Summary: The lock function in Windows is convenient and fast, but it's not quite as secure as you might think. We'll look at why.
My college says to lock your computer - will that make it safe? For example, in Windows, pressing the Windows Key + L locks the computer. It seems to me that if you do lock it, there are still a few folks who know how to unlock it and help themselves. So should I feel safe locking the computer?
Not really.
Of course it depends on the situation, but locking your computer is a very mild form of security. It'll help keep honest people honest, but the rest? Not so much.
I'll show you why and how and what you really need to be doing instead.
I liken locking your computer to putting a cheap padlock on a box or door. Most people don't care and won't take the trouble to try and defeat it. In that sense it's pretty cheap and reasonable security.
Unless, of course, someone really wants to get in.
All they need to do is walk up with a bolt cutter of sufficient size and cut the padlock off. It's very easy and quick - if you have the right tools.
The right tools to break into a locked laptop are not only easy, they're free.
You might think that guessing your password would be the way to go, since locking the machine requires that you enter your password to regain access. That's one approach, particularly if you have an easy-to-guess password. (It's kinda like picking that padlock above - if it's a really cheap padlock, or you're really good at picking, perhaps it'll work.)
I'd skip that step completely and bring out the equivalent of the bolt cutters right away. Here's what I'd do:
I'd get a copy of the Offline NT Password and Registry Editor (I've discussed it more in a prior article: I've lost the password to my Windows Administrator account, how do I get it back?)
Then I'd force the machine to reboot - turning it off if necessary - and boot into that tool.
I'd reset the administrator password.
I'd reboot the machine and log in as administrator.
I'd then have total access to anything on the machine.
Yes, it really is that easy, and it's exactly why I so often repeat:
If it's not physically secure, it's not secure.
I'm sure that there are other approaches as well; this is just one example of a virtual bolt cutter that I happen to know works well.
So, what to do?
Locking your computer is not a bad idea. As I said, it'll keep honest people honest, and also keep out those who are less technically competent (i.e. those that don't know how easy it is to get in).
And it's possible that doing so, along with traditional security like not leaving your computer unattended in public places, might be enough. Knowing how easy it is for someone to get in, though, that's a judgment call you'll have to make based on the importance and privacy of what's on your computer and the real likelihood that anyone would actually care enough to try and break in.
If you feel you need more security than that, then:
Never, ever let anyone use or borrow your computer.
Never, ever leave your computer somewhere where it can be accessed by someone else - running or not, locked or not.
Strongly consider using encryption to keep your data secure, and only decrypting as needed or making sure to turn on auto-dismount options in tools like TrueCrypt.
Always use a strong password.
Sadly it's all too easy to walk up to a computer and access everything there is on it. Particularly for laptops, which can of course be easily lost or stolen, there's a real concern about data loss and data privacy.
It's important you understand the risks, and take steps appropriate to your situation to protect yourself.
Article C4013 - January 1, 2010
@Tom R
Absolutely WRONG. The world's best super computers can crack AES in a couple of days. You and I don't need to worry about that because they are mostly used by scientists for research or government agencies to process certain data. However, for the average Joe Bloggs on the street with a Quad-Core 2.6 GHz it will indeed take not only years, but decades to crack the encryption. Also, AES is strongest when the longest possible password is used, which would mean a 256 character password. Most people's passwords are probably less than 64 characters and therefore, there is a reduction in the strength offered by the encryption.
Posted by: Pookey at January 5, 2010 9:36 PM
I think that is a little overkill. If someone did that the user would notice that the PC had been hacked because it would no longer be logged in to his account when he arrives at his PC...
I think that for a normal working situation, like an office or college, locking your PC with a good password is safe enough. I believe there is no way to get into someone's account (without knowing his pwd or an admin pwd) and leave it unnoticeable...
07-Jan-2010
Posted by: Pedro at January 6, 2010 9:45 AM
Just wanted to add a little note concerning Gmail. As of January, 2010 Gmail is sent via HTTPS: (encrypted) as opposed to HTTP: that was previously used.
Posted by: Dave Markley at January 18, 2010 2:45 PM
Additional information for Tom R. (and others!):
1. TrueCrypt doesn't "just" use AES. It can be configured (if desired) to use THREE ciphers in series -- AES, Twofish, and Serpent -- either in that order, or in the reverse order. Other combinations of these are also possible.
2. Leo is correct about using a passphrase, rather than a password. Ideally, your passphrase should have these eight (8) characteristics:
1. Uppercase letters.
2. Lowercase letters.
3. Numbers.
4. Punctuation (e.g., ",:;-?! and so forth).
5. Symbols (e.g., @#$&*+ and so forth).
6. Spaces (use your spacebar!).
7. Respelling (no word anywhere in your passphrase should be findable in any dictionary -- say "kwean", not "queen"!).
8. A long length (15 characters or longer, and the longer the better).
Hope this helps!
Posted by: Glenn P. at January 23, 2010 7:44 PM
re:
"I think that for a normal working situation, like an office or college locking your PC with a good password is safe enough. I believe there is no way to get into someones account (without knowing his pwd or an admin pwd) and leave it un-noticeable..."
_ _ _ _ _ _ _ _ _
I had a laugh with one of the admin assistants at one of the bosses where I work;
it seems that all the PCs on the domain are accessible by me from my workstation as long as they are turned on and connected to the network:
if I browse "my network places"
find the machine I want to look at
then use the administrative share for the root of the system drive of said machine,
I can look at any & everything on the machine, including their "Documents" folder, "Desktop", "Temporary Internet Files" etc.
I dropped a text file onto one of the bosses' Desktop:
HiBoss.txt
It seems that internal network security is as necessary as physical security of the machine
I don't believe anyone here has set their "my documents" folder to Private, as they've all been redirected to the server for the nightly backups
as well as that's the primary share point for sharing files,
so I haven't had the opportunity to attempt to access a "Private" "My Documents" using this method of "administrative access".
Posted by: Eicar Test Code at January 25, 2010 2:26 AM
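As an added example (not code from the article or from any commenter), here is a small Python check that applies the eight passphrase characteristics Glenn P. lists above; the dictionary it uses is a constructed stand-in, and the exact punctuation and symbol sets are assumptions extended from his items 4 and 5.

```python
import re

# Constructed stand-in for a real dictionary (assumption): a real check would
# load a full wordlist such as /usr/share/dict/words.
DICTIONARY = {"queen", "password", "welcome", "summer", "dragon", "letmein", "night", "home"}

PUNCTUATION = set('",:;-?!.\'')              # item 4, plus period and apostrophe
SYMBOLS = set("@#$&*+%^=~|/\\<>()[]{}_`")    # item 5, plus other non-alphanumerics


def passphrase_checks(passphrase, dictionary=DICTIONARY):
    """Map each of the eight characteristics to True (present) or False (missing)."""
    # Item 7: split into alphabetic runs; each run must be absent from the dictionary.
    words = re.findall(r"[a-z]+", passphrase.lower())
    return {
        "uppercase": any(c.isupper() for c in passphrase),
        "lowercase": any(c.islower() for c in passphrase),
        "numbers": any(c.isdigit() for c in passphrase),
        "punctuation": any(c in PUNCTUATION for c in passphrase),
        "symbols": any(c in SYMBOLS for c in passphrase),
        "spaces": " " in passphrase.strip(),     # leading/trailing spaces don't count
        "respelling": bool(words) and not any(w in dictionary for w in words),
        "length": len(passphrase) >= 15,
    }


def missing_characteristics(passphrase, dictionary=DICTIONARY):
    """Names of the characteristics a passphrase fails, in the order of Glenn's list."""
    return [name for name, ok in passphrase_checks(passphrase, dictionary).items() if not ok]


if __name__ == "__main__":
    for candidate in ("queen", "Summer 2010!", "Kwean 0f th3 N!ght @ hoam?"):
        print(repr(candidate), "missing:", missing_characteristics(candidate) or "nothing")
```

Note that the respelling check is only as good as its tokenizer: "N!ght" passes because the punctuation splits the word, which is exactly the kind of respelling Glenn recommends.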
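The administrative-share access Eicar Test Code describes does leave a trace on the target machine when object access auditing is on: Windows logs Security event 5140 ("A network share object was accessed"). As an added example (not from the article or the commenter), this Python snippet flags 5140 events that touch an administrative share from a host other than an expected management server; the CSV layout, host addresses and the allow-list are all constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of event 5140 rows as they might be exported to CSV.
# Column names are an assumption for this example; real exports vary.
SAMPLE_EVENTS = r"""event_id,computer,account,source_address,share_name,relative_target
5140,PC-BOSS,CORP\assistant,10.0.5.23,\\*\C$,Users\boss\Desktop\HiBoss.txt
5140,PC-BOSS,CORP\backupsvc,10.0.1.10,\\*\C$,Windows\Temp
5140,FILESRV,CORP\assistant,10.0.5.23,\\*\Shared,Projects\plan.docx
5140,PC-DEV1,CORP\assistant,10.0.5.23,\\*\ADMIN$,System32\drivers
4624,PC-DEV1,CORP\assistant,10.0.5.23,,
"""

# Assumption: only the backup/management server should reach admin shares.
ALLOWED_ADMIN_SOURCES = {"10.0.1.10"}


def is_admin_share(share_name):
    """Administrative shares end in '$' (C$, ADMIN$, IPC$); IPC$ is noisy in practice."""
    return share_name.strip().endswith("$")


def flag_admin_share_access(csv_text, allowed_sources=ALLOWED_ADMIN_SOURCES):
    """Return the 5140 rows where an admin share was used from an unexpected host."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "5140":
            continue
        if is_admin_share(row["share_name"]) and row["source_address"] not in allowed_sources:
            hits.append(row)
    return hits


def summarize(hits):
    """Count flagged accesses per (account, source address) pair for triage."""
    return Counter((h["account"], h["source_address"]) for h in hits)


if __name__ == "__main__":
    for (account, source), n in summarize(flag_admin_share_access(SAMPLE_EVENTS)).items():
        print(f"{account} from {source}: {n} admin-share access(es)")
```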