Automatically logging into your Windows PC opens a security hole. When you enable automatic logins, your Windows account password is stored on your PC where any program with administrator access can access it.
If you use a Microsoft account to log in — or reuse an important password you also use for your email or other important accounts — you should stay away from the automatic login feature.
The absolute worst way to enable automatic logins is with the old registry hack. This involves setting several values under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ key in the registry.
You set AutoAdminLogon to 1 and enter values for DefaultUserName, DefaultPassword, and DefaultDomainName. That’s right: you literally type your Windows password, in plaintext, into a REG_SZ value in the registry, where it stays. Worse, the Winlogon key is readable by standard users by default, so any program on your computer, even one running without administrator rights, can pull it out with a single registry query.
You can have your computer automatically log in each time it boots without touching the registry yourself. This requires the User Accounts tool named netplwiz, which isn’t exposed in the normal Control Panel: run netplwiz (or control userpasswords2) from the Run dialog and untick “Users must enter a user name and password to use this computer.” On recent Windows 10 and Windows 11 builds that checkbox is hidden while “Require Windows Hello sign-in for Microsoft accounts” is turned on in Sign-in options.
When you use this tool, you have to enter a username and its Windows account password. After you do, Windows will automatically sign into that account when you boot your computer.
When you use this method, Windows doesn’t store your password in plaintext in the registry, so that’s an improvement. Instead, it stores the password as an “LSA secret”: a value named DefaultPassword under HKLM\SECURITY\Policy\Secrets, encrypted on disk and readable only by the SYSTEM account, not by ordinary users or even by a plain administrator shell. That does provide some additional security, since a program that wants the password has to do a bit more work than reading one registry value. The SysInternals Autologon utility saves your password as the same LSA secret.
But LSA secrets are easy to decrypt for any program that already has administrator access: an administrator can run code as SYSTEM, and Windows itself has to decrypt the secret at every boot, so the key material is on the machine. For example, NirSoft’s LSASecretsView utility will display all of the LSA secrets on your computer, including a saved Windows autologin password, and mimikatz’s lsadump::secrets module does the same.
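As an added example (not code from the original article), here is a PowerShell audit that covers both storage methods described above: it reads the Winlogon key, reports whether the autologon password is sitting in plaintext or has been handed to the DefaultPassword LSA secret by netplwiz or Autologon, flags a Microsoft account, and offers a function to switch autologon off. It assumes an elevated PowerShell 5.1 or later session on the PC being checked. The registry value names are the real Winlogon values; Get-AutologonState and Disable-Autologon are names chosen for this example.

```powershell
# Added example, not from the original article.
# Assumes an elevated PowerShell session on the machine being audited.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutologonState {
    # Get-ItemProperty returns $null for values that do not exist.
    $p = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop

    $enabled   = ($p.AutoAdminLogon -eq '1')
    $plaintext = -not [string]::IsNullOrEmpty($p.DefaultPassword)

    # If autologon is on but no DefaultPassword value is in the registry, the
    # password is almost certainly the DefaultPassword LSA secret written by
    # netplwiz or Sysinternals Autologon. HKLM\SECURITY is readable only as
    # SYSTEM, so this script infers that rather than reading the secret.
    $storage = if ($plaintext) { 'Plaintext in registry (DefaultPassword value)' }
               elseif ($enabled) { 'LSA secret DefaultPassword (netplwiz / Autologon)' }
               else { 'Not stored' }

    [pscustomobject]@{
        AutoAdminLogon    = $enabled
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        PasswordStorage   = $storage
        # A Microsoft account shows up here as an e-mail address; the saved
        # password then also unlocks Outlook.com, OneDrive and the rest.
        MicrosoftAccount  = [bool]($p.DefaultUserName -match '@')
    }
}

function Disable-Autologon {
    # Turn autologon off and delete the plaintext password if one is present.
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0'
    if (Get-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword
    }
    # The LSA secret, if any, is not cleared here: untick the box in netplwiz
    # (or click Disable in Autologon), then change the password, since anyone
    # with admin access may already have read it.
}

# Usage
$state = Get-AutologonState
$state | Format-List
if ($state.AutoAdminLogon -and ($state.MicrosoftAccount -or $state.PasswordStorage -like 'Plaintext*')) {
    Write-Warning 'Autologon is storing a valuable password on this PC; run Disable-Autologon.'
}
```

Reading the registry part works from a standard-user prompt too, which is exactly the point made above: the plaintext variant leaks to any process. Only the remediation needs elevation.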
Whether this matters to you depends on how valuable that password is. If you have a home PC with a weak password like “password” and you really don’t care who logs into it, this is probably fine. Yes, programs on your computer can see that your password is “password,” and so could anyone who sits down at the computer, but they can’t do much else with it besides use that computer (or reach it over the network, if you have Remote Desktop or file sharing enabled).
If you’re setting up a Windows PC as a kiosk and don’t want to worry about logging in, this is also fine, as long as you realize that any password you use here isn’t a secret.
The problem is that many people will use valuable passwords for their Windows login accounts. You shouldn’t reuse passwords, but many people probably use the same password for their Windows 7 account as they do for their email account or other important online accounts. Placing it on your computer where any program or anyone with access could snoop on it is a mistake.
Even more concerning, modern versions of Windows — Windows 8, 8.1, and 10 — all use Microsoft accounts by default. If you log in with a Microsoft account and enable automatic logins, you’ve now saved the password to your Microsoft account on your PC where programs and people with access to your PC can get at it. They can then use that password to access your Outlook.com email, OneDrive files, and anything else your Microsoft account password provides access to.
Windows 8, 8.1, and 10 offer easier ways to log into your computer, saving you from typing that long password every time you boot. You could set up a PIN: a short numeric code that is tied to that one device (and protected by the TPM where the PC has one) rather than being your account password, so it is useless to anyone who copies it elsewhere. You can also use a picture password, or log into your PC via a webcam or fingerprint sensor using Windows Hello on some Windows 10 laptops.
Modern computers should also boot quickly, so you shouldn’t have to sit around waiting for your desktop to become usable while various programs automatically load. If your computer takes a long time to boot, trim down its startup programs and consider upgrading to a computer with a solid-state drive.
If you really do want to automatically log in, set it up on a dedicated local user account with a throwaway password you don’t use anywhere else, not a strong password that you reuse elsewhere, and make that account a standard user rather than an administrator so that whatever runs under it gets as little as possible. Don’t use a Microsoft account to log in, either. As long as you don’t use that password for anything else, there’s no big risk.
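The setup just described, as an added example that is not from the original article: a dedicated standard local account with a throwaway password, handed to Sysinternals Autologon so the password goes into the DefaultPassword LSA secret rather than a plaintext registry value. It assumes an elevated PowerShell 5.1 or later session and that Autologon.exe (downloaded separately from Sysinternals, not included here) is in the current directory; the account name and password are placeholders chosen for the example.

```powershell
# Added example, not from the original article.
# Assumptions: elevated PowerShell 5.1+, Autologon.exe in the current directory.

$User = 'kiosk'                    # hypothetical account name
$Pass = 'kiosk-only-not-reused'    # throwaway; treat it as public, not secret

# Create the account only if it does not already exist.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User `
                  -Password (ConvertTo-SecureString $Pass -AsPlainText -Force) `
                  -PasswordNeverExpires -AccountNeverExpires `
                  -Description 'Autologon account; password is not secret' | Out-Null
}

# Standard user only: deliberately not a member of Administrators.
if (-not (Get-LocalGroupMember -Group 'Users' -Member $User -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $User
}

# Autologon writes AutoAdminLogon, DefaultUserName and DefaultDomainName to
# the Winlogon key and stores the password as the DefaultPassword LSA secret.
# For a local account the "domain" is the computer name.
& .\Autologon.exe /accepteula $User $env:COMPUTERNAME $Pass
```

Because the password is still recoverable by anyone with administrator access on the box, the only thing keeping this safe is that the account is unprivileged and the password is used nowhere else.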