The result of setting an firmware password is that a Mac can not be booted from an external boot volume, single user mode, or target disk mode, and it also prevents resetting of PRAM and the ability to boot into safe mode, without logging in through the firmware password first. This effectively prevents a wide variety of methods that could potentially be used to compromise a Mac, and offers exceptional security for users who require such protection.

Like any other essential password, use something memorable but complex, and do not forget a firmware password after it has been set. A lost firmware password is unrecoverable on most modern Macs without a visit to an Apple Store for service and recovery.

Setting a firmware password is rather simple.

• Start up from macOS recovery mode by holding down Command (⌘)-R immediately after turning on your Mac. Release the keys when you see the Apple logo.

• When the utilities window appears, choose Utilities > Firmware Password Utility from the menu bar. On iMac Pro, choose Startup Security Utility instead.

• Click Turn On Firmware Password.

• Enter a firmware password in the fields provided, then click Set Password.

• Quit the utility, then choose Apple () menu > Restart.

The firmware password will not appear during a regular restart or boot of the Mac, it only becomes mandatory when the Mac is attempted to boot from alternate methods. This may be in situations where a Mac is attempted to boot from an macOS installer drive, an external boot volume, recovery mode, single user mode, verbose mode, target disk mode, resetting the PRAM, or any other alternative booting approach that will summon the rather plain looking firmware password window. There are no password hints or additional details provided, only a simple lock logo and a text entry screen. An incorrectly entered firmware password does nothing and offers no indication of login failure except that the Mac won't boot as anticipated.

To reset a login password in OS X Mountain Lion or later, restart the Mac and hold down Command-R to boot into the Recovery HD partition. From the Utilities menu, choose Terminal to open it. In Terminal type:

resetpassword

and press Return.

In macOS Sierra and macOS High Sierra, an Reset Password assistant will launch. Choose the user account or admin account you want to reset the password for. Enter a new password, confirm the new password, set (if you like) a password hint and then click on "Next" to set the new password for the account in question. Choose to "Restart" the Mac and when the Mac boots up, use the newly reset password to login to the computer.

In OS X Mountain Lion, OS X Mavericks, OS X Yosemite and OS X El Capitan, a Reset Password window will appear that will list all the bootable volumes attached to your Mac. Select the volume that contains the account you want to reset and choose the user name that needs its password reset. Enter and verify a new passwords in the appropriate fields and, if you like, enter a password hint. Click Save and the new password is applied to the account.

Moving to a new Mac? Learn how to move your files to your new Mac. Do this before you erase the hard drive or follow any other steps. 

• Create a backup. Be sure you have an up-to-date backup of your important files and data. Learn how to back up your data in OS X.

• Sign out of iTunes. Open iTunes. From the menu bar at the top of your computer screen or at the top of the iTunes window, choose Account > Authorizations > Deauthorize This Computer. When prompted, enter your Apple ID and password. Then click Deauthorize. Learn more about deauthorizing your computer using iTunes, including how to deauthorize all the computers you've used with your iTunes account.

• Sign out of iCloud. If you use Find My Mac or other iCloud features on your Mac, you should first archive or make copies of your iCloud data. After that, choose Apple Menu > System Preferences, click iCloud, and then deselect the Find My Mac checkbox. Finally, sign out of iCloud. In System Preferences, click iCloud, and then click the Sign Out button. When you sign out of iCloud, you're asked whether you want to remove iCloud data from your Mac. Your iCloud data will remain on any other devices that are using the same Apple ID.

• Sign out of iMessage. If you're using OS X Mountain Lion or later, sign out of iMessage. In the Messages app, choose Preferences > Accounts. Select your iMessage account, then click Sign Out.

• Erase and reinstall OS X. To reformat your hard drive and reinstall OS X, follow these instructions. After you reformat your hard drive and reinstall OS X, the computer restarts to a Welcome screen and asks you to choose a country or region. If you want to leave the Mac in an out-of-box state, don't continue with the setup of your system. Instead, press Command-Q to shut down the Mac. When the new owner turns on the Mac, the Setup Assistant will guide them through the setup process.

Having a password is highly recommended so if you haven't set one up already, you can protect your account by going into System Preferences -> Users & Groups and selecting your account. However, the issue with good security is that it all depends on you being able to set a secure password and, crucially, remembering it. What happens of you one day realize that you've forgot the password? Or more likely, what if your parents one day call you up saying they've forgot the password for their account?

There are several ways to do reset the password. The best case is if you still have access to another administrator's account. In this case you can reset the user's password by going to System Preferences -> Users & Groups. Select the account that you want to recover, click the Change Password button and type in a new password. Easy!

If you don't have access to an administrator's account, boot to the recovery partition by holding Command-R at startup (or by holding Option and selecting "Recovery HD" from the boot menu), and then selecting Terminal from the Utilities menu. When this is done and a Terminal window is open, simply type:

resetpassword

and press Return to launch the Reset Password utility. The program will launch, but do not close the Terminal window or the program will be killed as well. With the Password Reset utility now open, you can select the volume and the account, and change the password for that account.

Granted, for an operating system that is supposed to have great security, it is surprisingly simple to gain access to the computer. What if you have some top-secret files that nobody should be able to access? Is there a way to block the methods that we just described?

Of course there is! First, enable FileVault in System Preferences -> Security & Privacy. FileVault encrypts all your personal data so that even if someone manages to steal your computer they will not be able to access your data without the correct password.

You can also set a Firmware password that will be required to boot the computer and enter any of the recovery modes. This password can be set by booting to the recovery partition and selecting the Firmware Password Utility option from the Utilities menu.

After you've set the Firmware password the computer will disable all the methods we've mentioned in this article as well as several other recovery modes (reinstall, repair and so on) so do make sure that you remember the password! In a worst-case scenario you can reset the Firmware password it by opening your computer and removing one of the RAM sticks. When you boot the computer the password will be reset, after which you can replace the missing stick.