Helping people with computers... one answer at a time.
A Windows login password can be a minor inconvenience that can be disabled. Unfortunately, not having a Windows password does increase risk, even if you think there's nothing of importance on your machine.
I have nothing on my machine that is personal, revealing, or that I would be particularly concerned for anyone else knowing. Is there a valid, serious reason to use a password? My machine is live and open to the internet 24/7. Am I putting myself or my data in any jeopardy?
There are two issues that factor into this.
One: how likely it is that someone will access your machine in a way that a password would have stopped them.
Two: how much personal information is really on the machine, and whether you'd care if it were stolen or made public.
Only one of those two is really under your control, and even then, only if you've really thought it through.
I believe that if you took a close inventory of everything on your machine - everything from your browsing history to the emails you send and receive to the programs you run to the documents you open and the pictures you view - you'd be surprised at how much information about you is on your machine.
Think about it.
It's possible that remnants of everything you've ever used that computer for are present and available to someone who knows where to look.
I'm not talking about malicious software, I'm just talking the information that accumulates or remains when using the computer normally. Things like deleted files, document and web history, the browser cache, and system and software logs are all potential sources of information that may be present on your computer as a side effect of simple, everyday use.
And then, of course, there are your files: everything from emails to documents to photographs to whatever else you have there.
I'm guessing that there's something on your computer that would make you at least uncomfortable if made public or stolen.
One of my common statements to people concerned about tracking is "You're just not that interesting."
By that, I mean that the chances that some person or some industry is tracking or targeting you specifically is incredibly low; so low that in most cases, it's not worth worrying about.
But that doesn't mean you can stop worrying completely.
Malware doesn't target you specifically ... it targets anyone who's not protected.
Identity thieves don't target you specifically ... they'll happily take the identity of anyone that they can.
Burglars don't target you specifically ... they'll break into and steal from anyone, from whichever home or resource they find unprotected.
You still want to make sure that the "anyone" isn't you.
No matter how uninteresting you may be.
In my opinion, the real risk that most people neglect to think about is impersonation.
It's easy to think about the files that you keep on your folder and not really care about documents or photos getting into the hands of a stranger. And that's often a pretty fair assessment, as it really does come back to the fact that in general, we're just not that interesting as individuals and we do (for the most part) have a sense for the relative risks associated with what we have.
It's all that other information that I mentioned above that we might not realize is being kept that makes things less obvious.
For example, it might be possible to login to one of your online accounts as you with information scavenged from your computer.
That's a whole different scenario. Now, someone can pretend to be you and start scamming your friends and contacts (information also scavenged from your machine or from the online accounts that they're able to access).
Or worse, you could become a victim of identity theft.
You don't control the information that's stored on your machine as you use it (at least not in any absolute sense) and certainly not in any simple or easy-to-adjust sense.
However you can control access to the machine.
There are several ways:
Physical Access: This is one that a lot of people take for granted, until their computer is stolen. Most of us believe that our computers at home are fairly physically secure and immune from random people walking up and using the machine. That's often fairly true, but also often not absolute - especially in the face of burglary. Another of my frequent statements is "If it's not physically secure, it's not secure".
Remote Access: By and large, most machine's default configuration disables remote access and most remote access solutions require some kind of password, but these are something important to at least consider if used.
Malicious Access: Malware is something we control to a point. By that, I mean that it's something that we, by virtue of understanding how to stay safe on the internet, control through the use of appropriate counter-measures, such as firewalls and anti-malware software, as well as our own behavior.
The degree to which you feel comfortable not password-protecting your machine should be a function of how well you've protected yourself from those scenarios in other ways.
Machine passwords are not absolute, by any means. Anyone with physical access and a little bit of knowledge can reset the administrator password on a Windows machine. Once it reaches your machine, malware is often (although not always) past the point of needing a password.
But a password on your Windows machine can provide an important roadblock keeping many intruders at bay.
My desktop machine has no password. Reboot and it logs in as me.
Now, before you go calling me a hypocrite, I will point out that this was not a decision made lightly. I have considered all the ramifications for the access scenarios that I've listed above.
Physical: While I suppose that I'm at some risk for burglary like anyone (although the dogs and the alarm system may have something to say about that ), very few people wander through my home and fewer still my office.
Remote: I do run Remote Access software and have taken steps to ensure that not only is my firewall set up properly, but the Remote Access software itself is set securely and requires a password to actually grant access.
Malicious: Given how often I write about it and think about it, I'm almost required to be the "poster boy" for staying safe online. Anti-malware tools running and good online behavior is the order of the day.
There's one additional step that I've taken that adds a layer of security to my setup.
Reboot my machine and the vast majority of what I consider my important data is still not accessible. In order to access the most sensitive data, a thief would need to enter not just a password, but a pass phrase.
Finally, my laptop - the machine I actually take with me when I travel and stand the highest probability of losing - is password protected.
And TrueCrypt protected as well.
If the risk of theft is high and particularly if the cost of theft is high, you might consider something similar or go even further with whole-disk encryption and/ora BIOS password.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.