No Windows Password - Good/Bad?


Posted on Thu Jun 06, 2013 12:21 pm

I'm having a hard time finding the answer to this question using Google searches. Basically, the title says it all. Does not setting a password to log on to Windows make you vulnerable to security attacks? I typically don't set passwords on my desktop machines that stay in my house at all times. I do set passwords on my portable devices though.
i5-3570K, ASRock Z77 Pro4-m, Asus GTX660 TOP, 120 GB Vertex 3 Max IOPS, 2 TB Samsung EcoGreen F4, 8GB G-Skill @1.25V, Silverstone PS07B
DPete27
Gerbil Jedi
Silver subscriber
 
 
Posts: 1679
Joined: Wed Jan 26, 2011 12:50 pm
Location: Madison, Wisconsin

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 12:34 pm

As long as you don't store any sensitive information on your machine, it's not that big a deal. But you should probably set a password anyway. And if you are storing sensitive info on your machine, you not only need a password but some drive encryption as well.
Dell XPS 8100 - Core i7 860 - 8GB DDR3-1333 - Gigabyte HD 7850 - 1.5TB 7200rpm HDD - Acer 20" LED monitor (1600*900) - 350W PSU
ultima_trev
Gerbil
 
Posts: 82
Joined: Sat Mar 27, 2010 11:14 am

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 1:57 pm

My rule of thumb:

Desktop: No password.
Laptop: Password.
Work Computer: Password.
Carpe diem quam minimum credula postero
sid1089
Gerbil Team Leader
 
Posts: 290
Joined: Wed Jul 26, 2006 4:56 am

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 2:08 pm

For outside hackers gaining access to your system, it's not going to make any difference: typically those attacks are vectored through software you install (mistakenly, inadvertently, or unknowingly) and of course that installation happens after you're already logged in. So it doesn't really have any impact on remote access.

The Windows password (as far as the local machine is concerned -- i.e., assuming you're not actually logging into a domain, etc) is essentially intended to keep other local users out. If you're the only person who's going to sit down at that machine -- and it's not a laptop that might wander away -- your security isn't affected in any practical way by not having a password. However, if other users might use your machine, they should each have accounts and everybody should have passwords. And if other people might have access to your machine when you're not around -- roommates, friends of roommates, kids, etc -- you definitely want to have a good password. (Of course this only protects you from casual exploits / bad behavior like logging onto your Facebook account and posting something unfortunate, or visiting questionable websites, etc: if someone has physical access to your machine, they effectively have access to everything on that machine including any sensitive data and any logins you might have stored there, which is where drive encryption and other techniques start to matter, though physical access by untrusted actors is problematic even for the most security-conscious organizations).
UberGerbil
Gerbil Khan
 
Posts: 9993
Joined: Thu Jun 19, 2003 3:11 pm

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 4:24 pm

I set a password on my account even for systems at home. Bottom line is, I'm fairly confident that *I* practice "safe computing", but I don't necessarily trust everyone else in the household to do the same. Unless there's nobody else on your LAN (and how secure is your WiFi? maybe your neighbors are effectively on your LAN too...), or you've got file sharing (and any other services which could give someone else access over the network) disabled, you really should have a password.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 4:33 pm

To answer a few questions:
1) I don't feel as if anything on my computers would be particularly sensitive data. I keep paper and electronic copies of finance-related things locked in safes. I also keep computer backups on an external hdd.
2) It's only myself and the missus on our network. Obviously, once we have kids, I'll set passwords and (limited) user accounts.
3) My WiFi password looks to be a computer-generated random sequence of 9(ish) numbers provided by my ISP. I haven't bothered changing the password. Seems pretty secure to me.
i5-3570K, ASRock Z77 Pro4-m, Asus GTX660 TOP, 120 GB Vertex 3 Max IOPS, 2 TB Samsung EcoGreen F4, 8GB G-Skill @1.25V, Silverstone PS07B
DPete27
Gerbil Jedi
Silver subscriber
 
 
Posts: 1679
Joined: Wed Jan 26, 2011 12:50 pm
Location: Madison, Wisconsin

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 5:15 pm

DPete27 wrote:To answer a few questions:
1) I don't feel as if anything on my computers would be particularly sensitive data. I keep paper and electronic copies of finance-related things locked in safes. I also keep computer backups on an external hdd.

Does your (unprotected) account have admin privileges? If so, you're susceptible to drive-by malware installs. Which in turn makes you vulnerable to identity theft via keyloggers and rootkits if you ever use your computer to conduct *any* sensitive business, regardless of whether you store any of it on the internal hard drive. (HTTPS doesn't protect you here, since keyloggers and rootkits can intercept the data before it gets encrypted for transmission over the HTTPS connection.)

DPete27 wrote:2) It's only myself and the missus on our network. Obviously, once we have kids, I'll set passwords and (limited) user accounts.

Ahh, OK. So this unprotected account DOES have admin rights.

DPete27 wrote:3) My WiFi password looks to be a computer-generated random sequence of 9(ish) numbers provided by my ISP. I haven't bothered changing the password. Seems pretty secure to me.

Except that someone at your ISP probably has a record of it, and that record may even indicate the name and address of the customer it was issued to. Your ISP's subscriber database can be hacked, or (more likely) stolen by a disgruntled employee and sold to the highest bidder. Having an extra layer of password protection at least puts the WiFi security under your control, instead of trusting your ISP to keep their records safe. At the very least, you need to change the default WiFi password.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 5:28 pm

It takes a couple of seconds to type your password and press enter. Why risk it?
slowriot
Gerbil First Class
Gold subscriber
 
 
Posts: 157
Joined: Wed Apr 03, 2013 10:57 am

Re: No Windows Password - Good/Bad?

Posted on Thu Jun 06, 2013 7:39 pm

sid1089 wrote:My rule of thumb:

Desktop: No password.
Laptop: Password.
Work Computer: Password.


This is the way to do it, unless your system is available to other local users. A basic Windows password is effectively zero protection against any sort of attack because the filesystem itself is out there for all to see and play with. BitLocker is a bit more useful but it only protects you against the hard drive being stolen; once it's powered up and decrypted, anyone who sneaks on can access whatever.
NovusBogus
Gerbil Elite
 
Posts: 520
Joined: Sun Jan 06, 2013 12:37 am

Re: No Windows Password - Good/Bad?

Posted on Fri Jun 07, 2013 8:31 am

just brew it! wrote:Does your (unprotected) account have admin privileges? If so, you're susceptible to drive-by malware installs. Which in turn makes you vulnerable to identity theft via keyloggers and rootkits if you ever use your computer to conduct *any* sensitive business

Not sure I understand how having a Windows log-in password will protect me from keyloggers and rootkits? Those things sound like something that a firewall and/or virus protection handles.
i5-3570K, ASRock Z77 Pro4-m, Asus GTX660 TOP, 120 GB Vertex 3 Max IOPS, 2 TB Samsung EcoGreen F4, 8GB G-Skill @1.25V, Silverstone PS07B
DPete27
Gerbil Jedi
Silver subscriber
 
 
Posts: 1679
Joined: Wed Jan 26, 2011 12:50 pm
Location: Madison, Wisconsin

Re: No Windows Password - Good/Bad?

Posted on Fri Jun 07, 2013 11:13 am

DPete27 wrote:
just brew it! wrote:Does your (unprotected) account have admin privileges? If so, you're susceptible to drive-by malware installs. Which in turn makes you vulnerable to identity theft via keyloggers and rootkits if you ever use your computer to conduct *any* sensitive business

Not sure I understand how having a Windows log-in password will protect me from keyloggers and rootkits? Those things sound like something that a firewall and/or virus protection handles.

If you run with admin privileges and no password, anything that gets past your AV can install itself without you realizing anything is amiss. I agree, the password doesn't protect you once the malware is already in.

Firewall doesn't protect you from drive-by malware downloads at all, since the malware is typically attached to a web page that you visit on a compromised web site. Since you requested the page, the firewall automatically assumes the traffic is legit. Firewall only protects you from people actively trying to probe your network from outside.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: No Windows Password - Good/Bad?

Posted on Fri Jun 07, 2013 11:33 am

just brew it! wrote:If you run with admin privileges and no password, anything that gets past your AV can install itself without you realizing anything is amiss.

And having a Windows password prevents these malware that get around AV from installing on your computer without first entering (cracking) your Windows password?
i5-3570K, ASRock Z77 Pro4-m, Asus GTX660 TOP, 120 GB Vertex 3 Max IOPS, 2 TB Samsung EcoGreen F4, 8GB G-Skill @1.25V, Silverstone PS07B
DPete27
Gerbil Jedi
Silver subscriber
 
 
Posts: 1679
Joined: Wed Jan 26, 2011 12:50 pm
Location: Madison, Wisconsin

Re: No Windows Password - Good/Bad?

Posted on Sat Jun 08, 2013 5:13 am

Burglars exist. Why not have a password? My password's fricken' huge, and I type it every time. It's not that big of a deal.
Sagan: Phenom II X6 1055T + Xigmatek HDT-S1284 | 8 GB (2 x 4 GB) DDR3-1600 | 2 x 1 TB Hitachi HD31000 HDD | XFX Radeon HD 6850 + AC Accelero Twin Turbo Pro | ASUS Xonar DX | Silverstone Kublai KL04B
My HeatWare
The Great Graphics Card Warranty Thread
A_Pickle
Gerbil Elite
 
Posts: 719
Joined: Sun May 01, 2005 2:10 pm
Location: Fighting the mystery meat.

Re: No Windows Password - Good/Bad?

Posted on Sat Jun 08, 2013 2:34 pm

DPete27 wrote:
just brew it! wrote:If you run with admin privileges and no password, anything that gets past your AV can install itself without you realizing anything is amiss.

And having a Windows password prevents these malware that get around AV from installing on your computer without first entering (cracking) your Windows password?


I think he's envisioning malware executing a sudo or su in Linux to achieve privilege escalation. A blank password would aid that attack extensively.

UAC doesn't work the same way as sudo or su. Not having a password doesn't remove the effectiveness of preventing malware from auto-elevating through UAC.

Of course so many enthusiasts these days cut off UAC that odds are the discussion is irrelevant.

A_Pickle wrote:Burglars exist. Why not have a password? My password's fricken' huge, and I type it every time. It's not that big of a deal.


Burglars who steal your machine need not worry about your password. Odds are they just want to flip your machine and make money. Whoever buys it will probably just wipe it.

Say that they do want your information. They'll just modify the SAM database with tools like NTPasswd and carry out password hash replacement. You need whole disk encryption and a good password to protect your data. Even better is if your system supports Intel's Anti-Theft technology, but that is typically only available in laptops.

A password is a mild local protection. I think it's a good idea versus no password, but I wouldn't have any illusions about the level of protection it provides.

If the attacker can touch the machine, it's not going to end well.
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3558
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
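
The settings argued over above (which enabled accounts may have a blank password, whether they are administrators, and whether UAC still prompts) can be read directly from the machine. The following read-only audit is an added example, not part of any post in this thread; it assumes Windows PowerShell 5.1 or later, and the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
function Get-LogonPosture {
    # BUILTIN\Administrators by well-known SID, so non-English installs work.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value })

    $accounts = @(Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            IsAdmin          = $adminSids -contains $_.SID.Value
            # $false means a blank password is permitted, not that it is blank.
            PasswordRequired = $_.PasswordRequired
            # Empty when no password was ever set: a hint, not proof.
            PasswordLastSet  = $_.PasswordLastSet
        }
    })

    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    [pscustomobject]@{
        Accounts                 = $accounts
        # 1 = blank-password local accounts may log on at the console only,
        # not over the network (file sharing, RDP).
        BlankPasswordConsoleOnly = ($lsa.LimitBlankPasswordUse -eq 1)
        # 0 = UAC switched off entirely.
        UacEnabled               = ($uac.EnableLUA -eq 1)
        # 0 = administrators elevate without any prompt.
        AdminPromptBehavior      = $uac.ConsentPromptBehaviorAdmin
    }
}

function Get-LogonFindings {
    param([Parameter(Mandatory)] $Posture)
    $findings = @()
    foreach ($a in $Posture.Accounts) {
        if (-not $a.PasswordRequired -or -not $a.PasswordLastSet) {
            $role = if ($a.IsAdmin) { 'administrator' } else { 'standard user' }
            $findings += "Account '$($a.Name)' ($role) may have a blank password"
        }
    }
    if (-not $Posture.BlankPasswordConsoleOnly) {
        $findings += 'Blank-password accounts are allowed to log on over the network'
    }
    if (-not $Posture.UacEnabled) {
        $findings += 'UAC is disabled: processes of an admin user run fully elevated'
    } elseif ($Posture.AdminPromptBehavior -eq 0) {
        $findings += 'UAC elevates administrators without prompting'
    }
    $findings
}

$posture = Get-LogonPosture
$posture.Accounts | Format-Table -AutoSize
Get-LogonFindings -Posture $posture
```
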

Re: No Windows Password - Good/Bad?

Posted on Sun Aug 11, 2013 3:35 am

Agreed, it depends on who you live with, and how devious they are, consider listing your friends too. I have no password, cuz I doubt my 6 year old son will do too much, and the missus can use Facebook only.
td1353l
Gerbil
 
Posts: 27
Joined: Mon May 14, 2012 9:16 pm

Re: No Windows Password - Good/Bad?

Posted on Sun Aug 11, 2013 8:49 am

td1353l wrote:Agreed, it depends on who you live with, and how devious they are, consider listing your friends too. I have no password, cuz I doubt my 6 year old son will do too much, and the missus can use Facebook only.

You'd be surprised how much damage a small child (or toddler) can do! And I'm not even counting stuff like putting a slice of cheese in the DVD drive, giving the mouse a "drink", peanut butter in the USB ports, etc... :lol:

You're probably safe from food-related incidents now, at 6 he should know better. But he's probably more capable of doing unintentional damage to the contents of your hard drive if he's allowed on the system at all!
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: No Windows Password - Good/Bad?

Posted on Sun Aug 11, 2013 9:33 am

UberGerbil wrote:The Windows password (as far as the local machine is concerned -- i.e., assuming you're not actually logging into a domain, etc) is essentially intended to keep other local users out. If you're the only person who's going to sit down at that machine -- and it's not a laptop that might wander away -- your security isn't affected in any practical way by not having a password. However, if other users might use your machine, they should each have accounts and everybody should have passwords. And if other people might have access to your machine when you're not around -- roommates, friends of roommates, kids, etc -- you definitely want to have a good password. (Of course this only protects you from casual exploits / bad behavior like logging onto your Facebook account and posting something unfortunate, or visiting questionable websites, etc: if someone has physical access to your machine, they effectively have access to everything on that machine including any sensitive data and any logins you might have stored there, which is where drive encryption and other techniques start to matter, though physical access by untrusted actors is problematic even for the most security-conscious organizations).


I disagree with the part I've emphasised. I have alternate accounts set up on my computer for other users for "casual" computer usage, but for each standard account I have set up NTFS permissions as follows:
* Reading or modifying my backups is denied;
* Access to "C:\Users\[insert my account name]" is completely denied;
* Writing to anything on C: except for the "Users\[their own]" and "Users\Public" folders is denied;
* Access to the other partitions and drives is completely denied (they may not even read the root folder);

In addition, "Parental Controls" -- however inappropriately named in my case -- adds a second layer of protection: no executable files are permitted to load and/or run other than those I've explicitly whitelisted with my own administrator password. (This has the side effect of rendering Chrome's jerkweed auto-update feature unusable, so I update Chrome by hand every month or so.)

Acquaintances are literally only permitted to browse the internet and play a few videogames I've whitelisted. It's like a high-performance terminal when I'm not here.
Meadows
Grand Gerbil Poohbah
Silver subscriber
 
 
Posts: 3188
Joined: Mon Oct 08, 2007 1:10 pm
Location: Location: Location
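
One way to apply and then verify deny rules like those listed in the post above, as an added example that is not the poster's own configuration. The account name and paths are hypothetical placeholders, it must run from an elevated prompt, and it covers only the full-deny rules (owner profile, backups, another drive); the blanket write-deny on C: is left out.

```powershell
# Added example; every name and path below is a hypothetical placeholder.
$Guest     = 'Visitor'                                 # standard account to restrict
$DenyPaths = 'C:\Users\Owner', 'D:\Backups', 'E:\'     # owner profile, backups, other drive

# Return the explicit or inherited Deny entries that name the given local account.
function Get-DenyRule {
    param([string]$Path, [string]$Account)
    $id = "$env:COMPUTERNAME\$Account"
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq 'Deny'
    }
}

foreach ($path in $DenyPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing path $path"
        continue
    }
    # (OI)(CI): inherit to files and subfolders; F: full access.
    icacls $path /deny "${Guest}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed on $path"
        continue
    }
    # Read the ACL back instead of trusting the exit code alone.
    $rules = @(Get-DenyRule -Path $path -Account $Guest)
    [pscustomobject]@{
        Path      = $path
        DenyCount = $rules.Count
        Rights    = ($rules.FileSystemRights -join '; ')
    }
}
```

These ACLs are enforced only by the running Windows installation, so they restrict a logged-on standard user and nothing that reads the disk from another operating system.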

Re: No Windows Password - Good/Bad?

Posted on Sun Aug 11, 2013 9:41 am

just brew it! wrote:If you run with admin privileges and no password, anything that gets past your AV can install itself without you realizing anything is amiss.

Theoretically yes, but said "anything" may only install itself with standard privileges. If it tries to acquire special or administrative rights, UAC will halt it whether you have a password or not.
Meadows
Grand Gerbil Poohbah
Silver subscriber
 
 
Posts: 3188
Joined: Mon Oct 08, 2007 1:10 pm
Location: Location: Location

Re: No Windows Password - Good/Bad?

Posted on Sun Aug 11, 2013 10:09 am

Meadows wrote:
UberGerbil wrote:if someone has physical access to your machine, they effectively have access to everything on that machine including any sensitive data and any logins you might have stored there

I disagree with the part I've emphasised. I have alternate accounts set up on my computer for other users for "casual" computer usage, but for each standard account I have set up NTFS permissions as follows:
* Reading or modifying my backups is denied;
* Access to "C:\Users\[insert my account name]" is completely denied;
* Writing to anything on C: except for the "Users\[their own]" and "Users\Public" folders is denied;
* Access to the other partitions and drives is completely denied (they may not even read the root folder);

Unless you've disabled booting from external devices in the BIOS, password-protected the BIOS so that nobody else can change the BIOS settings, physically secured the case so that only you can open it, and check the back of the computer every time someone else has had physical access to make sure a hardware keylogger hasn't been installed between your keyboard and the PC, UberGerbil's statement still holds.

Using encryption (e.g. BitLocker) would protect you from most physical attacks, but even that would still leave you vulnerable to hardware-based keyloggers if you are only using PIN-based authentication...
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37834
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: No Windows Password - Good/Bad?

Posted on Sun Aug 11, 2013 11:15 am

Windows passwords are useful for various network situations, as well as for RDP. Obviously, it's not going to protect your system from other vulnerabilities from applications, etc., nor from someone booting the system into Linux and running chntpw, but I don't think it hurts to have.
C-A_99
Gerbil First Class
 
Posts: 151
Joined: Tue Apr 06, 2010 9:46 pm

Re: No Windows Password - Good/Bad?

Posted on Sun Aug 11, 2013 11:44 am

just brew it! wrote:Unless you've disabled booting from external devices in the BIOS, password-protected the BIOS so that nobody else can change the BIOS settings, physically secured the case so that only you can open it, and check the back of the computer every time someone else has had physical access to make sure a hardware keylogger hasn't been installed between your keyboard and the PC, UberGerbil's statement still holds.

That's true.

Then again, such "extreme" measures are not necessary in my case, but I would definitely consider them if it were, say, a public access computer in a fast food restaurant or the like.
Meadows
Grand Gerbil Poohbah
Silver subscriber
 
 
Posts: 3188
Joined: Mon Oct 08, 2007 1:10 pm
Location: Location: Location

Re: No Windows Password - Good/Bad?

Posted on Sun Dec 15, 2013 2:36 am

If someone were to somehow make their way onto your network (via wireless or whatnot), they'd have an easier time accessing your system if you're running without a password. I know Windows likes to enable media-sharing and a bunch of Homegroup crap by default these days.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil Elite
 
Posts: 505
Joined: Sun Apr 06, 2008 4:46 pm

