The short answer is yes, absolutely. I think you’re right to be concerned.
I also think there’s an exceptionally important lesson here for everyone.
I want to make sure that everyone is aware of one rule of thumb. In fact, if you remember only one thing from this article, let it be this:
If your computer is not physically secure, it’s not secure.
If someone can physically access your computer, then your computer is not secure.
“What about passwords?” I hear you asking. I’m glad you raised the issue…
Password locks only go so far
You indicated that the computers are “…usually password locked.” I’m assuming that by password locked you mean that either you are not logged in to the machine or a password-protected screen saver is running.
First, usually? That all by itself is a wide-open door. If you’re away from the machine for any length of time while you are logged in, the door is wide open. Anyone can walk up to your computer and do whatever they want, including downloading spyware or doing much worse.
However, things are actually worse than you might imagine. Even when your computer is “locked” using a Windows login or screen-saver password, it’s still very vulnerable.
Think about it. Anyone walking by your machine with a boot disc or bootable USB drive could reboot the machine (by pulling the plug, if necessary), boot from their disc, and get access to everything on your machine.
And just like leaving it unlocked in the first place, that person can also do anything, including installing spyware, reading your data, messing up your files, and doing whatever else they want.
In a more destructive scenario, someone could remove the hard drive or even steal the entire machine. That would be obvious to you, but if you had something that you thought was safe and secure on that hard disk, it could easily end up in the hands of thieves.
Staying physically secure
If scenarios like this concern you, there are steps that I would consider taking:
- Keep the machine in a locked cabinet or room when not in use.
- Consider adding a BIOS password that’s required to boot the machine in any way. (But this is often still vulnerable to hard-disk theft.)
- Consider adding a hard-disk password or using whole-disk encryption that restricts access to the hard drive completely unless the passphrase is specified.
- Use encryption of some sort on your sensitive data.
In your case specifically, I’d get more trustworthy roommates.