HP ProtectTools password guidelines - White Paper
5
HP BIOS implements a second level password filter to ensure that the user is not locked out of the
computer. Preboot Security and Drive Encryption contain the keyboard mappings for all the supported
keyboards. When a user sets up or changes a password while the Preboot Security or Drive Encryption
levels are enabled, Preboot Security and Drive Encryption receive the Unicode password hash from the
OS. Password filtering logic verifies that the keyboard layout associated with the user is able to type the
password. Otherwise, the password filter will reject the password.
Changing the keyboard in Windows without verification by the password filter or choosing a password
while unaware that an unintended keyboard layout is selected may prevent you from physically typing
your password. After three unsuccessful login attempts, Preboot Security login will automatically display
an on-screen keyboard with all possible characters from the associated keyboard layout and allow you
to “click” each character in the password.
Note
The on-screen keyboard in the Preboot Security login displays many
characters, some of which look very similar to characters on other
keyboards. To enter the correct characters, you should look at all
available characters before attempting to enter the password.
How Preboot Security handles dead keys
A dead key is a keyboard key that modifies the next key that is typed. For example, in Windows, some
keyboards allow you to type combinations like the following: pressing the dead key ‘ and then “e”
produces “é.” In other cases, applications themselves allow for dead keys. Many Windows
applications allow you to press the dead key Ctrl - ‘ and then “e” to produce “é”, independent of the
keyboard layout being used. At the Preboot Security login, the use of dead keys has been added to
provide you with as much keyboard functionality as possible. If a character can be produced in
Windows and cannot be typed at the Preboot Security login, the password will be rejected. If the dead
key is not rejected when changing the password of a ProtectTools user within Windows, the user can
also use the dead key when logging in at the Preboot Security login screen. Typically, Preboot Security
supports dead keys that are supported by a keyboard and does not support dead keys that are
supported by particular applications. Thus, the Spanish keyboard layout in Preboot allows for the ‘ and
then “e” combination to produce “é”; it does not support the Ctrl - ‘ and then “e” combination to
produce “é.”
Preboot Security ensures that the Windows password chosen can always be typed at the Preboot
Security and Drive Encryption login screens, as neither of these two operating environments supports all
the advanced typing features available in Windows. Therefore, all characters that require special
typing methods that are not common to all keyboards, such as the use of the Kana key (Japanese) or
the Input Method Editor (IME) function of Windows, will result in password rejection by the password
filtering logic.