The 4 most important steps.
It takes much more than a strong password. In fact, it takes at least a couple passwords, plus some settings, plus some encryption on top of it all.
Given that laptops are so easily lost and/or stolen, let’s walk through the steps I recommend to protect the valuable data you have stored on it.
Become a Patron of Ask Leo! and go ad-free!
Protecting laptop data
- Lock your UEFI/BIOS with a password to prevent unauthorized people from booting the machine or making changes.
- Lock your hard disk with whole-disk encryption to prevent data access, even if the drive is physically removed.
- Secure your login with a strong password to prevent the exposure of data.
- Lock your machine with a physical lock to prevent someone from stealing it and attempting to break in at their leisure.
1. Lock your UEFI1
If your computer’s UEFI supports it, configure it to require a password to be able to boot. This prevents strangers from even starting your machine, much less accessing what’s on it directly.
Exactly how you do it will vary depending on the make and model of your computer. Not all UEFI interfaces are the same, and not all support the same set of features. Check with your computer’s manufacturer for specifics. DO NOT forget the password.
This will not only prevent someone from accessing what’s on the machine but will also prevent them from making changes to the machine. For example, with a BIOS password set, they should not be able to change the boot order and boot from anything other than the settings you’ve chosen.
While you’re at it, turn on Secure Boot, if it’s not already on. This restricts the computer from booting into untrusted operating systems or installing unauthorized UEFI replacements. Caution: turning Secure Boot on or off may change how your system boots, and render the operating system inaccessible. If this happens, simply revert the change and the machine should return to normal. Consider setting Secure Boot prior to your next operating system installation if this happens.
2. Lock your hard disk
This is the single most important step on this list. By “lock your hard disk”, I mean use whole-disk encryption. This can take any of several forms:
- Windows BitLocker, if your edition of Windows supports it.2 Make absolutely certain to back up the encryption key when offered.
- VeraCrypt whole-disk encryption. As it is passphrase-based, do not lose or forget the passphrase.
- A hard disk encrypted at the hardware level. This manifests much like a UEFI password: you must specify a passphrase prior to being able to boot from the drive. Once again, do not lose the passphrase.
Encryption is the ultimate protection for your data. Even when all else fails and a hacker or thief makes off with the hard drive from your machine, they still won’t be able to access the data on it without knowing the passphrase or encryption key.
Neither will you, should you ever lose the key or forget the passphrase … so don’t.
3. Lock your login
You should have a strong password for your computer’s login, particularly if you use a Microsoft account. Unlike a local machine account, your Microsoft account is also accessible — and therefore vulnerable — online.
Using additional login methods — like a PIN or facial recognition — is something I discourage for mobile computers with sensitive data. They represent additional places hackers can poke and prod. Guessing your strong password is unlikely, but a short PIN can easily be exposed in other ways. It concerns me that a good photo might squeak by facial recognition tools, so I’d avoid it as well.
Long, strong passwords remain the best protection.
While you’re at it, make sure there are no additional login accounts enabled on your machine. If the normally hidden account called “administrator” is enabled, disable it (assuming your normal login account is administrator capable).
4. Lock your machine
When traveling, a friend of mine never leaves his laptop alone without physically locking it to something else in the room, like a table.
Most laptops have a slot for what’s called a “Kensington Lock”. It’s a standard design to securely tether mobile devices in place.
Even with all the precautions already taken — UEFI passwords, encrypted disks, and secured accounts — it’s still important to make sure the laptop itself can’t be stolen.
As I’ve said many times, if it’s not physically secure, it’s not secure.
A story from the trenches
Much of the above came to mind when a friend handed me a laptop and asked me to see if I could make it usable again. It had been part of a corporate network that they no longer had access to, so they could not sign in. They just wanted to be able to use the machine for themselves, and didn’t really care about what was on it; any photos could be restored from copies on their mobile phone.
I discovered the machine’s hard disk had been encrypted using BitLocker, and of course we did not have access to the corporate encryption key. The result? The data on the machine was completely inaccessible. I was able to back up the hard disk, but the encryption remains in place. I’m not sure the backup will ever be useful, other than to restore the machine to the state it was in when I got it.
On the other hand, without needing a UEFI password, I was easily able to change the boot order and boot from a Windows 10 setup drive. This allowed me to install Windows 10 from scratch and erase everything on the drive, encrypted or not.
I hate to harp on it, but …
Much of what I’ve described above relies on an encryption key, passphrase, or strong password.
Do not lose them. If you do, you will be the one locked out, and everything on your machine may be rendered inaccessible. That’s the whole point of this type of security.
There are no back doors.
I mention this — again — because of the fairly constant stream of questions from folks wanting to get into accounts or devices for which they’ve lost their passwords, passphrases, or encryption keys.