Your Windows login password gets you surprisingly little real security. I'll look at why that is, why you might still want one, and what I do instead.
I use Windows 7 on two desktops and a laptop. Up until now, I have never bothered using a password when logging on. But recently, I was cautioned to use a Windows Logon password when I bought the laptop. The shop where I purchased it said this was for security, in case someone took it. They also said the use of a password on my home PCs would prevent malware from being automatically installed should I inadvertently download something. Is this true? I ask because a year ago, I tried to close a pop-under ad using the red X button and unknowingly installed malware. I now use Task Manager for such operations, but the bad guys keep changing what they do, so that solution may someday no longer work.
I'll put it this way: the security provided by a Windows login password is highly overrated.
It doesn't protect you from many of the things that you've mentioned, and it's pretty darned easy to circumvent.
Yes, I use a password on my Windows 7 machines, but not for security reasons. I use one because it's required to make something I use frequently work.
You should probably have one too, but just be aware of what it gets you, and especially what it doesn't.
I'll start with the gaping hole: if someone takes your laptop, they don't need your password. Seriously. They can easily and surprisingly quickly set a new administrator password and then log in or do whatever they please. I've written about the technique for this before: "I've lost the password to my Windows Administrator account, how do I get it back?"
The lesson to be learned there is simple: having a password on your Windows login gets you exactly zero security should your computer be stolen.
Or put the way I usually put it: if your computer's not physically secure, it's not secure.
With that huge misconception out of the way, let's look at what a Windows login password does get you.
I look at it as a cheap padlock. It keeps honest people honest, perhaps prevents a few mistakes, but is not much of a deterrent to someone who's really interested in breaking through.
I honestly don't see how it slows down malware infections at all, since infections normally happen when you're already logged in, using a password or not. About the only scenario that might be slightly impacted would be some malware that tries to gain administrative privileges - if there's no administrator password, perhaps it could. But that scenario seems rare.
Login passwords are useful, and perhaps even required, for some things:
- preventing unauthorized access to your files or file shares by other computers on your local area network
- allowing access to your files or file shares by you, when using other computers on your local area network
- remote desktop access, which requires that you have a login password on the account you're using to access a machine remotely
That last reason is exactly why all my machines have passwords on my login account. And the second reason is why all those account names and passwords are identical across all my machines: it enables more transparent access to files across my local area network.
I do not password my Windows login for any serious security.
My security measures are more comprehensive, and to put it somewhat redundantly, more secure. Naturally, I use a firewall, have anti-malware software running, keep my software up to date, use common sense when surfing the net, and I make sure to encrypt sensitive data with tools like TrueCrypt.