My college says to lock your computer - will that make it safe? For example
in Windows, pressing the Windows Key + L locks the computer. It seems to me if
you do lock it there are still a few folks know how to unlock it and help
themselves. So should I feel safe locking the computer?
Not really.
Of course it depends on the situation, but locking your computer is a very
mild form of security. It'll help keep honest people honest, but the rest? Not
so much.
I'll show you why and how and what you really need to be doing instead.
]]>
I liken locking your computer to putting a cheap padlock on a box or door. Most people don't care and won't take the trouble to try and defeat it. In that sense it's pretty cheap and reasonable security.
Unless, of course, someone really wants to get in.
All they need to do is walk up with a bolt cutter of sufficient size and cut the padlock off. It's very easy and quick - if you have the right tools.
The right tools to break into a locked laptop are not only easy, they're free.
You might think that guessing your password would be the way to go, since locking the machine requires that you enter your password to regain access. That's one approach, particularly if you have an easy to guess password. (It's kinda like picking that padlock above - if it's a really cheap padlock, or you're really good at picking, perhaps it'll work.)
I'd skip that step completely and bring out the equivalent of the bolt cutters right away. Here's what I'd do:
-
I'd get a copy of the Offline NT Password and Registry Editor (I've discussed it more in a prior article: I've lost the password to my Windows Administrator account, how do I get it back?.)
-
Then I'd force the machine to reboot - turning it off if necessary - and booting into that tool.
-
I'd reset the administrator password.
-
I'd reboot the machine and login as administrator.
-
I'd then have total access to anything on the machine.
Yes, it really is that easy, and is exactly why I so often repeat:
If it's not physically secure, it's not secure.
I'm sure that there are other approaches as well, it's just one example of a virtual bolt cutter I happen to know works well.
So, what to do?
Locking your computer is not a bad idea. As I said, it'll keep honest people honest, and also keep out those who are less technically competent (i.e. those that don't know how easy it is to get in).
And it's possible that in doing so, along with traditional security like not leaving your computer unattended in public places, that it might be enough. Knowing how easy it is for someone to get it, though, that's a judgment call you'll have to make based on the importance and privacy of what's on your computer and the real likelihood that anyone would actually care enough to try and break in.
If you feel you need more security than that, then:
-
Never, ever let anyone use or borrow your computer.
-
Never, ever leave your computer somewhere where it can be accessed by someone else - running or not, locked or not.
-
Strongly consider using encryption to keep your data secure, and only decrypting as needed or making sure to turn on auto-dismount options in tools like TrueCrypt.
-
Always use a strong password.
Sadly it's all too easy to walk up to a computer and access everything there is on it. Particularly for laptops, which can of course be easily lost or stolen, there's a real concern about data loss and data privacy.
Its important you understand the risks, and take steps appropriate to your situation to protect yourself.
Many computers have the ability to set a boot password, which will prevent (most) people from even getting to the point where they could boot from CD. Though, as you said, “If it’s not physically secure, it’s not secure“, since the computers all have some method of clearing that password. (Typically, this involves opening the computer and shorting two pins.) It’s the slightly-less-cheap padlock on the outside door that they need to get through before they can remove the other cheap padlock. :-)
Of course, if someone was that determined to get in, they’d probably just walk off with the entire computer. Not very subtle, but they’ll still have access to all the data on the computer.
I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough.
“I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough.”
Absolutely and completely untrue. The 256-bit AES encryption algorithm as a practicle matter is unbreakable for the foreseeable future. AES is so mathematically complex that today’s fastest supercomputers would have to work on the problem for many, many decades before they would be able to break it.
Physical access or not, AES (which TrueCrypt uses) will keep valuable personal information safe, as long as a strong password is used.
06-Jan-2010
quoted: I remember reading somewhere that once somebody has physical access to the computer (or at least the HDD), no encryption is good enough.
Posted by: Me at January 5, 2010 11:15 AM //
Maybe you read it in the article you commented on … the large bold print that says “If it’s not physically secure, it’s not secure”.
06-Jan-2010
Hello Leo, Find your site both informative & enjoyable.
Re Safe Lock Up of Your Computer.
Assuming my LT computer is stolen & unlocked by the thief.
If I store sensitive info within Gmail [like in ‘Gmail contact notes] & create a solid pw for my Gmail sign on. How secure would this be?
My laymans logic tells me that Google could not be hacked easily & even if a hacker did this, crunching a Google sign on pw would also be difficult for an external hacker?
I have coupled the above set up with a Nortons Identity pw on my computer which i assume will make it doubly difficult for a thief ever gets his hands on my LT & unlocks it.
He would have to crack both the Nortons + my Gmail Sign On pw’s to get amongst my sensitive stuff. Good Idea, or am I missing something?
I just back my Ho Hum files up on multi Flash Drives.
Alan
06-Jan-2010
I just got a brand new laptop, and at first used the fancy drive encryption that I thought would keep prying eyes off my data. The only problem is it was so INTRUSIVE, and became a pain in the toucas, that I finally turned it off; so much for good tools but not wanting (or liking) to use them.
How “solid” is your GMail password? Do you have it written down anywhere (digital or paper)? Do you have GMail password recovery turned on? Are the hints easy to guess? Are you using HTTP or HTTPS to access your GMail (if HTTP your Password and email can be intercepted when you are reading it)?
The only way you can be sure that your files are unreadable at GMail is if they are encrypted. Which gets you back to encrypting your HD. Make sure to encrypt the whole HD, not just files, folders or partitions.
@Tom R
Absolutely WRONG. The world’s best super computers can crack AES in a couple of days. You and I don’t need to worry about that because they are mostly used by scientists for research or government agencies to process certain data. However, for the average Joe Bloggs on the street with a Quad-Core 2.6 Ghz it will indeed take not only years, but decades to crack the encryption. Also, AES is strongest when the longest possible password is used, which would mean a 256 character password. Most people’s password’s are probably less than 64 characters and therefore, there is a reduction in the strength offered by the encryption.
I think that is a little overkill. If someone did that the user would notice that the PC had been hacked because it would no longer be logged in to his account when he arrives to his PC…
I think that for a normal working situation, like an office or college locking your PC with a good password is safe enough. I believe there is no way to get into someones account (without knowing his pwd or an admin pwd) and leave it un-noticeable…
07-Jan-2010
Just wanted to add a little note concerning Gmail. As of January, 2010 Gmail is sent via HTTPS: (encrypted) as opposed to HTTP: that was previously used.
Additional information for Tom R. (and others!):
1. TrueCrypt doesn’t “just” use AES. It can be configured (if desired) to use THREE ciphers in series — AES, Twofish, and Serpent — either in that order, or in the reverse order. Other combinations of these are also possible.
2. Leo is correct about using a passphrase, rather than a password. Ideally, your passphrase should have these eight (8) characteristics:
1. Uppercase letters.
2. Lowercase letters.
3. Numbers.
4. Punctuation (e.g., “,:;-?! and so forth).
5. Symbols (e.g., @#$&*+ and so forth).
6. Spaces (use your spacebar!).
7. Respelling (no word anywhere in your passphrase should be findable in any dictionary — say “kwean”, not “queen”!).
8. A long length (15 characters or longer, and the longer the better).
Hope this helps!
re:
“I think that for a normal working situation, like an office or college locking your PC with a good password is safe enough. I believe there is no way to get into someones account (without knowing his pwd or an admin pwd) and leave it un-noticeable…”
_ _ _ _ _ _ _ _ _
I had a laugh with one of the admin. assistants at one of the bosses where I work,
it seems that all the PC’s on the domain are accessible by me from my work station as long as they are turned on and connected to the network,
if I browse “my network places”
find the machine I want to look at
then use the administrative share for the root of the system drive of said machine,
I can look at any & everything on the machine, including their “Documents” folder, “Desktop”, “Temporary Internet Files” etc.
I dropped a text file onto one of the bosses Desktop:
HiBoss.txt
It seems that internal network security is as necessary as physical security of the machine
I don’t believe anyone here has set their “my documents” folder to Private as they’ve all been redirected to the server for the nightly backups
as well as that’s the primary share point for sharing files
so I haven’t had the opportunity to attempt to access a “Private” “My Documents” using this method of “administrative access”.
password protect the bios
disable booting from anything but the volume you should be booting from
Still not as good as physically securing the machine, but better…
get a fingerprint reader and use this to access your computer. it works in conjunction with a password, so make sure you have a very strong password – there are programs available which can randomly generate a password for you.