
The lock function in Windows is convenient and fast, but it's not quite as secure as you might think. We'll look at why.

My college says to lock your computer - will that make it safe? For example, in Windows, pressing the Windows Key + L locks the computer. It seems to me that if you do lock it, there are still a few folks who know how to unlock it and help themselves. So should I feel safe locking the computer?

Not really.

Of course it depends on the situation, but locking your computer is a very mild form of security. It'll help keep honest people honest, but the rest? Not so much.

I'll show you why and how, and what you really need to be doing instead.

I liken locking your computer to putting a cheap padlock on a box or door. Most people don't care and won't take the trouble to try to defeat it. In that sense it's pretty cheap and reasonable security.

Unless, of course, someone really wants to get in.

All they need to do is walk up with a bolt cutter of sufficient size and cut the padlock off. It's very easy and quick - if you have the right tools.

The right tools to break into a locked laptop are not only easy to come by, they're free.

You might think that guessing your password would be the way to go, since locking the machine requires that you enter your password to regain access. That's one approach, particularly if you have an easy-to-guess password. (It's kinda like picking that padlock above - if it's a really cheap padlock, or you're really good at picking, perhaps it'll work.)

I'd skip that step completely and bring out the equivalent of the bolt cutters right away. Here's what I'd do:

Yes, it really is that easy, and is exactly why I so often repeat:

If it's not physically secure, it's not secure.

I'm sure there are other approaches as well; this is just one example of a virtual bolt cutter that I happen to know works well.

So, what to do?

Locking your computer is not a bad idea. As I said, it'll keep honest people honest, and also keep out those who are less technically competent (i.e., those who don't know how easy it is to get in).

And it's possible that doing so, along with traditional precautions like not leaving your computer unattended in public places, might be enough. Knowing how easy it is for someone to get in, though, that's a judgment call you'll have to make based on the importance and privacy of what's on your computer and the real likelihood that anyone would actually care enough to try to break in.

If you feel you need more security than that, then:

  • Never, ever let anyone use or borrow your computer.

  • Never, ever leave your computer somewhere where it can be accessed by someone else - running or not, locked or not.

  • Strongly consider using encryption to keep your data secure, decrypting only as needed, or making sure to turn on the auto-dismount options in tools like TrueCrypt.

  • Always use a strong password.

Sadly it's all too easy to walk up to a computer and access everything there is on it. Particularly for laptops, which can of course be easily lost or stolen, there's a real concern about data loss and data privacy.

It's important that you understand the risks, and take steps appropriate to your situation to protect yourself.

Article C4013 - January 1, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


14 Comments
Ken B
January 4, 2010 11:54 AM

Many computers have the ability to set a boot password, which will prevent (most) people from even getting to the point where they could boot from CD. Though, as you said, "If it's not physically secure, it's not secure", since the computers all have some method of clearing that password. (Typically, this involves opening the computer and shorting two pins.) It's the slightly-less-cheap padlock on the outside door that they need to get through before they can remove the other cheap padlock. :-)

Of course, if someone was that determined to get in, they'd probably just walk off with the entire computer. Not very subtle, but they'll still have access to all the data on the computer.

Me
January 5, 2010 11:15 AM

I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough.

Tom R
January 5, 2010 12:10 PM

"I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough."

Absolutely and completely untrue. The 256-bit AES encryption algorithm as a practical matter is unbreakable for the foreseeable future. AES is so mathematically complex that today's fastest supercomputers would have to work on the problem for many, many decades before they would be able to break it.

Physical access or not, AES (which TrueCrypt uses) will keep valuable personal information safe, as long as a strong password is used.

I agree, and want to emphasize the importance of the password - or rather passphrase. All the encryption in the world won't save you from having chosen an easy-to-guess or compromised passphrase.
Leo
06-Jan-2010

loaded
January 5, 2010 2:22 PM

quoted: I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough.
Posted by: Me at January 5, 2010 11:15 AM //

Maybe you read it in the article you commented on ... the large bold print that says "If it's not physically secure, it's not secure".

That same article that you're also commenting on goes on to recommend encryption as a solution.
Leo
06-Jan-2010

Alan Smith
January 5, 2010 3:05 PM

Hello Leo, I find your site both informative and enjoyable.
Re: Safe Lock Up of Your Computer.
Assuming my LT computer is stolen and unlocked by the thief.
If I store sensitive info within Gmail [like in 'Gmail contact notes'] and create a solid pw for my Gmail sign-on, how secure would this be?
My layman's logic tells me that Google could not be hacked easily, and even if a hacker did this, crunching a Google sign-on pw would also be difficult for an external hacker?
I have coupled the above setup with a Norton's Identity pw on my computer, which I assume will make it doubly difficult if a thief ever gets his hands on my LT and unlocks it.
He would have to crack both the Norton's + my Gmail sign-on pw's to get amongst my sensitive stuff. Good idea, or am I missing something?
I just back my ho-hum files up on multiple flash drives.
Alan

The risk is not hacking anything, but rather gaining access to your GMail password. If you've ever allowed your browser to remember your password, then it can be trivially recovered by a thief who has access to your machine. This, on a different site, might scare you a little: Forgot Gmail Password? Use your browser to recover it!
Leo
06-Jan-2010

Craig
January 5, 2010 3:29 PM

I just got a brand new laptop, and at first used the fancy drive encryption that I thought would keep prying eyes off my data. The only problem is it was so INTRUSIVE, and became a pain in the toucas, that I finally turned it off; so much for good tools but not wanting (or liking) to use them.

ron
January 5, 2010 5:28 PM

How "solid" is your GMail password? Do you have it written down anywhere (digital or paper)? Do you have GMail password recovery turned on? Are the hints easy to guess? Are you using HTTP or HTTPS to access your GMail (if HTTP your Password and email can be intercepted when you are reading it)?

The only way you can be sure that your files are unreadable at GMail is if they are encrypted. Which gets you back to encrypting your HD. Make sure to encrypt the whole HD, not just files, folders or partitions.

Pookey
January 5, 2010 9:36 PM

@Tom R

Absolutely WRONG. The world's best supercomputers can crack AES in a couple of days. You and I don't need to worry about that because they are mostly used by scientists for research or government agencies to process certain data. However, for the average Joe Bloggs on the street with a Quad-Core 2.6 GHz it will indeed take not only years, but decades to crack the encryption. Also, AES is strongest when the longest possible password is used, which would mean a 256-character password. Most people's passwords are probably less than 64 characters and therefore there is a reduction in the strength offered by the encryption.

Pedro
January 6, 2010 9:45 AM

I think that is a little overkill. If someone did that, the user would notice that the PC had been hacked because it would no longer be logged in to his account when he arrives at his PC...

I think that for a normal working situation, like an office or college, locking your PC with a good password is safe enough. I believe there is no way to get into someone's account (without knowing his pwd or an admin pwd) and leave it unnoticeable...

Whether it's noticeable isn't the issue. Keeping your data safe most certainly is. You'll notice your wallet has been stolen eventually, but even so ... your wallet has been stolen, and all the information in it. Best to not have it stolen in the first place.
Leo
07-Jan-2010

Dave Markley
January 18, 2010 2:45 PM

Just wanted to add a little note concerning Gmail. As of January 2010, Gmail is sent via HTTPS (encrypted) as opposed to the HTTP that was previously used.

Glenn P.
January 23, 2010 7:44 PM

Additional information for Tom R. (and others!):

1. TrueCrypt doesn't "just" use AES. It can be configured (if desired) to use THREE ciphers in series -- AES, Twofish, and Serpent -- either in that order, or in the reverse order. Other combinations of these are also possible.

2. Leo is correct about using a passphrase, rather than a password. Ideally, your passphrase should have these eight (8) characteristics:

1. Uppercase letters.
2. Lowercase letters.
3. Numbers.
4. Punctuation (e.g., ",:;-?! and so forth).
5. Symbols (e.g., @#$&*+ and so forth).
6. Spaces (use your spacebar!).
7. Respelling (no word anywhere in your passphrase should be findable in any dictionary -- say "kwean", not "queen"!).
8. A long length (15 characters or longer, and the longer the better).

Hope this helps!
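The article's "Always use a strong password", Leo's reply above about choosing a passphrase rather than a password, and Glenn P.'s eight-point checklist can be turned into a concrete check. The following is an added example, not code from the article, the commenter, or any tool the page mentions. It assumes a tiny constructed word list standing in for a real dictionary, and it decides for itself which characters count as "punctuation" versus "symbols", since the comment only gives examples of each.

```python
import re

# Constructed stand-in for a real dictionary (assumption: a real checker would
# load a full word list such as /usr/share/dict/words). Because it is tiny,
# short common words like "of" or "the" pass the respelling test here.
COMMON_WORDS = {"queen", "password", "computer", "secret", "laptop", "office",
                "college", "summer", "dragon", "letmein"}

# Split between punctuation and symbols follows the comment's examples; the
# exact membership of each set is an assumption made for this example.
PUNCTUATION = set("\",:;-?!.'")
SYMBOLS = set("@#$&*+%^=~|/\\<>()[]{}_")


def passphrase_report(passphrase: str) -> dict:
    """Evaluate a passphrase against the eight characteristics listed above.

    Returns a dict of characteristic -> bool, in the comment's order. This is
    the checklist, not an entropy estimate: a phrase can tick every box and
    still be guessable if it is a famous quotation.
    """
    words = re.findall(r"[a-z]+", passphrase.lower())
    return {
        "uppercase":   any(c.isupper() for c in passphrase),
        "lowercase":   any(c.islower() for c in passphrase),
        "numbers":     any(c.isdigit() for c in passphrase),
        "punctuation": any(c in PUNCTUATION for c in passphrase),
        "symbols":     any(c in SYMBOLS for c in passphrase),
        # Only an internal space counts: login prompts commonly strip
        # leading and trailing whitespace.
        "spaces":      " " in passphrase.strip(),
        # "Respelling": no alphabetic run in the phrase is a dictionary word.
        "respelling":  not any(w in COMMON_WORDS for w in words),
        "length":      len(passphrase) >= 15,
    }


def passphrase_score(passphrase: str) -> int:
    """Number of the eight characteristics satisfied (0..8)."""
    return sum(passphrase_report(passphrase).values())


def weakest_points(passphrase: str) -> list:
    """Characteristics the passphrase fails, in the comment's order."""
    return [name for name, ok in passphrase_report(passphrase).items() if not ok]


if __name__ == "__main__":
    # Constructed candidates: one obviously weak, one that meets all eight points.
    for candidate in ("queen123", "Kwean of the Hills #7, ok?"):
        print(f"{candidate!r}: {passphrase_score(candidate)}/8,"
              f" missing {weakest_points(candidate)}")
```

The score is only as good as the word list: with a real dictionary the second candidate would fail the respelling point on "of", "the" and "ok", which is exactly the comment's argument for respelling everything.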

Eicar Test Code
January 25, 2010 2:26 AM

re:
"I think that for a normal working situation, like an office or college locking your PC with a good password is safe enough. I believe there is no way to get into someones account (without knowing his pwd or an admin pwd) and leave it un-noticeable..."
_ _ _ _ _ _ _ _ _

I had a laugh with one of the admin assistants for one of the bosses where I work.

It seems that all the PCs on the domain are accessible by me from my workstation as long as they are turned on and connected to the network:

if I browse "My Network Places",
find the machine I want to look at,

then use the administrative share for the root of the system drive of said machine,

I can look at any and everything on the machine, including their "Documents" folder, "Desktop", "Temporary Internet Files", etc.

I dropped a text file onto one of the bosses' Desktop:
HiBoss.txt

It seems that internal network security is as necessary as physical security of the machine.

I don't believe anyone here has set their "My Documents" folder to Private, as they've all been redirected to the server for the nightly backups,
as well as that being the primary share point for sharing files,
so I haven't had the opportunity to attempt to access a "Private" "My Documents" using this method of "administrative access".
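From the defender's side, the kind of access the comment above describes is visible: when the "Audit File Share" subcategory is enabled, Windows writes Security event 5140 ("A network share object was accessed") naming the account, source address and share each time a share such as C$ or ADMIN$ is opened remotely. The following is an added example of detection logic over such records, not code from the comment, Ask Leo!, or Microsoft. The one-line record format and the sample events are constructed (a real export would be EVTX, XML or CSV), and the allow-listed backup host address is an assumption.

```python
import re
from collections import Counter

# Constructed sample of Security log records (Event ID 5140, "A network share
# object was accessed"), flattened to one line each. Made-up accounts, hosts
# and addresses, not taken from any real machine.
SAMPLE_EVENTS = [
    "5140 account=CORP\\jdoe src=10.0.5.23 share=\\\\*\\IPC$",
    "5140 account=CORP\\jdoe src=10.0.5.23 share=\\\\*\\C$",
    "5140 account=CORP\\backupsvc src=10.0.1.10 share=\\\\*\\C$",
    "5140 account=CORP\\asmith src=10.0.5.41 share=\\\\*\\Finance",
    "5140 account=CORP\\jdoe src=10.0.5.23 share=\\\\*\\ADMIN$",
    "5140 account=CORP\\asmith src=10.0.5.41 share=\\\\*\\C$",
    "4624 account=CORP\\asmith src=10.0.5.41",
]

# Hosts that legitimately use administrative shares (assumption: a backup or
# management server). Anyone else opening C$/D$/ADMIN$ is worth a look.
ALLOWED_SOURCES = {"10.0.1.10"}

EVENT_RE = re.compile(r"^(\d+) account=(\S+) src=(\S+)(?: share=(\S+))?$")
# Drive-letter shares (C$, D$, ...) and ADMIN$. IPC$ is deliberately excluded:
# ordinary named-pipe traffic uses it and would swamp the alert list.
ADMIN_SHARE_RE = re.compile(r"\\\\\*\\(?:[A-Z]\$|ADMIN\$)$")


def parse_event(line: str):
    """Parse one flattened record into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event_id, account, src, share = m.groups()
    return {"id": int(event_id), "account": account, "src": src, "share": share}


def admin_share_alerts(lines, allowed_sources=ALLOWED_SOURCES):
    """Return (account, source, share) for every 5140 event that opens an
    administrative share from a host that is not on the allow-list."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 5140 or ev["share"] is None:
            continue
        if ev["src"] in allowed_sources:
            continue
        if ADMIN_SHARE_RE.search(ev["share"]):
            alerts.append((ev["account"], ev["src"], ev["share"]))
    return alerts


def accounts_by_hits(lines):
    """Count admin-share hits per account: one account reaching into many
    machines' system drives is the pattern the comment above describes."""
    return Counter(account for account, _, _ in admin_share_alerts(lines))


if __name__ == "__main__":
    for account, src, share in admin_share_alerts(SAMPLE_EVENTS):
        print(f"ALERT {account} from {src} opened {share}")
    print(accounts_by_hits(SAMPLE_EVENTS))
```

The allow-list is what keeps this usable: backup and software-deployment hosts open C$ all day, so the rule is "administrative share opened from an unexpected source", not "administrative share opened".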

Adam
November 22, 2011 7:12 AM

Password-protect the BIOS.

Disable booting from anything but the volume you should be booting from.

Still not as good as physically securing the machine, but better...

chas
December 6, 2011 10:53 AM

Get a fingerprint reader and use this to access your computer. It works in conjunction with a password, so make sure you have a very strong password - there are programs available which can randomly generate a password for you.
