Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What Can a Computer Thief See If I Password Protect My Windows Sign-in?

Thieves can see more than you might think unless you’ve taken additional steps.

Locked Computer

Password-protecting your Windows login does not protect your computer's data, particularly if the computer is stolen.
Question: My mid-tower computer was recently stolen in a burglary. The Windows system was password-protected at start-up. What files can be accessed by those trying to enter the system?

It takes a computer-savvy thief less than five minutes to gain access to everything on your computer.

Yep. Everything.

Everything you haven’t otherwise protected, that is.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

If your computer is not physically secure, it’s not secure. A thief can access data on your hard drive in several ways, removing it if needed. Besides physically securing the computer itself, encryption (of either entire drives, partitions, or individual files) protects its contents. BitLocker, VeraCrypt, and BoxCryptor are useful tools to protect information stored on your hard disk.

Physical security

There’s a fundamental concept that I remind people of from time to time. It’s simply this:

If it’s not physically secure, it’s not secure.

I bring that up in response to questions about sharing a computer or living space. People are sometimes concerned about what a roommate might or might not have access to when they’re not around. Most commonly, it applies to laptops and mobile devices.

The short version is that if someone has physical access to your computer, they can quickly access everything on it.

Of course, computer theft is the very definition of physical access.

Gaining access

There are several ways someone can access your computer’s contents:

  • They can reboot from a CD or USB thumb drive and reset the administrative log-in password. Here are the instructions:  I’ve Lost the Password to My Windows Administrator Account, How Do I Get It Back? The newer UEFISecure Boot” prevents this, if enabled.
  • They can reboot from a Linux live CD or thumb drive and access the contents of your hard drive without needing to log in to Windows at all. Again, “Secure Boot”, when enabled, is intended to prevent this.
  • They can remove the hard disk from your machine, connect it to another, and once again access the contents of your hard disk without needing to use the rest of your machine at all.

All that should be pretty scary, mostly because it is.

If it’s not physically secure, it’s not secure.

Keeping your data secure

So what do you do?

In your case, it’s too late. The computer has already been stolen. What’s important is knowing the data could be accessed by whoever has the machine. If you have confidential information on it, assume it’s been compromised. It may not be. It may not be yet. It may never be. But you must assume the worst.

There are three approaches to keeping your data secure.

  • Secure the machine.
  • Encrypt the hard drive.
  • Secure your data on the disk.

Secure the machine

Physically securing your machine includes bolting it down, attaching it to something with a security cable, or putting it in a locked room or cabinet. (Make sure the machine has enough ventilation if you put it in an enclosed space.)

These aren’t perfect solutions, as a very determined thief might still circumvent them, but they’ll at least stop the casual burglar by making it easier to steal something else.

Encrypt the hard drive

Encrypting the entire hard drive using whole-drive encryption protects the contents of your entire system.

With an encrypted hard drive, even moving the hard drive to a different machine doesn’t help a thief, because all they would see is random, nonsensical data.

There are two approaches to whole-drive encryption: system solutions and third-party tools.

System solutions (like BitLocker, for Windows1) use encryption keys based on your system login to encrypt the hard drive. If you can’t log in, then you can’t access your data. If you lose your log-in account for any reason, you can lose access to your data. You are encouraged to back up the encryption key separately, which would restore access.

Third-party tools like VeraCrypt also support whole-drive encryption. This is independent of your system login, and typically relies on selecting an appropriately secure passphrase to decrypt the drive and boot your system.

Important: In both cases, your data is fully secure only if you log out. As long as you are logged in and can access your data yourself, it’s available in unencrypted form. You may want to avoid Sleep and Hibernate, neither of which is an actual logout.

Also important: BIOS or other pre-boot passwords may or may not be a form of protection. Some, but not all, include hard disk encryption. You’ll have to check your system’s documentation to determine that for your specific machine.

Encrypt your data

The good news about whole-drive encryption is that once enabled, it’s pretty transparent. The bad news is losing access to your data can be a tad easier, and depending on the technique, completely encrypted drives can be somewhat less resilient to hardware failures.2

The compromise is to encrypt only parts of what you keep on the machine: your data.

To do that, I’d consider three approaches.

An encrypted partition. Rather than encrypting your entire hard disk, this uses whole-disk encryption tools like BitLocker to encrypt only a separate, non-boot partition on which you keep your data.

An encrypted vault. This uses VeraCrypt to create an encrypted “vault” that, when in use, looks like a separate partition.

An encrypted cloud folder. This uses a tool like BoxCryptor to perform file-by-file encryption of the contents of one or more folders on your machines. While intended to secure data you place in the cloud — you might even already be using it for that purpose — it secures that data on your machine as well. There’s no requirement to use a cloud service to use BoxCryptor to encrypt data.

It’s about more than your desktop

Everything I’ve described applies to more than your home computer. Yes, it could be stolen, but if you travel at all there’s a bigger risk:

Your laptop.

An incredible number of laptops are lost or stolen each year. They all contain data — often sensitive data — the thief or finder can then access. (Thankfully, most do not, as they’re more interested in reusing or reselling the hardware — but the risk of data exposure remains real.)

At a minimum, the techniques I’ve described above should be considered for any laptop or mobile PC. Applying the same techniques to your computers at home gives you added security from the same types of threats.

What I do

What I’ve done has changed over the years.

Originally, I used TrueCrypt to create an encrypted vault on my laptop, and placed all of my data in it. This was convenient for various reasons, mostly involving the ability to move data around on my various devices in pre-cloud days.

Today, I use a multi-pronged approach:

  • I use BoxCryptor to secure the data I place in my DropBox folders. The side effect is that this data is also encrypted on all the computers on which I choose to place it.
  • I use BitLocker whole-disk encryption on my laptop. This includes protecting myself by backing up data regularly and securing the encryption keys appropriately.
  • While I don’t currently, I have also used whole-disk encryption on my desktop.3

I’d also have no hesitation using VeraCrypt, TrueCrypt’s supported successor, if a scenario called for it.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: Or FileVault on a Mac.

2: Yet another reason to ensure that you’re backing up everything regularly.

3: Honestly, it was an oversight when I set up my current machine. I may turn it on at some point.

32 comments on “What Can a Computer Thief See If I Password Protect My Windows Sign-in?”

  1. I find this password protection akin to that lock on the door of your home. Enough protection against a casual passerby but pick-able to a seasoned burglar. And of course total annoyance to you when you have forgotten the key.

    I totally agree with Leo that encryption is the real protection but would add that do not leave the key on the machine itself. And don’t forget it either. Encryption works better when the key is long and not easily guessable and that includes using difficult but words in a common dictionary. That is a real temptation to leave the key somewhere near by defeating the purpose.

    Goes on to prove that it is not easy to protect your possessions.

    Reply
  2. This is one reason I don’t leave my passwords for online services (like my e-mail account) on my computer. That means I have to type them in when I access those services, but no one would automatically get access just because they stole my computer.

    I have used WinZip to archive things with it’s password, and I’ve had occasion to try to break some of my old, forgotten passwords from those archives. While it is possible to do so, it probably wouldn’t have been possible if I hadn’t had additional knowledge about what was in the archives. So, I guess it gets a mixed review as a protection scheme.

    TrueCrypt sounds like a good option and I’ll have to try it.

    Thanks for the info, Leo!

    Reply
  3. There is a third option, you can install a hard drive drawer (hard drive mobile rack). Envision a drawer in your kitchen. It slides on rails installed in the cabinet. You can remove the drawer from the cabinet and carry it wherever you like. You can slide a different drawer into the cabinet or reinstall the original. You can do the same with your computer. You install the slide rails in an empty bay, install your HD in a removable drawer (insert), and you can remove your HD at will (when the computer is off). Now you can lock your HD, and your encryped data, etc., in your floor safe, or hide it somewhere. Kingwin and others make them; TigerDirect and many others carry them; just google it.

    This has other advantages. You can have a Linux HD, a Vista HD, a Win98 HD, etc. Your spouse can have their own HD, each child can have their own HD, your grandkids can have one. Never again will the grandkids mess up your HD when you let them play games on the computer. They’ll have their own HD to mess up.

    Reply
  4. Identity and password theft is very common those days, bringing loss to individuals and companies. Hackers sit for hours and hours trying to break passwords to log into your private accounts stealing important information such as credit card numbers among others. Now there are sofisticated tools for such tasks making life easier for hackers. It is easy to guard yourself against password and identity theft if you follow some very easy and simple steps.
    To avoid identity and password theft, we should use complex and different passwords for all of our accounts. Then comes the importance of a password manager. Use a safe password manager like EXQUIPASS to remember those complex passwords. Also we should keep in practice changing our passwords every week or every fortnight. For that, we definitely need a password manager. I prefer Exquipass since it is straight forward and secure. Link for this is: http://www.exquisysltd.com/productinfo.php?p=DA01EX
    With a tool like Exquipass, you can leave your password file everywhere, nobody will be able to get your passwords even if it is left on your computer. It strongly encrypts your private data and the best way to protect sensitive is definitely encryption.

    Reply
  5. I find it hard to believe that the admin password can be changed from safe mode? But what if the system setup is password protected and booting from anything other than the HD is disabled?
    My PC was just recently stolen and I’m hoping that having the system setup pword protected, windows admin pword protected, and most of my folders windows encrypted, will at least make it hard enough that they will give up? My understanding is that if they can’t get into setup, then they wont be able to boot from the CD and run anything that will llow them to view files etc???

    They could remove the hard drive and place it into a machine that is not BIOS password protected, and then use a administrator password reset utility to gain administrative access to the contents.

    Leo
    25-Sep-2010

    Reply
  6. Quick followup question: Suppose I have legitimate full disk encryption enabled (one way or another) and I step away from my computer for a moment. The screensaver activates. A thief takes the computer and tries to get past the screensaver password prompt.

    Is the data still safe in this scenario? I’m guessing this is a bit of a stupid question, but it’s because I don’t understand some aspects of individual-file vs. whole disk encryption.

    Thanks!

    Reply
  7. @JBL
    If the thief gets through the screensaver password without turning the computer off, it’s possible that he can access your files depending on the encryption settings.

    Reply
  8. One thing I’d add that you should do after you’ve had your computer stolen: change the passwords to all of your important internet accounts. In most cases, this probably is overkill, but you never know if you have the passwords residing somewhere on your drive.

    Reply
  9. Absolutely everything on my computers are in Dropbox. I realise that this would be accessible once a thief got into my system but if I was able to change the Dropbox password very quickly would this do the job?

    Reply
    • Changing your Dropbox password quickly is definitely something you’d want to do and would prevent others from accessing. That said, most people have local folders synced with Dropbox, meaning the files are both on the laptop/PC *and* Dropbox. If this is your case, then the thief still has access to the files themselves. Unless, as Leo stated, you have your local files encrypted.

      Reply
  10. The chances are just as good that the thief just wants to fence the hardware and stealing your identity etc isn’t as important as wiping it and selling it to somebody cheap where it ends up on Craigslist as a ‘refurbished computer’. Fencing the physical hardware is a lot less risky than going through the trouble involved in extracting your identity vs. just breaking it up for parts sales or wiping, I would stand to bet.

    Think of the jail time for ID theft compared to petty theft (or is it petit? I’m not Perry Mason, although one of my classmates was the chief of police for over 20 years).

    Reply
  11. Chromebook and a good password. Even if you lose the device, you get to keep your data.

    Remember, it’s not the device that has the value, it’s the data your device contains that’s the really important stuff.

    Reply
  12. My data is stored on CCD hard drives. CCD’s produce neglible heat so they do not need cooling and therefore operate in an enclosed space. My hard drives are located in a locked, fire proof safe bolted to an external wall and are accessed using simple extension cables that pass through small holes drilled in the safe (of course some cutting and joining of cables is required to keep the access holes to minimal size so as not to compromise the fire proofing of the safe). If my computer is stolen, or the house burns down, only the hardware (minus hard drives) is lost; the data and the discs are in the safe from all but extreme circumstances.

    Reply
  13. WOW, someone else as diehard as I am – put the drives in a SAFE!
    I did that; western digital MyCloud, and also an attached USB drive.

    I use Syncovery, a synchronization program which can encrypt/zip the destination files, so even if they broke into the safe, the files are encrypted.

    I use Bitlocker on newer windows 10 machines, for encryption; I use Veracrypt for some external USB drives.

    for people that state that encryption/protection is hard; it is only inversely as hard as your desire to protect your data. if you put in redundant backup methods, with encryption on that end also, such as zipped files, drivecrypted files, etc, keep your bitlocker password/file stored separately, keep passwords in a password manager program such as KeePass, you’ve done everything you can to protect yourself up to an Electromagnetic Pulse attack !

    it is a pain sometimes to follow all this stuff, but the reason you ahve to do this is not because of you or your use of the machines, but because of the scammmers/hackers/thiefs that want to steal your data. So, if your data is valuable (and PHOTOS are valauable, if a ransomware attack screws up your photo collection, you lose family photo’s), then you need to take steps to protect it.

    but once you get into the habit, it is not too bad

    Reply
  14. My family think I’m paranoid because I take my laptop with me every time we leave the house. If someone remains at home, i might leave the laptop, but take my flash drive which has a copy of everything on the laptop.

    We have other laptops which remain in the house sitting very visibly on the table, despite the fact we have previous experience of laptop theft from the same location. No one is listening. They prefer the convenience of starting back just where they left off without having to set up and log back on again.

    Reply
  15. As a disabled (TBI) victim of “ID-THEFT”, I wish to ask Leo a VERY SPECIFIC question about someones’ mal-intentions in taking a picture of my PC during the “boot-up” phase & most certainly would make a pledge. My financial institutions accounts compromised numerous times this year tell me he wasn’t “HELPING” me but perhaps himself & if the answer(s) lead to arrest I would more than pledge as ever since I saw your site I have been looking for it 3 months! I will pledge regardless just to hear your feedback as I was deceptively taken advantage of when the person knows my disability and I now have heard there is a pattern here. I ask your personal feedback 1st and not to be published please. Respectfully, FRUSTRATED IN CT (Attorney & FTC involved)

    Reply
  16. Is there any way to TRULY wipe a hard drive (or any kind of storage device) because ALL current systems of data I know of only OVERWRITE every thing with random characters?
    That results in loss of total storage capacity of the hard drive or storage device.

    Reply
    • Wiping doesn’t use up any of the drive’s storage capacity. The only safe way to wipe a hard drive is to overwrite the drive with random characters. When this is done, the overwritten space is made available to the system to write new files.

      Reply
        • Drilling holes will also work but a few passes with DBAN or other disk wiping tools will also do the job. If you’re paranoid, make it 7 or more passes but for most people, one pass will do.

          Reply
  17. My laptop was held for Ransomware last week by a individual who passed himself off as a technician with Acer. I had to agree to
    pay him to be able to access my computer He has threatened me that if I do not pay he will prevent me to be able to access my
    laptop. My question is can he still have access to the computer if it is locked and not connected to the Internet. I removed it from
    the Internet. I just purchased this laptop in April 2018 and invested a good amount in it. I al also getting my Internet provider to
    change my IP address as a precaution. My question for you is can anyone access the computer if it is locked and not connected
    to the Internet

    Reply
    • As long as you remove the malware, he won’t be able to access your machine. Unfortunately the only way to be 100% sure the malware has been removed it to do a complete reinstall of Windows and all of your programs from scratch.
      https://askleo.com/how_do_i_remove_malware/

      To reinstall Windows, take a system image backup, perform a reformat and install of Windows, install all of your programs from their installation media, and finally, copy all of your usable data files from the backup. If they’ve already been encrypted by the malware, there’s no need to restore them because they’re unrecoverable.
      https://askleo.com/how-should-i-back-up-my-computer-before-an-operating-system-upgrade/

      Once everything is restored, do a system image and daily incremental backups to be able to recover from almost anything which can happen to pour computer.

      If you had a system image backup, you would have been able to restore to a point before the malware was installed.

      Reply
    • It depends on the ransomware, but typically once your computer has been infected by this malware it doesn’t matter if you’re online or off. When it’s not connected to the internet it cannot be connected to via the internet.

      Reply
    • I was threatened by some faker a couple of months ago – they said they had installed some malware when I had visited a porn site, and that malware enabled them to turn on my PC camera and video me pleasuring myself. It was a random email sent out to thousands, because I had never visited a porn site, and even funnier – I don’t have a camera on my PC (well I do, but it has to be hooked up and it is not). Sometimes these are just idle threats sent out to masses of people to see who might pay…

      Reply
  18. Laptop theft: Likely for resale BUT buyers request laptops from hotels & restaurants around Hi-Tech hubs … Cupertino, Dallas-Ft. Worth, etc. They’re seeking sensitive / classified data. Akin to buying used home printers & fax machines to steal personal info off the drives. Beware.

    Reply
  19. I have 2 laptops, a Dell and a HP, that have BIOS passwords set. One password is used for starting up, the other is the admin password for changing BIOS settings.
    My understanding about BIOS passwords is that if forgotten, it requires replacing the laptop motherboard. A couple of months ago, I tried asking a question on the HP Support Community about BIOS passwords. I found out quickly that it is a forbidden topic. (Moderators from HP will lock out the question, requiring some thought in wording the question to get around it.) It was during a spirited discussion that I found out about the motherboard replacement. The Dell community was a little more open to talking about BIOS passwords, with them also saying that it would require replacing the motherboard.
    Bottom line is if you decide to set a BIOS password on a laptop, do not forget it. Once powered down, it requires the password to be entered before the laptop even boots into the operating system when powering back up. If you use one, shutdown the machine when leaving it unattended. If it does happen to get stolen, it will end up as a nice paperweight for whoever gets it. Same goes for encrypting the drives in the laptop, as well.

    Reply
  20. Years ago (15 years ago maybe), I used VeraCrypt on my XP box. I had good luck with it. My current PC (Windows 7 – soon a Windows 10) has a lot of sensitive data on it. I’ve been thinking about using VeraCrypt again on a folder that contains sensitive data. Something in the back of my mind keeps asking, “Suppose VeraCrypt stops working, like, if there’s a bad spot on the disk where the VeraCrypt program resides”. Leo… can you help me (somehow) to overcome my hesitation with using VeraCrypt or a similar program? I also use Carbonite and EaseUsTodo, but the data there would be encrypted as well.

    Reply
  21. Does boxcryptor help if my laptop gets stolen? I understand that my files are encrypted and safe if my cloud provider has security issues. However, if my laptop gets stolen, my data/files are at risk, right? If the thief has access to my hard drive, he/she will see both the encrypted and the decrypted version of my files (because this is the way Boxcryptor works), correct?

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.