Your Windows login password gets you surprisingly little real security. I'll look at why that is, why you might still want one, and what I do instead.

I use Windows 7 on two desktops and a laptop. Up until now, I have never bothered using a password when logging on. But recently, I was cautioned to use a Windows Logon password when I bought the laptop. The shop where I purchased it said this was for security, in case someone took it. They also said the use of a password on my home PCs would prevent malware from being automatically installed should I inadvertently download something. Is this true? I ask because a year ago, I tried to close a pop-under ad using the red X button and unknowingly installed malware. I now use Task Manager for such operations, but the bad guys keep changing what they do, so that solution may someday no longer work.

I'll put it this way: the security provided by a Windows login password is highly overrated.

It doesn't protect you from many of the things that you've mentioned, and it's pretty darned easy to circumvent.

Yes, I use a password on my Windows 7 machines, but not for security reasons. I use one because it's required to make something I use frequently work.

You should probably have one too, but just be aware of what it gets you, and especially what it doesn't.

I'll start with the gaping hole: if someone takes your laptop, they don't need your password. Seriously. They can easily and surprisingly quickly set a new administrator password and then log in or do whatever they please. I've written about the technique for this before: I've lost the password to my Windows Administrator account, how do I get it back?

The lesson to be learned there is simple: having a password on your Windows login gets you exactly zero security should your computer be stolen.

Or put the way I usually put it: if your computer's not physically secure, it's not secure.

With that huge misconception out of the way, let's look at what a Windows login password does get you.

Not much.

I look at it as a cheap padlock. It keeps honest people honest, perhaps prevents a few mistakes, but is not much of a deterrent to someone who's really interested in breaking through.

I honestly don't see how it slows down malware infections at all, since infections normally happen when you're already logged in, using a password or not. About the only scenario that might be slightly impacted would be some malware that tries to gain administrative privileges - if there's no administrator password, perhaps it could. But that scenario seems rare.

Login passwords are useful, and perhaps even required, for some things:

  • preventing unauthorized access to your files or file shares by other computers on your local area network

  • allowing access to your files or file shares by you, when using other computers on your local area network

  • remote desktop access requires that you have a login password on the account you're using to access a machine remotely

That last reason is exactly why all my machines have passwords on my login account. And the second reason is why all those account names and passwords are identical across all my machines: it enables more transparent access of files across my local area network.

I do not password my Windows login for any serious security.

My security measures are more comprehensive, and to put it somewhat redundantly, more secure. Naturally, I use a firewall, have anti-malware software running, keep my software up to date, use common sense when surfing the net, and I make sure to encrypt sensitive data with tools like TrueCrypt.

Article C4231 - March 25, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

4 Comments
Michael Delheimer
March 30, 2010 8:49 AM

I recently found how easy it was to reset the password on Windows 7. My father purchased a new 7 computer and before he could write down his password, he forgot it. I Googled it and found a place that would sell me the software to unlock 3 machines for 19 dollars. I paid the 19, burned the download to a disk and in 3 minutes had reset his password. I left the disk with him in case it happens again. I did not realize that it was that easy. Now we know.

It needn't cost any money either. As mentioned in the article you just commented on, this article of mine describes how to do it for free: I've lost the password to my Windows Administrator account, how do I get it back?
Leo
31-Mar-2010

John
March 31, 2010 5:08 PM

The only time it's useful is when you're part of a network of other computers and that there are other people.

You should have at least a basic password on an account. This will at least stop anyone from entering your computer via the network or from physically logging in to your computer. Also, unlike Leo, most people don't have a clue as to what a firewall is.

If you have children in the house and are concerned that they would destabilize your computer then have a password.

People of technical know-how already know that having a passwordless system would jeopardize the system if your firewall or network security goes down.
But as Leo says when the computer is stolen there is nothing that would protect it.

Duane Ferguson
April 2, 2010 7:07 AM

Windows passwords are not worth the Post-it notes you write them on. There are a number of readily available, perfectly legitimate tools that will find and remove passwords. I often use alternative Operating Systems like Linux Puppy or Ultimate Boot CD to retrieve gigabytes of data from Windows machines that have become infected or corrupted in some other way. Boot from either of these two options, and the security provided by your Windows password simply ceases to exist. Your Windows password protects you from honest people, but that's about it.

Ian Richardson
February 9, 2012 1:34 AM

Thanks Leo, that's v useful and informative. I just rely on the W7 password to stop other people in the house using my machine. If it gets stolen I aren't that bothered. My data is backed up and at another location, so even if the place burns down I've still got my iTunes!!!!
