
If I have nothing to hide, do I still need a Windows password?

Question:

I have nothing on my machine that is personal, revealing, or that I would be
particularly concerned for anyone else knowing. Is there a valid, serious
reason to use a password? My machine is live and open to the internet 24/7. Am
I putting myself or my data in any jeopardy?

Possibly, maybe.

There are two issues that factor into this.

One: how likely it is that someone will access your machine in a way that a
password would have stopped them.

Two: how much personal information is really on the machine, and whether
you’d care if it were stolen or made public.

Only one of those two is really under your control, and even then, only if
you’ve really thought it through.

There’s more on your machine than you think

I believe that if you took a close inventory of everything on your machine –
everything from your browsing history to the emails you send and receive to the
programs you run to the documents you open and the pictures you view – you’d be
surprised at how much information about you is on your machine.

Think about it.

It’s possible that remnants of everything you’ve ever used that
computer for are present and available to someone who knows where to look.

I’m not talking about malicious software; I’m just talking about the information
that accumulates or remains when using the computer normally. Things like
deleted files, document and web history, the browser cache, and system and software
logs are all potential sources of information that may be present on your
computer as a side effect of simple, everyday use.

And then, of course, there are your files: everything from emails to
documents to photographs to whatever else you have there.

I’m guessing that there’s something on your computer that would
make you at least uncomfortable if made public or stolen.

We’re not that interesting, but…

One of my common statements to people concerned about tracking is “You’re
just not that interesting.”

By that, I mean that the chances that some person or some industry is
tracking or targeting you specifically are incredibly low; so low
that in most cases, it’s not worth worrying about.

But that doesn’t mean you can stop worrying completely.

  • Malware doesn’t target you specifically … it targets anyone who’s
    not protected.

  • Identity thieves don’t target you specifically … they’ll happily take the
    identity of anyone that they can.

  • Burglars don’t target you specifically … they’ll break into and steal
    from anyone, from whichever home or resource they find
    unprotected.

You still want to make sure that the “anyone” isn’t you.

No matter how uninteresting you may be.

The under-estimated risk: impersonation

In my opinion, the real risk that most people neglect to think about is
impersonation.

It’s easy to think about the files that you keep in your folders and not
really care about documents or photos getting into the hands of a stranger. And
that’s often a pretty fair assessment, as it really does come back to the fact
that in general, we’re just not that interesting as individuals and we do (for
the most part) have a sense for the relative risks associated with what we
have.

It’s all that other information that I mentioned above that we might not realize
is being kept that makes things less obvious.

For example, it might be possible to login to one of your online accounts
as you with information scavenged from your computer.

That’s a whole different scenario. Now, someone can pretend to be you and
start scamming your friends and contacts (information also scavenged from your
machine or from the online accounts that they’re able to access).

Or worse, you could become a victim of identity theft.

What you do control

You don’t control the information that’s stored on your machine as you use
it (at least not in any absolute sense) and certainly not in any simple or
easy-to-adjust sense.

However, you can control access to the machine.

There are several ways:

  • Physical Access: This is one that a lot of people take for
    granted, until their computer is stolen. Most of us believe that our computers
    at home are fairly physically secure and immune from random people walking up
    and using the machine. That’s often fairly true, but also often not absolute –
    especially in the face of burglary. Another of my frequent statements is “If
    it’s not physically secure, it’s not secure”.

  • Remote Access: By and large, most machines’ default
    configurations disable remote access, and most remote access solutions
    require some kind of password, but these are important to at least
    consider if used.

  • Malicious Access: Malware is something we control to a
    point. By that, I mean that it’s something that we, by virtue of understanding
    how to stay safe on the internet, control through the use of appropriate
    counter-measures, such as firewalls and anti-malware software, as well as our
    own behavior.

The degree to which you feel comfortable not password-protecting your
machine should be a function of how well you’ve protected yourself from those
scenarios in other ways.

Machine passwords are not absolute, by any means. Anyone with physical
access and a little bit of knowledge can reset the administrator password
on a Windows machine. Once it reaches your machine, malware is often
(although not always) past the point of needing a password.

But a password on your Windows machine can provide an important roadblock
keeping many intruders at bay.

What I do

My desktop machine has no password. Reboot and it logs in as me.

Now, before you go calling me a hypocrite, I will point out that this was not
a decision made lightly. I have considered all the ramifications for
the access scenarios that I’ve listed above.

  • Physical: While I suppose that I’m at some risk for burglary like anyone
    (although the dogs and the alarm system may have something to say about that),
    very few people wander through my home and fewer still my office.

  • Remote: I do run Remote Access software and have taken steps to ensure that
    not only is my firewall set up properly, but the Remote Access software itself
    is set securely and requires a password to actually grant access.

  • Malicious: Given how often I write about it and think about it, I’m almost
    required to be the “poster boy” for staying safe online. Anti-malware tools
    running and good online behavior are the order of the day.

There’s one additional step that I’ve taken that adds a layer of security to my
setup.


TrueCrypt

Reboot my machine and the vast majority of what I consider my important data
is still not accessible. In order to access the most sensitive data, a thief
would need to enter not just a password, but a pass phrase.

Finally, my laptop – the machine I actually take with me when I travel and
stand the highest probability of losing – is password protected.

And TrueCrypt protected as well.

If the risk of theft is high and particularly if the cost of theft
is high, you might consider something similar or go even further with
whole-disk encryption and/or a BIOS password.

10 comments on “If I have nothing to hide, do I still need a Windows password?”

  1. When I first jumped from Millennium Windows with no access to the Internet to a Windows 7 and a router allowing Internet access, I had a quantum leap to go in terms of thinking about the security of my documents. Like the author of the article, I have “nothing to hide.” My wakeup call came with discovering the “Index” feature in Windows 7. In My Documents and Windows Explorer, there’s a small white search slit in the upper right corner of the screen. All I see written on there now is “Searc.” The idea is that if you forget where a file is located, you try to remember a word or phrase from what you once gave it as a filename, or a word or phrase that you think is in the document itself and key it into the slit. Any hackers using this feature on your machine remotely or having stolen your computer can key in things like “taxes” or “bank” or “Social Security,” or “Letters,” “Addresses,” etc. In each case every filename and every document that contains the word will instantly come up on the screen. In List View, I look through the list, generally find the document, and click on the filename to open it up. So can the hackers. Suppose they go to “Letters” and you have a template letterhead that includes your name and address that is thus plastered on every letter you wrote, unless you erased it before a final save. You just gave the identity thieves that information. The indexing feature is a wonderful tool in your hands but not in those of the net crooks. Suppose you had a letter explaining the dates of your upcoming trip. This is a nice tipoff to a thief who might come to your home while you are away. I’m much more careful today about naming folders although I’m not changing words in documents themselves. If I were you, I’d get a good 12 or more character password. The Leo Archives has plenty on this subject. Do everything you can to stay out of the attention of the bad guys. 
Yes, it is a lot easier to turn on your computer and have it instantly ready to go, but besides other passwords I use, I make sure I have a password that I require of myself to get into my machine after it has been turned on. Sometimes “friends” and co-workers can operate your computer when you are in another room or gone for a few hours. Some people are just nosy. Others do it with evil intent. In any case, passwords would have stopped them. Otherwise, you leave yourself wide open to potentially nasty repercussions.

  2. The biggest concern, IMHO, hasn’t been mentioned. If your system is connected to the Internet and is easy to get into, the possibility exists that someone may try to use it remotely for their own purposes (i.e., make it part of a “bot net” – check out the definition on Wikipedia).

    Unknown to you, your machine could be used to host phishing sites, send spam, be set up for use for drive-bys, participate in a DDoS (distributed denial of service attack) – the list is endless.

    Now usually the guys with black hats tend to go for the higher traffic systems such as high end servers used to host websites, ftp sites and so on, but ordinary PCs will serve just as well, especially when used in conjunction with tens of thousands of other compromised machines just like your humble and unassuming home computer.

    The harder it is to get into your system, the better – even if it causes you some inconvenience.

  3. Surely the answer is that some users do need a strong Windows login password and others perhaps none at all.
    Myself, although Laptop is usually in my bedroom do keep a short simple one on at all times. But when I travel do change it to a longer and far more complicated one.
    In general do feel that many users think that the Windows login password does give their comp. some magical protection, and I suppose in some ways it does, as it would normally be a human who would be trying to break it. But do feel that they should put more effort into their Internet passwords.
    Only other point that comes to mind is that although I am aware of how to reset Windows login Password (Thanks to your good self), this is not all that easy for the normal user (Indeed most have no idea it can be done), ergo most should have a reasonably strong password set up and that this should be changed reasonable often, certainly on every occasion the password is revealed (for whatever reason) to someone else.

  4. Did I miss something – what about possible links to monetary info and the user’s contact list? If not used for email – what is the machine being used for?

  5. Don’t you need a Windows password if you intend on using certain features such as scheduling tasks in the Task Manager? Seems to me that I had to add a password to my account in order to create scheduled Windows tasks?

    That’s correct. Remote Desktop comes to mind as another feature that requires you have an account password. Many people configure their machines to login automatically even when it has a password, though, raising many of the same issues as the article.

    Leo
    18-Nov-2012
  6. Like Leo, I don’t bother with a password (except when going away), but then I live alone and so no-one can access my computer without stealing it. If it were stolen, I would have to treat the data as compromised even if it were protected, as a password can be cracked or circumvented fairly easily.

    If you do use a password, make sure you don’t lose it, as the cracking procedure, particularly on Windows 7, does the operating system no good at all: having helped out a friend once, I know!

  7. People do not think about the possibilities of identity theft! I was also naively believing in this ‘I don’t have anything worthwhile to protect/hide theory’. Normal people always think on simple and direct possibilities. But, criminals go deep and dig out all possibilities. While we have no interest in immoral activities, they don’t have any qualms in doing them.

    A stolen identity can be used for spam and scam. It can also be used as unintended agent of money laundering, messaging, who knows even for terrorist activities.

    Put it simply, we are careless in anything because of two things. We don’t know the possibilities, and even if we get to know them, we believe that it won’t happen to us!

  8. What about Android Tablets? Is there a way to password protect them? I know that’s way off topic but I’m curious and concerned.

  9. @Elwood
    I have my Android phone password protected. I consider that more important than protecting my computer because it’s much easier to be lost or stolen. Unfortunately, I don’t know how secure this password protection is.

