Maybe like a cheap padlock.
The security provided by a Windows login password is highly overrated.
It doesn’t protect you from many of the things that you’ve mentioned, and it’s pretty darned easy to circumvent.
You should probably have one, and with the migration to Microsoft accounts, you’ll need one (though you can still log in automatically); just be aware of what it gets you and (especially) what it doesn’t.
Is your Windows login secure?
Your Windows login doesn’t really protect your computer’s contents from theft. While it will keep honest people honest, it’s not a comprehensive security tool. Instead, rely on things like physical security, encryption, and other best practices for staying safe.
The biggie: theft
If someone takes your computer, they don’t need your password.
There are several approaches a thief can take to compromise your computer and/or steal your data.
- They may be able to set a new administrator password and then do whatever they please. I’ve Lost the Password to My Windows Administrator Account, How Do I Get It Back? has the technique.
- They may be able to boot from something other than the hard drive, run a different operating system, and then access the contents of your hard disk.
- They may be able to remove the hard disk from your machine and access its contents on another computer.
The lesson is simple: having a password on your Windows login gets you zero security should your computer be stolen.
Or put the way I usually put it: if your computer’s not physically secure, it’s not secure.
What a Windows login password does get you
I view the Windows login as a cheap padlock. It keeps honest people honest and prevents a few mistakes, but is not much of a deterrent to someone who’s really intent on breaking in.
I don’t see how it slows down malware infections since those happen when you’re already logged in, using a password or not. The only scenario slightly impacted might be malware trying to get administrative privileges. If there’s no administrator password, perhaps it could. But that scenario seems rare, especially given that the true “Administrator” account is disabled by default and UAC is enabled for all other accounts.
Login passwords are useful, and perhaps even required, for some things:
- Preventing unauthorized access to your files by other computers on your local network.
- Allowing authorized access to your files when using other computers on your local area network.
- Signing into your desktop computer remotely.
My Windows machines all have log-in passwords for two reasons:
- I now use Microsoft accounts for all, which requires a password.
- I want to be able to log in using Remote Desktop.
On machines I don’t expect to travel with, I typically have automatic login turned on so I still don’t have to enter the password.
I do not password my Windows login for any serious security.
So if the Windows login doesn’t make your data secure, what does?
Particularly for portable computers you take with you, the most important things you can do are:
- Enable BitLocker whole-disk encryption.
- Do not enable automatic login.
You might also consider those steps for desktop machines where you can’t control physical security. If anyone can walk up to the machine, they can do anything.
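The two steps above can be checked on a Windows 10/11 machine from an elevated PowerShell prompt. The script below is an added example for auditing your own machines; it is not from the Ask Leo article. It assumes the BitLocker PowerShell module is present (it ships with the Pro and Enterprise editions) and reads the same Winlogon registry values that the netplwiz "automatic login" checkbox writes. Function names are my own.

```powershell
# Added audit script (not from the Ask Leo article). Assumes Windows 10/11 with the
# BitLocker PowerShell module and an elevated (administrator) prompt.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    # These are the values netplwiz (or a manual registry edit) sets for automatic login.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon        = ($props.AutoAdminLogon -eq '1')
        DefaultUserName       = $props.DefaultUserName
        # A DefaultPassword value means the account password sits in the registry in plain text.
        PlaintextPasswordKept = -not [string]::IsNullOrEmpty($props.DefaultPassword)
    }
}

function Get-OsVolumeEncryptionState {
    $osDrive = $env:SystemDrive   # normally C:
    try {
        $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
        [pscustomobject]@{
            MountPoint       = $osDrive
            ProtectionStatus = [string]$vol.ProtectionStatus   # On / Off
            VolumeStatus     = [string]$vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            KeyProtectors    = ($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', '
        }
    } catch {
        # Home edition or module missing: report it rather than silently passing the check.
        [pscustomobject]@{
            MountPoint       = $osDrive
            ProtectionStatus = 'Unavailable'
            VolumeStatus     = $_.Exception.Message
            KeyProtectors    = ''
        }
    }
}

function Test-PortableMachineHardening {
    # Returns findings for the two controls that matter when the machine leaves your sight.
    $logon = Get-AutoLogonState
    $enc   = Get-OsVolumeEncryptionState
    $findings = @()

    if ($enc.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is not on for $($enc.MountPoint); the disk can be read from another OS or another machine."
    }
    if ($logon.AutoAdminLogon) {
        $findings += "Automatic login is enabled for '$($logon.DefaultUserName)'; the login screen is bypassed entirely."
    }
    if ($logon.PlaintextPasswordKept) {
        $findings += "DefaultPassword is stored under Winlogon in plain text."
    }

    [pscustomobject]@{
        Encryption = $enc
        AutoLogon  = $logon
        Findings   = $findings
        Hardened   = ($findings.Count -eq 0)
    }
}

function Disable-AutoLogon {
    # Undoes the netplwiz automatic-login setting and removes any stored plaintext password.
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
}

# Usage: run the audit and print the result.
Test-PortableMachineHardening | Format-List
```

If the audit reports BitLocker as off, turning it on is a deliberate step rather than something to script blindly: `Enable-BitLocker` needs a TPM or password protector plus a recovery password that you store somewhere other than the laptop, because without that recovery key a forgotten PIN or a motherboard swap means the data is gone for good. `Disable-AutoLogon` is safe to run as-is; it only flips the machine back to prompting for the password at sign-in.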
For all machines, then, staying secure comes back to our common list of best behaviors:
- Have good security software.
- Keep all your software — security, applications, and operating system — as up to date as possible.
- Be skeptical and on guard. That means not opening attachments you don’t expect and learning to recognize and not fall for phishing attempts.
- Back up religiously.
But definitely don’t assume that the Windows login really helps.