Many computers have the ability to set a boot password, which will prevent (most) people from even getting to the point where they could boot from CD. Though, as you said, "If it's not physically secure, it's not secure", since the computers all have some method of clearing that password. (Typically, this involves opening the computer and shorting two pins.) It's the slightly-less-cheap padlock on the outside door that they need to get through before they can remove the other cheap padlock. :-)
Of course, if someone was that determined to get in, they'd probably just walk off with the entire computer. Not very subtle, but they'll still have access to all the data on the computer.
Posted by: Ken B at January 4, 2010 11:54 AM
I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough.
Posted by: Me at January 5, 2010 11:15 AM
"I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough."
Absolutely and completely untrue. The 256-bit AES encryption algorithm as a practical matter is unbreakable for the foreseeable future. AES is so mathematically complex that today's fastest supercomputers would have to work on the problem for many, many decades before they would be able to break it.
Physical access or not, AES (which TrueCrypt uses) will keep valuable personal information safe, as long as a strong password is used.
I agree, and want to emphasize the importance of the password - or rather pass phrase. All the encryption in the world won't save you from having chosen an easy to guess or compromised passphrase.
06-Jan-2010
Posted by: Tom R at January 5, 2010 12:10 PM
quoted: I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough.
Posted by: Me at January 5, 2010 11:15 AM //
Maybe you read it in the article you commented on ... the large bold print that says "If it's not physically secure, it's not secure".
That same article that you're also commenting on goes on to recommend encryption as a solution.
06-Jan-2010
Posted by: loaded at January 5, 2010 2:22 PM
Hello Leo, Find your site both informative & enjoyable.
Re Safe Lock Up of Your Computer.
Assuming my LT computer is stolen & unlocked by the thief.
If I store sensitive info within Gmail [like in 'Gmail contact notes'] & create a solid pw for my Gmail sign on. How secure would this be?
My layman's logic tells me that Google could not be hacked easily & even if a hacker did this, crunching a Google sign on pw would also be difficult for an external hacker?
I have coupled the above set up with a Nortons Identity pw on my computer which I assume will make it doubly difficult if a thief ever gets his hands on my LT & unlocks it.
He would have to crack both the Nortons + my Gmail Sign On pw's to get amongst my sensitive stuff. Good Idea, or am I missing something?
I just back my Ho Hum files up on multi Flash Drives.
Alan
The risk is not hacking anything, but rather gaining access to your GMail password. If you've ever allowed your browser to remember your password, then it can be trivially recovered by a thief who has access to your machine. This on a different site might scare you a little: Forgot Gmail Password? Use your browser to recover it!
06-Jan-2010
Posted by: Alan Smith at January 5, 2010 3:05 PM
I just got a brand new laptop, and at first used the fancy drive encryption that I thought would keep prying eyes off my data. The only problem is it was so INTRUSIVE, and became a pain in the toucas, that I finally turned it off; so much for good tools but not wanting (or liking) to use them.
Posted by: Craig at January 5, 2010 3:29 PM
How "solid" is your GMail password? Do you have it written down anywhere (digital or paper)? Do you have GMail password recovery turned on? Are the hints easy to guess? Are you using HTTP or HTTPS to access your GMail (if HTTP your Password and email can be intercepted when you are reading it)?
The only way you can be sure that your files are unreadable at GMail is if they are encrypted. Which gets you back to encrypting your HD. Make sure to encrypt the whole HD, not just files, folders or partitions.
Posted by: ron at January 5, 2010 5:28 PM
@Tom R
Absolutely WRONG. The world's best super computers can crack AES in a couple of days. You and I don't need to worry about that because they are mostly used by scientists for research or government agencies to process certain data. However, for the average Joe Bloggs on the street with a Quad-Core 2.6 GHz it will indeed take not only years, but decades to crack the encryption. Also, AES is strongest when the longest possible password is used, which would mean a 256 character password. Most people's passwords are probably less than 64 characters and therefore, there is a reduction in the strength offered by the encryption.
Posted by: Pookey at January 5, 2010 9:36 PM
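The thread's two questions (how large the AES-256 key space is, and how much the passphrase matters) can be put into numbers. The following is an added example, not part of any commenter's post: it assumes passphrase symbols are chosen uniformly at random, uses PBKDF2-HMAC-SHA256 as a stand-in key-derivation function, and the guess rate of 10^12 per second is an assumed figure, not a measurement.

```python
import hashlib, math, time

AES_KEY_BITS = 256               # key size discussed in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)

def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose symbols are picked uniformly at random."""
    return length * math.log2(alphabet_size)

def effective_bits(pass_bits: float, key_bits: int = AES_KEY_BITS) -> float:
    """The search space is the smaller of the passphrase space and the key space."""
    return min(pass_bits, key_bits)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate in a 2**bits space at a fixed guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def length_to_match_key(alphabet_size: int, key_bits: int = AES_KEY_BITS) -> int:
    """Random symbols needed before the passphrase stops being the weak link."""
    return math.ceil(key_bits / math.log2(alphabet_size))

def measured_guess_rate(iterations: int, trials: int = 5) -> float:
    """Key derivations per second on this machine (one core)."""
    salt = b"constructed-salt"   # constructed value for the timing loop
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"guess-{i}", salt, iterations)
    return trials / (time.perf_counter() - start)

if __name__ == "__main__":
    ASSUMED_RATE = 1e12   # assumption: guesses/second for a very large attacker
    samples = [           # constructed examples: (label, length, alphabet size)
        ("8 lowercase letters", 8, 26),
        ("12 printable ASCII", 12, 95),
        ("6 random words from a 7776-word list", 6, 7776),
        ("40 printable ASCII", 40, 95),
    ]
    for label, length, alphabet in samples:
        bits = effective_bits(passphrase_bits(length, alphabet))
        print(f"{label:40s} {bits:6.1f} bits  {years_to_exhaust(bits, ASSUMED_RATE):.3g} years")
    print(f"raw AES-256 key space: {years_to_exhaust(AES_KEY_BITS, ASSUMED_RATE):.3g} years")
    print(f"local PBKDF2 rate at 100000 iterations: {measured_guess_rate(100_000):.1f}/s")
```

Raising the PBKDF2 iteration count lowers the measured guess rate, which slows passphrase guessing but does not change the size of the passphrase space.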
I think that is a little overkill. If someone did that the user would notice that the PC had been hacked because it would no longer be logged in to his account when he arrives at his PC...
I think that for a normal working situation, like an office or college, locking your PC with a good password is safe enough. I believe there is no way to get into someone's account (without knowing his pwd or an admin pwd) and leave it unnoticeable...
Whether it's noticeable isn't the issue. Keeping your data safe most certainly is. You'll notice your wallet has been stolen eventually, but even so ... your wallet has been stolen, and all the information in it. Best to not have it stolen in the first place.
07-Jan-2010
Posted by: Pedro at January 6, 2010 9:45 AM
Just wanted to add a little note concerning Gmail. As of January, 2010 Gmail is sent via HTTPS: (encrypted) as opposed to HTTP: that was previously used.
Posted by: Dave Markley at January 18, 2010 2:45 PM
To post a comment on "Does locking my computer keep it safe?", please return to that article's main page.