Feeds

Forgot your ThinkPad password? Get new hardware

Lenovo merciless on memory loss

SANS - Survey on application security programs

Users of Lenovo ThinkPad laptops may be in for a nasty surprise if they forget their main (supervisor) hard drive password.

The Chinese hardware manufacturer refuses to reset hard drive (BIOS) security passwords for laptops even if they are covered by warranty. Lenovo, which bought IBM's ThinkPad laptop business in 2005, cites security concerns for this established but little-publicised policy.

While official Lenovo channels offer only the expensive fix of replacing a machine's motherboard, costing perhaps $400 plus or around the price of some new machines (like the X100e here), a variety of password recovery tools will do the job for around $80. Sure enough Google search "reset Thinkpad password" turns up various tools, which we haven't tested and therefore can't endorse, that claim to do the job.

The more credible offers provide step by step guides as well as links to software downloads, while the more suspect offers include ads on Craigslist.

Reg reader Shaun P, who put us on to the issue, explains: "When a Lenovo customer forgets their password the firm tells customers to replace the motherboard at their expense. That's because the password lock-out problem is something that isn't covered under Lenovo ThinkPad warranties."

Sure enough, page 19 on Lenovo's ThinkPad warranty explains that while the "power-on" password can be reset by service agents the same doesn't apply to supervisor passwords.

If you forgot your supervisor password, Lenovo authorized servicer cannot reset your password. You must take your computer to a Lenovo authorized servicer or a marketing representative to have the system board replaced. Proof of purchase is required, and a fee will be charged for parts and service.

Lenovo explained the rationale for this policy in a brief statement.

Lenovo does not reset passwords for customers regardless of warranty status. To do so, represents a potential security exposure.

Lenovo entitles warranties based on the system model and serial number combination and not based on a particular registered customer - in which case Lenovo would have no way to authenticate a customer seeking help with a story of a lost or forgotten password. If Lenovo were to reset administrator or HDD passwords by either policy or available procedure, then we would be creating an exposure and undermining the value of the passwords to deter theft and prevent unintended access to data.

Users are always forgetting passwords, which is why corporate help-desks are busy and the reason why corporate encryption systems come with password recovery tools. A quick search through user forums reveals numerous complaints, and a fair bit of confusion, on web forums over password recovery on ThinkPads.

A few examples can be found on Techspot (here), Tom's hardware (here) and Fixya (item two here). Users on an Indian forum had similar problems.

More woe can be found on a ThinkPad site here. And here, and again here (on a security forum) and finally, in our list at least, here.

Green computing has become a more important issue over recent years. Lenovo said that motherboards taken out of machines that get replaced as a result of its approved fix for password forgetfulness get recycled.

Any parts returned would be processed and environmentally recycled. For more information on our business disposal and recycling services, please visit: http://www.lenovo.com/services_warranty/US/en/asset_recovery.html For more information on our consumer recycling programs, please visit: http://www.lenovo.com/social_responsibility/us/en/product_recycling_program.html

Our tipster remains less than impressed with Lenovo's policy. "Ultimately I would like Lenovo/IBM to take some responsibility here and just provide a sensible solution," Shaun P told El Reg.

"I don't expect the solution to be free, although a web-based password reset service done properly would be great, but I don't expect it to cost more than the machine is worth."

Shaun also took issue with Lenovo's implied assumption that the customer must always be in the wrong over lost passwords. "Lenovo's unwritten policy if you 'forget' your password is, buy a new laptop," Shaun, who has experience the problem at first hand, explained. "Mr Criminal on the other hand can break the security in under 30 minutes. Kind of ironic that Lenovo can offer no real support to legitimate customers, but the bloke at the car boot sale can."

Have Reg readers experienced anything similar password reset problems with other manufacturers? We'd like to know. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
WTF happened to Pac-Man?
In his thirties and still afraid of ghosts
Reg man builds smart home rig, gains SUPREME CONTROL of DOMAIN – Pics
LightwaveRF and Arduino: Bright ideas for dim DIYers
Leaked pics show EMBIGGENED iPhone 6 screen
Fat-fingered fanbois rejoice over Chinternet snaps
Apple patent LOCKS drivers out of their OWN PHONES
I'm sorry Dave, I'm afraid I can't let you text that
Microsoft signs Motorola to Android patent pact – no, not THAT Motorola
The part that Google never got will play ball with Redmond
Slip your finger in this ring and unlock your backdoor, phone, etc
Take a look at this new NFC jewellery – why, what were you thinking of?
Happy 25th birthday, Game Boy!
Monochrome handset ushered in modern mobile gaming era
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.