The 4 most important steps.
It takes much more than a strong password. In fact, it takes at least a couple of passwords, plus some settings, plus some encryption on top of it all.
Given that laptops are so easily lost and/or stolen, let’s walk through the four steps I recommend to protect the valuable data you have stored on them.
Protecting laptop data
- Lock your UEFI/BIOS with a password to prevent unauthorized people from booting the machine or making changes.
- Lock your hard disk with whole-disk encryption to prevent data access, even if the drive is physically removed.
- Secure your login with a strong password to prevent the exposure of data.
- Lock your machine with a physical lock to prevent someone from stealing it and attempting to break in at their leisure.
1. Lock your UEFI
If your computer’s UEFI supports it, configure it to require a password to be able to boot. This prevents strangers from even starting your machine, much less accessing what’s on it directly.
Exactly how you do it will vary depending on the make and model of your computer. Not all UEFI interfaces are the same, and not all support the same set of features. Check with your computer’s manufacturer for specifics. If you’re able to set one, do not forget the password.
This will not only prevent someone from accessing what’s on the machine but will also prevent them from making changes to the machine. For example, with a BIOS password set, they should not be able to change the boot order and boot from anything other than the settings you’ve chosen.
While you’re at it, turn on Secure Boot, if it’s not already on. This prevents the computer from booting untrusted operating systems or installing unauthorized UEFI replacements. Caution: turning Secure Boot on or off may change how your system boots and render the operating system inaccessible. If this happens, simply revert the change and the machine should return to normal, and consider enabling Secure Boot before your next operating system installation instead.
2. Lock your hard disk
This is the single most important step on this list. By “lock your hard disk”, I mean use whole-disk encryption. This can take any of several forms:
- Windows BitLocker, if your edition of Windows supports it. Make absolutely certain to back up the encryption key when offered.
- VeraCrypt whole-disk encryption. As it is passphrase-based, do not lose or forget the passphrase.
- A hard disk encrypted at the hardware level. This manifests much like a UEFI password: you must specify a passphrase prior to being able to boot from the drive. Once again, do not lose the passphrase.
Encryption is the ultimate protection for your data. Even when all else fails and a hacker or thief makes off with the hard drive from your machine, they still won’t be able to access the data on it without knowing the passphrase or encryption key.
Neither will you, should you ever lose the key or forget the passphrase… so don’t.
3. Lock your login
You should have a strong password for your computer’s login, particularly if you use a Microsoft account. Unlike a local machine account, your Microsoft account is also accessible — and therefore vulnerable — online.
Using additional login methods — like a PIN or facial recognition — is something I discourage for mobile computers with sensitive data. They represent additional places hackers can poke and prod. Guessing your strong password is unlikely, but a short PIN can easily be exposed in other ways. It concerns me that a good photo might squeak by facial recognition tools, so I’d avoid it as well.
Long, strong passwords remain the best protection.
While you’re at it, make sure there are no additional login accounts enabled on your machine. If the normally hidden account called “administrator” is enabled, disable it (assuming your normal login account is administrator capable).
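Steps 1 through 3 can be checked from inside Windows. The following audit script is an added example, not part of the article; it assumes Windows 10/11 with the BitLocker module installed and an elevated PowerShell session. The UEFI password itself is not visible from Windows and still has to be verified in the firmware setup screen.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): report on the three software steps above.
function Get-LaptopLockdownReport {
    $report = [ordered]@{}

    # Step 1: Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines
    # or where the firmware does not support it, so treat an exception as "unknown".
    try {
        $report['SecureBootEnabled'] = Confirm-SecureBootUEFI
    } catch {
        $report['SecureBootEnabled'] = 'Unavailable (legacy BIOS or unsupported)'
    }

    # Step 2: BitLocker on the OS drive. ProtectionStatus is On only when the
    # volume is encrypted AND its key protectors are active. A RecoveryPassword
    # protector is the 48-digit key the article tells you to back up.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $report['OSDriveProtection']  = $os.ProtectionStatus   # On / Off
    $report['OSDriveVolumeState'] = $os.VolumeStatus       # FullyEncrypted, etc.
    $report['HasRecoveryPassword'] = [bool](
        $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Step 3: the built-in Administrator account (RID 500, whatever it is named)
    # should be disabled, and every other enabled local account should be one you expect.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $report['BuiltinAdminName']    = $builtinAdmin.Name
    $report['BuiltinAdminEnabled'] = $builtinAdmin.Enabled
    $report['EnabledLocalAccounts'] = (Get-LocalUser |
        Where-Object Enabled | Select-Object -ExpandProperty Name) -join ', '

    [pscustomobject]$report
}

# Print the report; a finding of BuiltinAdminEnabled = True is fixed with
# Disable-LocalUser -Name <that account>, once your own account is an administrator.
Get-LaptopLockdownReport | Format-List
```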
4. Lock your machine
When traveling, a friend of mine never leaves his laptop alone without physically locking it to something else in the room, like a table.
Most laptops have a slot for what’s called a Kensington lock. It’s a standard design to securely tether mobile devices in place.
Even with all the precautions already taken — UEFI passwords, encrypted disks, and secured accounts — it’s still important to make sure the laptop itself can’t be stolen.
As I’ve said many times, if it’s not physically secure, it’s not secure.
A story from the trenches
Much of the above came to mind when a friend handed me a laptop and asked me to see if I could make it usable again. It had been part of a corporate network that they no longer had access to, so they could not sign in. They just wanted to be able to use the machine for themselves, and didn’t really care about what was on it; any photos could be restored from copies on their mobile phone.
I discovered the machine’s hard disk had been encrypted using BitLocker, and of course we did not have access to the corporate encryption key. The result? The data on the machine was completely inaccessible. I was able to back up the hard disk, but the encryption remains in place. I’m not sure the backup will ever be useful, other than to restore the machine to the state it was in when I got it.
On the other hand, without needing a UEFI password, I was easily able to change the boot order and boot from a Windows 10 setup drive. This allowed me to install Windows 10 from scratch and erase everything on the drive, encrypted or not.
I hate to harp on it, but…
Much of what I’ve described above relies on an encryption key, passphrase, or strong password.
Do not lose them. If you do, you will be the one locked out, and everything on your machine may be rendered inaccessible. That’s the whole point of this type of security.
There are no back doors.
I mention this — again — because of the fairly constant stream of questions from folks wanting to get into accounts or devices for which they’ve lost their passwords, passphrases, or encryption keys.
Leo,
I don’t know about all laptops, but I have a Dell and an HP that I set BIOS passwords on. These two manufacturers allow for 2 BIOS passwords: a system password that is needed to make changes to BIOS/UEFI settings and a second one that allows the computer to start, similar to Admin and User accounts in Windows.
I bought the Dell laptop a few months ago and after setting the BIOS password, became irritated that even though I made the setting change to allow bypassing the password on restart, the system still asked for it. When I decided to clear the password, I discovered I couldn’t.
I took the computer to where I bought it to get an idea of what the problem was. The technician’s response to the words “BIOS password” emphasized your admonition not to forget these passwords. After reassuring him that I hadn’t forgotten it, he visibly relaxed.
Turned out that I had to wait for Dell to come out with a BIOS update to correct the problem.
I got into the habit of doing exactly what you’ve recommended a few years ago. Losing one of my laptops would be irritating but, if they weren’t protected, their loss would be devastating. I can always restore from a backup.
Last February I bought a new Medion notebook. I got it with its Win10 installer already corrupted, a card reader broken, and the mouse had to be replaced by an external one. Lately, it plays havoc all the time: it flat-out stops working or moves on its own.
HINT: unable to connect to my Microsoft account to get their Live Agent assistance either! Still having my access to Twitter during last weekend and asking them for their assistance provided radio silence only. They work only on business days.
Long story short: after a zillion attempts to fix it on my own, right now I’m completely locked out by a **Super Administrator Account**. It requires its password for anything now! And this is the worst problem for me right away. Booting in safe mode is blocked by the same password! I do work from home yet lost every access to my patients!
This occurred after I downloaded and installed their authentic Media Tool from the Microsoft site last week. It was hacked or so, as after its installation I **lost my ownership** for now.
Yes, I can only use a password-free secondary account and the Chrome browser, while knowing every Chromium-based browser got hacked long ago. Phew. No, I can access neither my email nor social media accounts today. This would be dangerous anyway, eh? No chance to open my registry, settings, and even less the “Properties”. There instantly pops up the requirement for the password of that damned **Super Administrator Account**!
My Internet is also fully controlled by hackers. Contacting my provider last Saturday led to losing the WLAN connection with its 1GB/s bandwidth! Only the WIFI works somehow, but it is slow like molasses in January, ugh. And I hate this! Even worse, my two SIMs from the same provider are also fully controlled by hackers, including the Apple Store AND Apple Pay…
Despite sounding like a genuine catastrophe, I need help asap, PLEASE.
Blessings and stay safe out there!
PS: posting as a guest as I have no access to email right now to confirm my registration. TY for your comprehension.
Isn’t it still under warranty? As far as I know, computers sold in Europe have a 2 year warranty.
Sad story. Sounds like either the computer purchased is a total lemon and he needs to take it back to whoever supplied it and have an argument about the warranty, or the machine has been infected with malware that has locked it down…
Passwords that we use everyday, even difficult ones, we can generally remember.
Passwords that are used infrequently are the ones that we’re more likely to forget.
This is clearly where a password manager is essential.
You also need an alternative way of accessing the password manager. It does not help if your BIOS password, user login, or Wi-Fi password are in a password manager if you can’t get into the PC or onto the internet to access the password manager.
In addition to securing critical data, think about a recovery plan if you are disabled (stroke, coma) or dead & someone else has a legitimate need to access the data.
I’m pretty paranoid / take security seriously but I’ve never been brave enough to install a password to protect the BIOS.
Need to rethink this one…
If you use whole-disk encryption, you may not need to password protect the BIOS because there’s no way anybody can access anything on your computer. A BIOS password can render the computer useless to anyone who steals it but they would still be able to take the HDD out and access any unencrypted files. Be careful with backups, though. A system image backup should also be encrypted.
I don’t password protect my BIOS either. But it’s an important level of additional security for some situations. (Just not mine.)
Further consideration:
If you have shared critical files (file share, Dropbox, GoogleDrive, OneDrive) you need to have an agreement on security with the person who is sharing those files.
I’m particularly sensitive about those shares done via e-mail where the system says “these files will be available to anyone who has this link”.
Yes. If the files are sensitive, password protect the files and share the password by another medium such as a phone call. Zip encryption is the simplest and is very good for that.
The emphasis in this article is on loss of a computer by theft, rather than loss of data. However, the two are not always exclusive. I will demonstrate that.
I have all of my data under my administrator-privileged account in a single DropBox folder. I never leave any actual data in system folders such as “Pictures”, “Music”, etc., including “Desktop”. Anything of value on my Desktop is a link to a file or folder in DropBox. In addition, all of my sensitive data are in encrypted VeraCrypt volumes which generally exclude folders of photos, music, and videos. I do daily incremental backups on my primary computer, so it would be difficult to permanently lose any data. Given this setup, one would think that I have no worries about data loss.
If a thief were to acquire my laptop, and be able to log in, he would have immediate access to my data since all of it is on DropBox. Granted, my sensitive data are in encrypted folders, but they are still vulnerable to deletion. Using my primary computer I would never be sure when or if the thief would delete all or part of the contents of my DropBox. Sure, I could restore it from the backup, but at some point I would not really know which of my backups are still intact since the loss of the laptop. I could solve the problem by creating a new DropBox ID and then copy all of my data into that. But even that would not be 100 percent sure that my data is intact.
So, if I have a laptop that can be lost or stolen, I would definitely choose to encrypt the drive, so the thief would not have access to delete any data.
I have a comment and maybe a question about the loss of the encrypted drive’s passphrase. I have created a recovery disk using both the Windows version and one made by Macrium Reflect. If I had encrypted my laptop’s hard drive and forgot the passphrase, I could restore it using one of these. I have not tried this yet, so I am not really sure. Any comments?
In theory, yes. At least with Macrium you’re backing up the unencrypted data (Macrium doesn’t know that whole drive encryption is at play — like any other app it sees unencrypted data).
I disagree about Windows userids. My preference is to use a restricted userid all the time with a second admin userid at the ready. Hopefully the restricted userid prevents malware from running at system startup ALL the time. It can run at startup of the restricted user but should not be able to run when the admin user logs on.
Even ignoring that, everything breaks, including Windows userids, so having two just seems the prudent thing to do.
I have an old Compaq laptop that I bought in 2010. It came with Windows 7, but when it was offered free by Microsoft I upgraded to Windows 10. It creeps along under the weight of this monster OS. It has 3GB RAM, a 218GB hard drive, and a dual-core 2.1GHz AMD processor. Not exactly a super computer by today’s standards. I use it for experimenting. Encrypting the drive is such an experiment.
I first made a backup image using a free version of Macrium Reflect and a Reflect rescue CD. Then I started the encryption process with VeraCrypt and recorded the steps on my desktop computer. Encrypting the entire main drive is a little more involved than creating an ordinary encrypted volume. It works flawlessly, but I don’t recommend it to those faint of heart. The encryption of the drive took 3 hours and 23 minutes. After completion I rebooted the laptop. It came up with a DOS like screen where I had to enter the password. After that it did some verification and the Windows 10 login page came up as usual.
There was one odd thing. The steps of encryption took me through the creation of a VeraCrypt rescue disc which produced an .iso file that was then burned onto a CD. So far so good. When it was over I wanted to see the contents of the CD, but it was not recognized by my desktop computer. In the laptop it was recognized, but did not show anything on the CD. Now I wonder if this rescue CD will be of any help if or when I need to use it.
Since you are using whole disk encryption, you can safely set Windows to login automatically without a password and save some time.
I have a 2010 Sony Vaio. I upgraded to 8GB Ram and put in a 256GB SSD. It runs Windows 10 very smoothly and feels like a modern computer. From my experience RAM and an SSD can do wonders to rejuvenate an old machine. Before SSDs became popular and cheap enough, I upgraded a 10 year old laptop with 16GB RAM and a new medium speed GPU (graphics card). It also lasted a few more years.