Helping people with computers... one answer at a time.
Your Windows password actually gives you less security than you might think, but there are scenarios where a strong Windows password is important.
We know the importance of strong passwords for online access to bank accounts, PayPal, email, Facebook, etc, but what about the Windows login password? If there's no concern about someone with physical access to the computer's keyboard gaining unwanted access, is it still advised to use a complex password with a mix of upper/lower-case, alphanumeric, and special characters versus something simple that can be typed quickly? In other words, how does a complex Windows password prevent a remote hacker from accessing my PC, assuming that I have all other defenses in place (i.e., firewall, antivirus suite, etc.)?
It's an interesting question because the answer can vary so dramatically.
There are scenarios where it's very important to make sure that your Windows password is indeed what we would normally consider to be a "strong" password.
However, there are other scenarios where it might actually make sense to have no password at all.
I'll discuss what's probably the most important consideration when setting up your Windows login password.
You should never consider your Windows password to be a form of absolute security.
In other words, with sufficient access (which I'll define in a moment), there are many ways that the Windows login password can be bypassed - no matter how secure the password that you happen to be using is.
I think of a password like a padlock; it keeps honest people honest, but anyone with a sufficiently strong bolt-cutter can break it.
That's not to say that it has no value - it absolutely does. But its greatest value is as one part of your overall approach to security.
You should simply realize that it's not appropriate to think of it as your only security.
You've identified what is perhaps the most important and most overlooked aspect of the security on your Windows machine: access.
There are two types of access that play a part here:
Remote Access - The ability to access your PC remotely might be an important part of how you use your computer. How that remote access is set up plays an important role in your security and has important implications in regards to your Windows password.
Physical Access - This type of access is what most people overlook. As I've stated before, if it's not physically secure, it's not secure. This also has implications in regards to your Windows password, but not the ones that perhaps you might expect.
Let's look at each in a little more detail.
The most common type of remote access is using Windows' own Remote Desktop utility, but the issues here apply regardless of the actual technology that you might use.
If your computer can be accessed directly over the internet (for instance, perhaps you've opened a port on your router to allow remote desktop), your password must be secure: as secure as you can stand, as a matter of fact.
The issue here is this: When your machine is directly accessible from the internet, hackers can and will try to gain access to your machine using a common protocol or technology. They may perform fairly constant probes or even mount so-called "dictionary attacks". It may not matter that the attack might be slow and ponderous - if it succeeds in a week or a month or a year, the hacker's in.
And yes, they're patient. In fact, this is one use of bot nets - to automate these types of attack and report back when access has eventually been gained.
In addition to a strong password, you should consider additional types of security as well, including turning off remote access for administrative login accounts or any account that doesn't need it.
Another approach is to block all forms of direct remote access at your router or firewall. Instead, you might use a virtual private network (VPN) solution to implement what amounts to a more indirect route. To gain remote access to your computer using a VPN, three things are required:
Needless to say, the password that you use as part of your VPN connection must be appropriately secure.
If someone has physical access to your machine, it really doesn't matter what your password is.
A good password, like the padlock that I mentioned before, will keep honest people out; to someone who's intent on gaining access to the contents of your machine, your password is a minor annoyance if they have the machine in front of them.
If the machine can be rebooted from a CD, then the hacker could easily insert a different operating system disc or insert a password reset utility and be in your machine in a matter of minutes.
Of course, in the absolute worst-case scenario, they could remove the hard drive and access it using an entirely different machine.
If this is a serious issue, then you need to be looking at BIOS passwords, encrypting hard disks, or using some other form of encryption for your sensitive data.
If you're the only person who accesses your machine, you completely trust everyone who could come into contact with it, and you never use remote access, then it's probably safe to choose a password that's easy to type/remember - or even have no password at all. I'd advise making sure that any sensitive data on your computer was encrypted to protect it from physical theft or malware.
If you use remote access in any form, make sure that your Windows password is strong - particularly if your machine can be accessed directly over the internet.
If your machine might be accessed by someone who is technically astute and may have malicious or even "aggressively curious" tendencies (for some reason, teenage siblings come to mind), then put a strong password in place. This may slow them down or perhaps dissuade them from more aggressive techniques. Then, encrypt what you care about the most, just in case they do resort to those more powerful invasion tools.
And if, like most of us, you use your computer in an environment where the people with physical access are mostly trustworthy, but you don't want to be reckless, choose a good password. It should be good, but it doesn't have to be super strong. It'll keep them honest and help you sleep at night.
And, as I said above, consider encrypting your sensitive data in case of theft - either physical or otherwise.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.