I have nothing on my machine that is personal, revealing, or that I would be
particularly concerned for anyone else knowing. Is there a valid, serious
reason to use a password? My machine is live and open to the internet 24/7. Am
I putting myself or my data in any jeopardy?
There are two issues that factor into this.
One: how likely it is that someone will access your machine in a way that a
password would have stopped them.
Two: how much personal information is really on the machine, and whether
you’d care if it were stolen or made public.
Only one of those two is really under your control, and even then, only if
you’ve really thought it through.
There’s more on your machine than you think
I believe that if you took a close inventory of everything on your machine –
everything from your browsing history to the emails you send and receive to the
programs you run to the documents you open and the pictures you view – you’d be
surprised at how much information about you is on your machine.
Think about it.
It’s possible that remnants of everything you’ve ever used that
computer for are present and available to someone who knows where to look.
I’m not talking about malicious software; I’m just talking about the information
that accumulates or remains when using the computer normally. Things like
deleted files, document and web history, the browser cache, and system and software
logs are all potential sources of information that may be present on your
computer as a side effect of simple, everyday use.
And then, of course, there are your files: everything from emails to
documents to photographs to whatever else you have there.
I’m guessing that there’s something on your computer that would
make you at least uncomfortable if made public or stolen.
We’re not that interesting, but…
One of my common statements to people concerned about tracking is “You’re
just not that interesting.”
By that, I mean that the chances that some person or some industry is
tracking or targeting you specifically are incredibly low; so low
that in most cases, it’s not worth worrying about.
But that doesn’t mean you can stop worrying completely.
Malware doesn’t target you specifically … it targets anyone who’s
Identity thieves don’t target you specifically … they’ll happily take the
identity of anyone that they can.
Burglars don’t target you specifically … they’ll break into and steal
from anyone, from whichever home or resource they find
You still want to make sure that the “anyone” isn’t you.
No matter how uninteresting you may be.
The under-estimated risk: impersonation
In my opinion, the real risk that most people neglect to think about is
It’s easy to think about the files that you keep in your folders and not
really care about documents or photos getting into the hands of a stranger. And
that’s often a pretty fair assessment, as it really does come back to the fact
that in general, we’re just not that interesting as individuals and we do (for
the most part) have a sense for the relative risks associated with what we
It’s all that other information that I mentioned above that we might not realize
is being kept that makes things less obvious.
For example, it might be possible to log in to one of your online accounts
as you with information scavenged from your computer.
That’s a whole different scenario. Now, someone can pretend to be you and
start scamming your friends and contacts (information also scavenged from your
machine or from the online accounts that they’re able to access).
Or worse, you could become a victim of identity theft.
What you do control
You don’t control the information that’s stored on your machine as you use
it (at least not in any absolute sense) and certainly not in any simple or
However, you can control access to the machine.
There are several ways:
Physical Access: This is one that a lot of people take for
granted, until their computer is stolen. Most of us believe that our computers
at home are fairly physically secure and immune from random people walking up
and using the machine. That’s often fairly true, but also often not absolute –
especially in the face of burglary. Another of my frequent statements is “If
it’s not physically secure, it’s not secure”.
Remote Access: By and large, most machines’ default
configurations disable remote access, and most remote access solutions require
some kind of password, but this is something important to at least consider if
you use remote access.
Malicious Access: Malware is something we control to a
point. By that, I mean that it’s something that we, by virtue of understanding
stay safe on the internet, control through the use of appropriate
counter-measures, such as firewalls and anti-malware software, as well as our
The degree to which you feel comfortable not password-protecting your
machine should be a function of how well you’ve protected yourself from those
scenarios in other ways.
Machine passwords are not absolute, by any means. Anyone with physical
access and a little bit of knowledge can
reset the administrator password on a Windows machine. Once it reaches your machine, malware is often (although not always) past the point of needing a
But a password on your Windows machine can provide an important roadblock
keeping many intruders at bay.
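A read-only check of the settings behind the access paths above, as an added example that is not part of the original article. It assumes Windows 10 or 11 with the built-in LocalAccounts and NetSecurity PowerShell modules, run from an elevated prompt; the helper name and finding labels are chosen here for illustration.

```powershell
# Added example: reports on logon, remote access and firewall settings.
# Nothing is changed on the machine; every call below only reads state.

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$findings = [ordered]@{}

# Automatic logon: a reboot lands on the desktop with no password prompt.
$findings['Auto-logon enabled'] =
    (Get-RegValue $winlogon 'AutoAdminLogon') -eq '1'

# When auto-logon is set up through the registry, the password can sit
# here in plaintext, readable by anyone with administrative access.
$findings['Plaintext logon password stored'] =
    $null -ne (Get-RegValue $winlogon 'DefaultPassword')

# Enabled local accounts that are permitted to have a blank password.
# (PasswordRequired = False means "may be blank", not "is blank".)
$findings['Enabled accounts not requiring a password'] =
    (Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }).Name -join ', '

# Remote Desktop: fDenyTSConnections = 0 means inbound RDP is accepted.
$findings['Remote Desktop enabled'] =
    (Get-RegValue $ts 'fDenyTSConnections') -eq 0

# Network Level Authentication forces credentials before a session starts.
$findings['RDP requires Network Level Authentication'] =
    (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1

# Any firewall profile (Domain, Private, Public) that is switched off.
$findings['Firewall profiles disabled'] =
    (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }).Name -join ', '

[pscustomobject]$findings | Format-List
```

An empty value on the account or firewall lines means nothing was found for that check.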
What I do
My desktop machine has no password. Reboot and it logs in as me.
Now, before you go calling me a hypocrite, I will point out that this was not
a decision made lightly. I have considered all the ramifications for
the access scenarios that I’ve listed above.
Physical: While I suppose that I’m at some risk for burglary like anyone
(although the dogs and the alarm system may have something to say about that),
very few people wander through my home and fewer still my office.
Remote: I do run Remote Access software and have taken steps to ensure that
not only is my firewall set up properly, but the Remote Access software itself
is set securely and requires a password to actually grant access.
Malicious: Given how often I write about it and think about it, I’m almost
required to be the “poster boy” for staying safe online. Anti-malware tools
running and good online behavior are the order of the day.
There’s one additional step that I’ve taken that adds a layer of security to my
Reboot my machine and the vast majority of what I consider my important data
is still not accessible. In order to access the most sensitive data, a thief
would need to enter not just a password, but a pass phrase.
Finally, my laptop – the machine I actually take with me when I travel and
stand the highest probability of losing – is password protected.
And TrueCrypt protected as well.
If the risk of theft is high and particularly if the cost of theft
is high, you might consider something similar or go even further with
whole-disk encryption and/or a BIOS password.