So you’ve set a password on your Windows laptop or desktop, and you always sign out or lock the screen when you leave it alone. This still won’t protect your data if your computer is ever stolen.
A Windows password helps keep honest people honest, protecting your computer from casual unauthorized access. If an attacker gains physical access to your computer, all bets are off and a Windows password won’t help much.
A Windows password just prevents someone from logging into your user account if they’re sitting at your computer’s keyboard. If all they have is a keyboard — for example, let’s say they’re using a desktop tower computer where the tower is physically locked up tight and all they have is the keyboard and mouse — they aren’t getting in.
However, all bets are off once they have physical access to your computer. For example, if they have the ability to restart the computer, they can insert a Linux live CD or even a Windows To Go USB drive. They can then boot from this device and access your files from the live environment.
This is only possible if the computer’s BIOS is set to boot from removable devices, but that is generally the default. Even if it isn’t, a thief can go into your BIOS and enable booting from removable devices. A BIOS password can prevent this, but few users set one.
Even if you were to lock down your BIOS, preventing it from booting removable devices and setting a BIOS password, this wouldn’t protect your data. The thief could open the laptop (or desktop), remove the hard drive, and insert it into another computer. They can then access your personal data. (If they had physical access to the inside of your computer, they could probably also reset your BIOS settings and bypass your BIOS password.)
Once an attacker can boot from a removable device, they could even reset your Windows password if they wanted to. They don’t need any special hacker tools to do this — you can quickly reset a Windows password with a Windows installer disc, reset a Windows password from an Ubuntu live CD, or use one of the many tools designed for this purpose, such as the Offline Windows Password Editor.
A Windows password isn’t completely useless. Like the locks on the doors of our houses, they help keep honest people honest. If someone in your workplace or at your home wants to turn on your computer and snoop around, a password will get in their way.
If a thief only wants your laptop for its hardware, not your personal data, the password will still stop a less knowledgeable thief from casually accessing your personal data.
However, if someone really wants to get your personal data and they’re willing to boot into another operating system or open up your computer and remove its hard drive, the Windows password isn’t going to help.
Of course, if you can physically lock down a computer — picture a desktop tower locked in a cage with only keyboard, mouse, and monitor cables emerging from it — a Windows password will prevent people from mucking with that computer.
If you really want to protect your data, you shouldn’t only rely on a Windows password. You should use encryption. When you use encryption, your files are stored on your hard drive in a seemingly scrambled form. When you boot your computer, you’ll have to enter its encryption passphrase. This makes the files accessible.
If a thief steals your computer and reboots it into another operating system or removes its hard drive and plugs it into another computer, the encryption will prevent them from understanding the data on your hard drive. It will appear as scrambled, random nonsense unless they know your encryption passphrase.
Now, encryption does result in some amount of performance penalty. If all you use your laptop for is Facebook and YouTube, you probably don’t need to encrypt your hard drive. However, if you have sensitive financial or business documents, you’ll want to use encryption to protect your data, whether you’re using a laptop or desktop.
Want to use encryption? If you have a Professional edition of Windows, you can use BitLocker to encrypt your hard drive. However, you don’t need a Professional edition of Windows to use encryption. Just install the free and open-source TrueCrypt. When you use this software, you’ll have to enter your encryption password each time your computer boots. You could also set it up to store your important files in an encrypted container, leaving the rest of your computer unencrypted. The encrypted container would still protect the important files you store in it.
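As an added example (not code from the article), the PowerShell below shows what turning on the BitLocker option described above looks like in practice: it reports whether the system drive is actually encrypted and protected, and if not, enables BitLocker with a TPM plus a pre-boot PIN, which is the “enter your encryption password each time your computer boots” behaviour the article wants. It assumes an elevated PowerShell on a Pro or Enterprise edition, that the OS volume is C:, and that a TPM is present and ready; the registry values it writes mirror the “Require additional authentication at startup” group policy, which is needed before a startup PIN can be added.

```powershell
# Added example, not part of the original article. Run as Administrator.
# Assumptions: OS volume is C:, a TPM is present and ready, BitLocker module available.

function Get-DiskEncryptionPosture {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus  # 'Off' means the key is NOT protected, even if the volume is encrypted
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

function Enable-StartupPinPolicy {
    # Policy equivalent of "Require additional authentication at startup" with
    # "Allow startup PIN with TPM" (2 = Allow, 1 = Require, 0 = Do not allow).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
}

function Enable-SystemDriveEncryption {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM found on this machine; initialise the TPM first.'
    }

    $posture = Get-DiskEncryptionPosture -MountPoint $MountPoint
    if ($posture.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($posture.VolumeStatus); protection is $($posture.ProtectionStatus)."
        return $posture
    }

    Enable-StartupPinPolicy

    # The PIN is what the thief does not have: without it the TPM will not release the key at boot.
    $pin = Read-Host -AsSecureString -Prompt 'Choose a BitLocker startup PIN'
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest

    # A recovery password is for YOU, in case the TPM or firmware changes.
    # Print it once and store it somewhere other than this laptop.
    $withRecovery = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $withRecovery.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
    Write-Host "Recovery password (store off-device): $recovery"

    Get-DiskEncryptionPosture -MountPoint $MountPoint
}

# Usage:
#   Get-DiskEncryptionPosture            # inspect first
#   Enable-SystemDriveEncryption         # then protect the system drive
```

The check function matters as much as the enable function: a volume can report FullyEncrypted while ProtectionStatus is Off (protectors suspended), and in that state the drive is as exposed as an unencrypted one to the boot-from-USB and pull-the-disk scenarios the article describes.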
Of course, a Windows password is still useful. For example, if you don’t use a Windows password but you do use encryption, and your laptop is stolen while it’s powered on, the attacker can simply open the lid and access your data: the computer is already running and the drive is already unlocked. If the laptop were instead sitting at a lock screen that requires a password, they’d have to restart the computer to try to gain access and, in doing so, would lock themselves out, because the computer forgets its encryption key when it powers off.
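The reasoning above only holds if the machine actually reaches the lock screen when you walk away from it. As an added example (not from the article), the PowerShell below checks and sets the Windows policy that locks an idle machine automatically, so a running, encrypted laptop presents a password prompt rather than an open desktop. It assumes an elevated PowerShell; the registry value is the one behind the “Interactive logon: Machine inactivity limit” security option.

```powershell
# Added example, not part of the original article. Run as Administrator.
# Policy value behind "Interactive logon: Machine inactivity limit".
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LockScreenPosture {
    # Returns $null for the timeout when the policy has never been set.
    $limit = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{
        InactivityTimeoutSecs = $limit
        AutoLocksWhenIdle     = ($null -ne $limit -and $limit -gt 0)
    }
}

function Set-LockScreenTimeout {
    # Windows accepts 0 (disabled) up to 599940 seconds; 10 minutes is a sane default.
    param([ValidateRange(60, 599940)][int]$Seconds = 600)

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -Value $Seconds -Type DWord

    # Belt and braces for the current user: if a screen saver is used, require a password to dismiss it.
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaverIsSecure -Value '1'

    Get-LockScreenPosture
}

function Lock-WorkstationNow {
    # Same as Win+L; useful at the end of a remote session.
    rundll32.exe user32.dll,LockWorkStation
}

# Usage:
#   Get-LockScreenPosture        # AutoLocksWhenIdle should be True
#   Set-LockScreenTimeout -Seconds 300
```

Pair this with the encryption check from the previous example: the lock screen is what forces a thief into the reboot path, and the encryption is what makes that path a dead end.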
Of course, nothing is perfect, and the freezer attack (a cold boot attack, which recovers the encryption key from memory) can be used against encrypted computers that are powered on. However, this is a very advanced technique and you shouldn’t worry about it too much unless you’re concerned about serious government or corporate espionage.