As you might have read from the previous guides published on The Instructional, the Mac can be booted from either its built-in OS X Recovery volume an external storage device to aid in the troubleshooting and resolution of any software issues that might have occurred. Unfortunately, these methods could be used maliciously and result in your Mac being either erased or, perhaps worse, information stored within to be taken.
As a way to prevent this sort of access from occurring, the Mac has a built-in function that, when enabled, requires a password to be entered before it can be booted from either OS X Recovery or external drive.
How Firmware Password Works
Unlike your OS X login password, Firmware Password is stored within the Mac's EFI (Extensible Firmware Interface). This allows it to operate independently of whatever installation of OS X may reside on the Mac and even it is wiped, the Firmware Password will remain.
Once enabled, should you (or anyone else) need to boot the Mac from either OS X Recovery or an external hard drive, the firmware password will be required. Without it, the Mac will only boot from its default startup disk.
Enabling Firmware Password
Enabling and disabling Firmware Password can only be done using OS X Recovery. To start, boot your Mac into OS X Recovery by holding Command+R during startup.
Once OS X Recovery has booted, select Utilities > Firmware Password Utility. A dialog box will appear letting you know if password protection is enabled or disabled.
To continue, click Turn On Firmware Password and then set a new password, confirming it before clicking Set Password.
Requiring Password Input
After quitting Firmware Password Utility, restart your Mac and hold down Alt. Instead of seeing the expected boot menu, you'll be prompted to enter a password in order to continue.
No matter the current state of the Mac's internal OS X volume, Firmware Password will always work.
Disabling or Changing Firmware Password
To turn off or change the password, you can repeat the same process required when enabling it.
After booting into OS X Recovery, which will require the password to be entered, go back into the Firmware Password Utility and select either Change Password... or Turn Off Firmware Password...
Both of these will require the existing password to be entered before it can be changed or disabled.
Forgetting the Firmware Password
In the Mac's PowerPC and early Intel days, the firmware password could be deactivated by altering the hardware configuration, usually through adding or removing a RAM stick.
That's no longer the case, especially as the portable Mac range cannot be RAM upgraded.
If you do happen to forget or misplace the password, your only option is to either make a Genius Bar appointment at an Apple Store or visit an Apple Authorised Repair Centre (AASP). You can find your nearest Apple Store or AASP by visiting Apple's Where to Buy page.
Wrapping Up
Firmware Password provides an additional level of security when it comes to locking down your Mac, though the need for it has been greatly diminished since the introduction of FileVault 2, a security feature that serves a much better purpose by performing whole-disk encryption.
I'm by no means suggesting Firmware Password no longer has any use, far from it. For corporate or education environments, preventing users from booting OS X Recovery or their own external drive is extremely useful, but Firmware Password should not be considered an effective means of protecting your data.
While Firmware Password can prevent the Mac booting from OS X Recovery or external storage device, FileVault 2 actively protects your data. Firmware Password is useless if your Mac's hard drive is removed, FileVault 2 is not.