A Windows login password can be a minor inconvenience that can be disabled. Unfortunately, not having a Windows password does increase risk, even if you think there's nothing of importance on your machine.

I have nothing on my machine that is personal, revealing, or that I would be particularly concerned for anyone else knowing. Is there a valid, serious reason to use a password? My machine is live and open to the internet 24/7. Am I putting myself or my data in any jeopardy?

Possibly, maybe.

There are two issues that factor into this.

One: how likely it is that someone will access your machine in a way that a password would have stopped them.

Two: how much personal information is really on the machine, and whether you'd care if it were stolen or made public.

Only one of those two is really under your control, and even then, only if you've really thought it through.

There's more on your machine than you think

I believe that if you took a close inventory of everything on your machine - everything from your browsing history to the emails you send and receive to the programs you run to the documents you open and the pictures you view - you'd be surprised at how much information about you is on your machine.

Think about it.

It's possible that remnants of everything you've ever used that computer for are present and available to someone who knows where to look.

I'm not talking about malicious software; I'm just talking about the information that accumulates or remains when using the computer normally. Things like deleted files, document and web history, the browser cache, and system and software logs are all potential sources of information that may be present on your computer as a side effect of simple, everyday use.

And then, of course, there are your files: everything from emails to documents to photographs to whatever else you have there.

I'm guessing that there's something on your computer that would make you at least uncomfortable if made public or stolen.

We're not that interesting, but...

One of my common statements to people concerned about tracking is "You're just not that interesting."

By that, I mean that the chance that some person or some industry is tracking or targeting you specifically is incredibly low; so low that in most cases, it's not worth worrying about.

But that doesn't mean you can stop worrying completely.

  • Malware doesn't target you specifically ... it targets anyone who's not protected.

  • Identity thieves don't target you specifically ... they'll happily take the identity of anyone that they can.

  • Burglars don't target you specifically ... they'll break into and steal from anyone, from whichever home or resource they find unprotected.

You still want to make sure that the "anyone" isn't you.

No matter how uninteresting you may be.

The under-estimated risk: impersonation

In my opinion, the real risk that most people neglect to think about is impersonation.

It's easy to think about the files that you keep in your folders and not really care about documents or photos getting into the hands of a stranger. And that's often a pretty fair assessment, as it really does come back to the fact that in general, we're just not that interesting as individuals and we do (for the most part) have a sense for the relative risks associated with what we have.

It's all that other information that I mentioned above that we might not realize is being kept that makes things less obvious.

For example, it might be possible to log in to one of your online accounts as you with information scavenged from your computer.

That's a whole different scenario. Now, someone can pretend to be you and start scamming your friends and contacts (information also scavenged from your machine or from the online accounts that they're able to access).

Or worse, you could become a victim of identity theft.

What you do control

You don't control the information that's stored on your machine as you use it (at least not in any absolute sense) and certainly not in any simple or easy-to-adjust sense.

However, you can control access to the machine.

There are several ways:

  • Physical Access: This is one that a lot of people take for granted, until their computer is stolen. Most of us believe that our computers at home are fairly physically secure and immune from random people walking up and using the machine. That's often fairly true, but also often not absolute - especially in the face of burglary. Another of my frequent statements is "If it's not physically secure, it's not secure".

  • Remote Access: By and large, most machines' default configuration disables remote access, and most remote access solutions require some kind of password, but these settings are important to at least consider if you use remote access.

  • Malicious Access: Malware is something we control to a point. By that, I mean that it's something that we, by virtue of understanding how to stay safe on the internet, control through the use of appropriate counter-measures, such as firewalls and anti-malware software, as well as our own behavior.

The degree to which you feel comfortable not password-protecting your machine should be a function of how well you've protected yourself from those scenarios in other ways.

Machine passwords are not absolute, by any means. Anyone with physical access and a little bit of knowledge can reset the administrator password on a Windows machine. Once it reaches your machine, malware is often (although not always) past the point of needing a password.

But a password on your Windows machine can provide an important roadblock keeping many intruders at bay.

What I do

My desktop machine has no password. Reboot and it logs in as me.

Now, before you go calling me a hypocrite, I will point out that this was not a decision made lightly. I have considered all the ramifications for the access scenarios that I've listed above.

  • Physical: While I suppose that I'm at some risk for burglary like anyone (although the dogs and the alarm system may have something to say about that), very few people wander through my home and fewer still my office.

  • Remote: I do run Remote Access software and have taken steps to ensure that not only is my firewall set up properly, but the Remote Access software itself is set securely and requires a password to actually grant access.

  • Malicious: Given how often I write about it and think about it, I'm almost required to be the "poster boy" for staying safe online. Anti-malware tools running and good online behavior are the order of the day.

There's one additional step that I've taken that adds a layer of security to my setup.

TrueCrypt

Reboot my machine and the vast majority of what I consider my important data is still not accessible. In order to access the most sensitive data, a thief would need to enter not just a password, but a pass phrase.

Finally, my laptop - the machine I actually take with me when I travel and stand the highest probability of losing - is password protected.

And TrueCrypt protected as well.

If the risk of theft is high and particularly if the cost of theft is high, you might consider something similar or go even further with whole-disk encryption and/or a BIOS password.

Article C6033 - November 15, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

10 Comments
Natalie J.
November 16, 2012 10:51 AM

When I first jumped from Millennium Windows with no access to the Internet to a Windows 7 and a router allowing Internet access, I had a quantum leap to go in terms of thinking about the security of my documents. Like the author of the article, I have "nothing to hide." My wakeup call came with discovering the "Index" feature in Windows 7. In My Documents and Windows Explorer, there's a small white search slit in the upper right corner of the screen. All I see written on there now is "Searc." The idea is that if you forget where a file is located, you try to remember a word or phrase from what you once gave it as a filename, or a word or phrase that you think is in the document itself and key it into the slit. Any hackers using this feature on your machine remotely or having stolen your computer can key in things like "taxes" or "bank" or "Social Security," or "Letters," "Addresses," etc. In each case every filename and every document that contains the word will instantly come up on the screen. In List View, I look through the list, generally find the document, and click on the filename to open it up. So can the hackers. Suppose they go to "Letters" and you have a template letterhead that includes your name and address that is thus plastered on every letter you wrote, unless you erased it before a final save. You just gave the identity thieves that information. The indexing feature is a wonderful tool in your hands but not in those of the net crooks. Suppose you had a letter explaining the dates of your upcoming trip. This is a nice tipoff to a thief who might come to your home while you are away. I'm much more careful today about naming folders although I'm not changing words in documents themselves. If I were you, I'd get a good 12 or more character password. The Leo Archives has plenty on this subject. Do everything you can to stay out of the attention of the bad guys. 
Yes, it is a lot easier to turn on your computer and have it instantly ready to go, but besides other passwords I use, I make sure I have a password that I require of myself to get into my machine after it has been turned on. Sometimes "friends" and co-workers can operate your computer when you are in another room or gone for a few hours. Some people are just nosy. Others do it with evil intent. In any case, passwords would have stopped them. Otherwise, you leave yourself wide open to potentially nasty repercussions.

Peter Brooks
November 16, 2012 11:14 AM

The biggest concern, IMHO, hasn't been mentioned. If your system is connected to the Internet and is easy to get into, the possibility exists that someone may try to use it remotely for their own purposes (i.e., make it part of a "bot net" - check out the definition on Wikipedia).

Unknown to you, your machine could be used to host phishing sites, send spam, be set up for use for drive-bys, participate in a DDoS (distributed denial of service attack) - the list is endless.

Now usually the guys with black hats tend to go for the higher traffic systems such as high end servers used to host websites, ftp sites and so on, but ordinary PCs will serve just as well, especially when used in conjunction with tens of thousands of other compromised machines just like your humble and unassuming home computer.

The harder it is to get into your system, the better - even if it causes you some inconvenience.

John Nightingale
November 16, 2012 2:53 PM

I would be most worried that someone else sets up a password, then I can't get in.

Kevin
November 17, 2012 3:18 AM

Surely the answer is that some users do need a strong Windows login password and others perhaps none at all.
Myself, although Laptop is usually in my bedroom do keep a short simple one on at all times. But when I travel do change it to a longer and far more complicated one.
In general do feel that many users think that the Windows login password does give their comp. some magical protection, and I suppose in some ways it does, as it would normally be a human who would be trying to break it. But do feel that they should put more effort into their Internet passwords.
Only other point that comes to mind is that although I am aware of how to reset Windows login Password (Thanks to your good self), this is not all that easy for the normal user (Indeed most have no idea it can be done), ergo most should have a reasonably strong password set up and that this should be changed reasonably often, certainly on every occasion the password is revealed (for whatever reason) to someone else.

BaliRob
November 17, 2012 7:56 PM

Did I miss something - what about possible links to monetary info and the user's contact list? If not used for email - what is the machine being used for?

Rob
November 19, 2012 8:04 AM

Don't you need a Windows password if you intend on using certain features such as scheduling tasks in the Task Manager? Seems to me that I had to add a password to my account in order to create scheduled Windows tasks?

That's correct. Remote Desktop comes to mind as another feature that requires you have an account password. Many people configure their machines to login automatically even when it has a password, though, raising many of the same issues as the article.
Leo
18-Nov-2012

BAW30s
November 20, 2012 8:37 AM

Like Leo, I don't bother with a password (except when going away), but then I live alone and so no-one can access my computer without stealing it. If it were stolen, I would have to treat the data as compromised even if it were protected, as a password can be cracked or circumvented fairly easily.

If you do use a password, make sure you don't lose it, as the cracking procedure, particularly on Windows 7, does the operating system no good at all: having helped out a friend once, I know!

K.Vee.Shanker.
November 20, 2012 10:58 PM

People do not think about the possibilities of identity theft! I was also naively believing in this 'I don't have anything worthwhile to protect/hide theory'. Normal people always think on simple and direct possibilities. But, criminals go deep and dig out all possibilities. While we have no interest in immoral activities, they don't have any qualms in doing them.

A stolen identity can be used for spam and scam. It can also be used as unintended agent of money laundering, messaging, who knows even for terrorist activities.

Put it simply, we are careless in anything because of two things. We don't know the possibilities, and even if we get to know them, we believe that it won't happen to us!

Elwood Jones
November 21, 2012 12:03 AM

What about Android Tablets? Is there a way to password protect them? I know that's way off topic but I'm curious and concerned.

Mark J
November 21, 2012 3:57 AM

@Elwood
I have my Android phone password protected. I consider that more important than protecting my computer because it's much easier to be lost or stolen. Unfortunately, I don't know how secure this password protection is.
