Helping people with computers... one answer at a time.

Your Windows password actually gives you less security than you might think, but there are scenarios where a strong Windows password is important.

We know the importance of strong passwords for online access to bank accounts, PayPal, email, Facebook, etc, but what about the Windows login password? If there's no concern about someone with physical access to the computer's keyboard gaining unwanted access, is it still advised to use a complex password with a mix of upper/lower-case, alphanumeric, and special characters versus something simple that can be typed quickly? In other words, how does a complex Windows password prevent a remote hacker from accessing my PC, assuming that I have all other defenses in place (i.e., firewall, antivirus suite, etc.)?

It's an interesting question because the answer can vary so dramatically.

There are scenarios where it's very important to make sure that your Windows password is indeed what we would normally consider to be a "strong" password.

However, there are other scenarios where it might actually make sense to have no password at all.

I'll discuss what's probably the most important consideration when setting up your Windows login password.

What your Windows password is NOT

You should never consider your Windows password to be a form of absolute security.

In other words, with sufficient access (which I'll define in a moment), there are many ways that the Windows login password can be bypassed - no matter how secure the password that you happen to be using is.

I think of a password like a padlock; it keeps honest people honest, but anyone with a sufficiently strong bolt-cutter can break it.

"If someone has physical access to your machine, it really doesn't matter what your password is."

That's not to say that it has no value - it absolutely does. But its greatest value is as one part of your overall approach to security.

You should simply realize that it's not appropriate to think of it as your only security.

It's all about access

You've identified what is perhaps the most important and most overlooked aspect of the security on your Windows machine: access.

There are two types of access that play a part here:

  • Remote Access - The ability to access your PC remotely might be an important part of how you use your computer. How that remote access is set up plays an important role in your security and has important implications in regards to your Windows password.

  • Physical Access - This type of access is what most people overlook. As I've stated before, if it's not physically secure, it's not secure. This also has implications in regards to your Windows password, but not the ones that perhaps you might expect.

Let's look at each in a little more detail.

Remote Access

The most common type of remote access is using Windows' own Remote Desktop utility, but the issues here apply regardless of the actual technology that you might use.

If your computer can be accessed directly over the internet (for instance, perhaps you've opened a port on your router to allow remote desktop), your password must be secure: as secure as you can stand, as a matter of fact.

The issue here is this: When your machine is directly accessible from the internet, hackers can and will try to gain access to your machine using a common protocol or technology. They may perform fairly constant probes or even mount so-called "dictionary attacks". It may not matter that the attack might be slow and ponderous - if it succeeds in a week or a month or a year, the hacker's in.

And yes, they're patient. In fact, this is one use of bot nets - to automate these types of attack and report back when access has eventually been gained.

In addition to a strong password, you should consider additional types of security as well, including turning off remote access for administrative login accounts or any account that doesn't need it.

Another approach is to block all forms of direct remote access at your router or firewall. Instead, you might use a virtual private network (VPN) solution to implement what amounts to a more indirect route. To gain remote access to your computer using a VPN, three things are required:

  • The computer that you want to connect to must itself already be connected to the VPN
  • You must be able to connect to and authenticate with the VPN
  • You must then be able to login to the remote computer
Using Hamachi as my VPN is the solution that I prefer.

Needless to say, the password that you use as part of your VPN connection must be appropriately secure.

Physical Access

If someone has physical access to your machine, it really doesn't matter what your password is.

Seriously.

A good password, like the padlock that I mentioned before, will keep honest people out; to someone who's intent on gaining access to the contents of your machine, your password is a minor annoyance if they have the machine in front of them.

If the machine can be rebooted from a CD, then the hacker could easily insert a different operating system disc or insert a password reset utility and be in your machine in a matter of minutes.

Of course, in the absolute worst-case scenario, they could remove the hard drive and access it using an entirely different machine.

If this is a serious issue, then you need to be looking at BIOS passwords, encrypting hard disks, or using some other form of encryption for your sensitive data.

Some guidelines

If you're the only person who accesses your machine, you completely trust everyone who could come into contact with it, and you never use remote access, then it's probably safe to choose a password that's easy to type/remember - or even have no password at all. I'd advise making sure that any sensitive data on your computer was encrypted to protect it from physical theft or malware.

If you use remote access in any form, make sure that your Windows password is strong - particularly if your machine can be accessed directly over the internet.

If your machine might be accessed by someone who is technically astute and may have malicious or even "aggressively curious" tendencies (for some reason, teenage siblings come to mind), then put a strong password in place. This may slow them down or perhaps dissuade them from more aggressive techniques. Then, encrypt what you care about the most, just in case they do resort to those more powerful invasion tools.

And if, like most of us, you use your computer in an environment where the people with physical access are mostly trustworthy, but you don't want to be reckless, choose a good password. It should be good, but it doesn't have to be super strong. It'll keep them honest and help you sleep at night.

And, as I said above, consider encrypting your sensitive data in case of theft - either physical or otherwise.

Article C4819 - May 14, 2011 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

11 Comments
Mark J
May 15, 2011 6:05 AM

Another word of warning. This password should be unique and not used for other access such as emails or banking. If someone boots your computer from an OPH crack disk, they'll be able to get your actual password, and if that password is used for anything other than logging on to windows they'll have access to anything else you use that password for in under 20 minutes.

Audrey
May 17, 2011 8:35 AM

If someone else at the office has set up a remote access for her computer, and my computer is linked to the same server, can someone access my computer through her computer?

Mark J
May 17, 2011 10:46 AM

@Audrey
It depends on whether your computer can be accessed by your colleague's computer or not. If your colleague can access files on your computer through hers then someone with remote access to her computer would also have access to those fies, if not than they couldn't access your files remotely.

Glenn P.
May 17, 2011 12:04 PM

I actually have a sorta unique (?) problem.

There are two users on our system -- my Mom, and I. I am computer literate; my Mom, on the other hand, couldn't tell a folder from a filename (all the same to her!) from a filesystem from a file manager. When my Mom (inevitably) yelps for help, I answer her call.

Because it is conceivable that I might die one day and she might need access to "my" side of the computer (i.e., to my user account) I've intentionally set a weak password. It's one she'd never be able to guess, but it's only five lowercase letters long -- easily "hackable" -- because she might need to hire someone to "hack" for her it someday, and I don't want to give him too much trouble (and her too much expense-by-the-hour!). Meanwhile, I naturally keep all my sensitive files carefully encrypted -- with AES or Blowfish or a similarly secure algorithm -- and a nice, tight, secure, hack-resistant password.          :)

Bill G
May 17, 2011 1:59 PM

Just a word of caution on BIOS passwords lest it be misunderstood as it is mentioned above in the context of accessing the hard drive. The BIOS password only protects the basic machine and not the hard drive. The hard drive can still be removed and the data accessed on a different machine. Only disk encryption adequately protects the data on the disk.

Dan
May 17, 2011 6:21 PM

Glenn, I have reservations about your plan....you are going to make your non-computer-literate mom pay somebody to hack your password? I doubt she will do that unless you tell her in advance to do so. She probably doesn't even know that is possible, and if she tries it, she will get taken advantage of on the pricing. As it stands, if something happens to you, your account, and its possibly important files, will die along with you because she will assume the only thing important on your account are your tax returns and that last manifesto you sent to the Times (ha, just kidding).

Maybe you should put the stuff you want her to find on a CD or unencrypted flash drive and put it in your safe deposit box. When she finds it, at least she will be alerted that you have some important files that she needs to review. Then, if necessary, she can enlist a trusted computer literate friend or relative to help.

Or, you could encrypt the files you NEVER want her to see, and tell her your Windows password for just-in-case. Computer illiterates will never mess with your account just for noseyness.

Austin A.
May 17, 2011 10:56 PM

You mentioned VPN, remote access and Hamachi. I tried the Hamachi web site and it's less than helpful. I installed the software and there's no help. I thought I could start a network through it, do the same on another computer, and bingo!. It's obviously not so easy. I once tried Windows 7's Remote Access but couldn't figure out how to set up my router. I'm in Singapore and my wife is soon to return to Australia and will undoubtedly need remote help. I thought I was pretty computer literate but router stuff is clearly beyond me. Can you give some pointers to the easiest way of setting up secure remote desktop access for assistance purposes?

Mike Richardson
May 18, 2011 10:20 AM

@Austin A, try teamviewer.com. It's free for personal use and works perfectly for remote support.

Robert Byrne
May 27, 2011 9:04 AM

Sounds good.Where,on line,can you test the strength of various pass words?
This might shock some and provide peace of mind to others.In most cases ,I fear it would put most of us to work in creating stronger passwords.
Thanks for the article.
Best regards
Robert Byrne

Mark J
May 27, 2011 11:53 AM

I'd be leery of an online password checker. It could be a trap to get your passwords.

Constantine
July 29, 2011 12:45 PM

I would like to add in regards to remote access that an additional security measure is to use port knocking, preferably using a daemon that uses each knock sequence once.

For example, in one of my machines I have Linux and use knockd to open the ports and start the ssh daemon. After the port is opened, I use ssh with keyfile,instead of password authentication and have the file in an encrypted container within another encrypted container.

Of course, such an approach assumes access to at least one machine that has a public static IP.

To give an example of how to gain access to a machine that is under NAT, using a remote-access server-client program, such as Teamviewer, without having all your data exposed, you can ran one chrooted instance that will have a just enough access to write a file in a directory. A daemon running in the background would poll at regular intervals and once the file is detected would start a full-access instance. The file's contents can also come from a use-once pool.

I apologise for staying in a Linux approach, however I do not know of a way to have this work under windows.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.