W8 x64, Yoga 10 HD+, Tablet 1838-2BG, T61p 6460-67G W7 x64, T43p 2668-G2G XP, T23 2647-9LG XP, plus a few more.

FYI Unsolicited Personal Messages will be ignored.


  • Posts: 5
  • Registered: ‎06-22-2012
  • Location: Lao People's Democratic Republic
  • Views: 70
  • Message 9 of 20

Re: Feature Request: ability to create strong harddisk-passwords

2012-08-04, 0:51 AM

Lots of understandable FUD here. OP is right in wanting more options to create a password.

 

You don't need to dictionary attack the password. It's easier to retrieve the hash and work on that offline.

 

One way hash is only as good as the hash function in use.

 

If you use password abc and simply hash with something like md5 or sha256 then any lookup table will have a matching pre-computed hash value for that password. Every possible permutation for a 3 character password hash has been calculated already. You don't need to reverse the hash.. just find a pre-computed hash in a lookup table.

 

What we need to know in order to trust Lenovo's hash function is whether they pad the password with a long and unpredictable salt.. and then hash that combination many times. The salt is random data that should make the hash so long it can't be easily pre-computed. Note the easily bit there..

 

Obscurity is not security. Knowing how passwords are hashed is important if you're serious about trusting any hashing mechanism. Generally you should only trust Encryption if well known open standards are used.
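
An added illustration of the salt-and-iterate point in the post above. It is not part of the original thread and does not describe how Lenovo firmware or any drive derives or stores the password, which the thread does not document. The iteration count, function names and sample passwords are assumptions constructed for the example.

```python
import hashlib, hmac, math, os

ITERATIONS = 100_000  # assumed work factor, chosen for this example only

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)

def unsalted_digest(password):
    """Single unsalted SHA-256: identical on every device for the same password."""
    return hashlib.sha256(password.encode()).digest()

def salted_record(password, salt=b""):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-device salt."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], stored)

def demo():
    # Constructed sample: two devices whose owners picked the same short password.
    table = {unsalted_digest(p): p for p in ("abc", "123456", "thinkpad")}
    dev_a, dev_b = unsalted_digest("abc"), unsalted_digest("abc")
    salt_a, rec_a = salted_record("abc")
    salt_b, rec_b = salted_record("abc")
    return {
        "unsalted_identical": dev_a == dev_b,      # same value on both devices
        "unsalted_in_table": table.get(dev_a),     # precomputed table resolves it
        "salted_identical": rec_a == rec_b,        # per-device salt breaks the match
        "salted_in_table": table.get(rec_a),       # the same table is useless
        "verify_ok": verify("abc", salt_a, rec_a),
        "verify_wrong": verify("abd", salt_a, rec_a),
        "bits_36": round(keyspace_bits(36, 8), 1),  # a-z, 0-9, 8 characters
        "bits_94": round(keyspace_bits(94, 8), 1),  # printable ASCII, 8 characters
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two values compare the 8-character keyspace of the 36-symbol alphabet discussed in the thread with a 94-symbol printable-ASCII alphabet.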


  • Posts: 11860
  • Registered: ‎01-02-2010
  • Location: United States of America
  • Views: 422554
  • Message 10 of 20

Re: Feature Request: ability to create strong harddisk-passwords

2012-08-04, 14:06 PM

It is not some stupid table search. You cannot retrieve the hash without disassembling the drive and examining the platters with tools that a normal hacker will not have. It is stored on the platters in an area that cannot be read with external commands. It is never read into memory. The unlock command sends the challenge password hash to the drive and the drive is either unlocked or it isn't. I also believe it is not stored in a contiguous area. If you disassemble the drive and use your electron microscope to retrieve the hash, "all you will need to do" is reverse engineer the drive's firmware to see how the hash calculated in the BIOS is mapped in the hash stored in the platters. If you are afraid of some thief doing that, either you are carrying state secrets and need an entirely different sort of solution, or you need to get back on your paranoia medication.


Rich

