Maybe like a cheap padlock.
The security provided by a Windows login password is highly overrated.
It doesn’t protect you from many of the things that you’ve mentioned, and it’s pretty darned easy to circumvent.
You should probably have one, and with the migration to Microsoft accounts, you’ll need one (though you can still log in automatically); just be aware of what it gets you and (especially) what it doesn’t.
Is your Windows login secure?
Your Windows login doesn’t really protect your computer’s contents from theft. While it will keep honest people honest, it’s not a comprehensive security tool. Instead, rely on things like physical security, encryption, and other best practices for staying safe.
The biggie: theft
If someone takes your computer, they don’t need your password.
There are several approaches a thief can take to compromise your computer and/or steal your data.
- They may be able to set a new administrator password and then do whatever they please. I’ve Lost the Password to My Windows Administrator Account, How Do I Get It Back? has the technique.
- They may be able to boot from something other than the hard drive, run a different operating system, and then access the contents of your hard disk.
- They may be able to remove the hard disk from your machine and access its contents on another computer.
The lesson is simple: having a password on your Windows login gets you zero security should your computer be stolen.
Or put the way I usually put it: if your computer’s not physically secure, it’s not secure.
What a Windows log-in password does get you
Not much.
I view the Windows login as a cheap padlock. It keeps honest people honest and prevents a few mistakes, but is not much of a deterrent to someone who’s really intent on breaking in.
I don’t see how it slows down malware infections since those happen when you’re already logged in, using a password or not. The only scenario slightly impacted might be malware trying to get administrative privileges. If there’s no administrator password, perhaps it could. But that scenario seems rare, especially given that the true “Administrator” account is disabled by default and UAC is enabled for all other accounts.
Login passwords are useful, and perhaps even required, for some things:
- Preventing unauthorized access to your files by other computers on your local network.
- Allowing authorized access to your files when using other computers on your local area network.
- Signing into your desktop computer remotely.
My Windows machines all have log-in passwords for two reasons:
- I now use Microsoft accounts for all, which requires a password.
- I want to be able to log in using Remote Desktop.
On machines I don’t expect to travel with, I typically have automatic login turned on so I still don’t have to enter the password.
I do not password my Windows login for any serious security.
Do this
So if the Windows login doesn’t make your data secure, what does?
Particularly for portable computers you take with you, the most important things you can do are:
- Enable BitLocker whole-disk encryption.
- Do not enable automatic login.
You might also consider those steps for desktop machines where you can’t control physical security. If anyone can walk up to the machine, they can do anything.
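The two checks above can be verified from an elevated PowerShell prompt. The script below is an added audit example, not part of the Ask Leo! article; it assumes Windows 10/11 with the BitLocker module available (Pro/Enterprise) and reads the Winlogon registry key that holds the automatic-login setting.

```powershell
# Added example (not from the article): audit the "Do this" list on the local PC.
# Assumes an elevated prompt; Get-BitLockerVolume is absent on Home editions.

# 1. BitLocker: every volume should be fully encrypted with protection turned on.
$volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
if (-not $volumes) {
    Write-Warning "BitLocker is not available on this edition; see the VeraCrypt note in the comments."
} else {
    foreach ($v in $volumes) {
        $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
        "{0} {1,-20} protection={2,-3} {3}" -f $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus,
            $(if ($ok) { 'OK' } else { 'NOT PROTECTED' })
    }
}

# 2. Automatic login: Winlogon stores the switch, and when configured through the
#    registry the account password as well, in plain text under this key.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon
if ($props.AutoAdminLogon -eq '1') {
    Write-Warning ("Automatic login is ON for user '{0}'." -f $props.DefaultUserName)
    if ($props.PSObject.Properties['DefaultPassword']) {
        Write-Warning "DefaultPassword is stored in plain text in the registry."
    }
    # Remediation (uncomment to apply): switch auto-login off and drop the stored password.
    # Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
    # Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
} else {
    "Automatic login is off."
}
```

Run it on a laptop you travel with; a volume reported as NOT PROTECTED or an auto-login warning is exactly the condition under which a stolen machine needs no password at all.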
For all machines, then, staying secure comes back to our common list of best behaviors:
- Have good security software.
- Keep all your software — security, applications, and operating system — as up to date as possible.
- Be skeptical and on guard. That means not opening attachments you don’t expect and learning to recognize and not fall for phishing attempts.
- Back up religiously.
But definitely don’t assume that the Windows login really helps.
I recently found how easy it was to reset the password on Windows 7. My father purchased a new 7 computer and before he could write down his password, he forgot it. I Googled it and found a place that would sell me the software to unlock 3 machines for 19 dollars. I paid the 19, burned the download to a disk and in 3 minutes had reset his password. I left the disk with him in case it happens again. I did not realize that it was that easy. Now we know.
31-Mar-2010
The only time it’s useful is when you’re part of a network of other computers and that there are other people.
You should have at least a basic password on an account. This will at least stop anyone from entering your computer via the network or from physically logging in to your computer. Also, unlike Leo, most people don’t have a clue as to what a firewall is.
If you have children in the house and are concerned that they would destabilize your computer then have a password.
People of technical know-how already know that having a passwordless system would jeopardize the system if your firewall or network security goes down.
But as Leo says when the computer is stolen there is nothing that would protect it.
Windows passwords are not worth the Post-it notes you write them on. There are a number of readily available, perfectly legitimate tools that will find and remove passwords. I often use alternative Operating Systems like Linux Puppy or Ultimate Boot CD to retrieve gigabytes of data from Windows machines that have become infected or corrupted in some other way. Boot from either of these two options, and the security provided by your Windows password simply ceases to exist. Your Windows password protects you from honest people, but that’s about it.
Thanks Leo, that’s very useful and informative. I just rely on the W7 password to stop other people in the house using my machine. If it gets stolen I’m not that bothered. My data is backed up and at another location, so even if the place burns down I’ve still got my iTunes!!!!
BitLocker only works on Professional versions of Windows and not the Home version I believe most people reading this article are using. You can use VeraCrypt for whole-disk encryption. It’s absolutely free for all usage, including commercial use.
There are VeraCrypt versions available for Mac and Linux.
There are a few things I do to make my computer physically more secure. I have a Microsoft account, but I have made it password-less so there is no password to hack. I use Windows Hello with a fingerprint scanner for logins (and a locally stored PIN in the event something goes wrong with the fingerprint scanner). I have BitLocker-encrypted all the Windows partitions on my PCs. I have enabled password protection for access to my UEFI system (also locally stored) using a passphrase I will never forget.
You may be able to steal my computer(s), but you will never be able to steal my data, at least you will not be able to access it on the hard drive. My laptops are configured to lock the screen after five minutes or when the lid is closed, and I close the lid when I’m not actively using my laptops. If you get my desktop, it will have to be powered down for you to take it. You will never get back into it after you power it up again, at least not without my passphrase to access my UEFI, or my fingerprint/pin to log in. Even if you put my drive(s) on another computer, since they are encrypted, you will get nothing. In a worst-case scenario, you (the thief) will waste a lot of time, effort, and risk to get nothing more than the hardware.
Windows stores its activation code somewhere on my computer so when/if I do a clean install, Windows will be ‘automatically’ activated afterwards. I would like it if Microsoft required that the same Microsoft account be used, or a valid activation code be entered for activation to succeed. Then, a thief would not be able to do a clean install of Windows and use or sell my PC unless (s)he had a valid activation code (not an impossibility, but then at least it would cost the thief something).
I have enabled 2FA on all my accounts that support it using Microsoft Authenticator. I use Windows Defender as my antimalware suite. Currently, it is rated among the best antimalware apps: https://www.neowin.net/news/microsoft-defender-beats-out-several-heavyweight-rivals-in-the-latest-av-test-ranking/. None of these will make my computers impervious to intrusion or theft, but doing them and remaining very skeptical on the Internet may make me and my computers a hard enough target that the bad guys will move on to easier pickings. I can only hope.
Ernie
BitLocker-protected drives can be backed up. The resulting backup will be unencrypted by default, but most, if not all, backup programs allow you to encrypt your backups.
How do I back up my encrypted data?
The article I linked to is old and TrueCrypt is no longer supported. All of the same things apply to VeraCrypt and the whole disk encryption