Basic Security: Windows 7 Password


47 replies to this topic

#1 Magic Sam

  • Members
  • 225 posts
  • Gender:Male
  • Location:Brigadoon (Co Durham, UK)

Posted 28 January 2015 - 03:50 PM

Am I fooling myself with the belief that by creating a Windows 7 password I am adding anything to my security - IF I can assume that the only threats will be "external / online" rather than from someone getting unauthorized physical access to my PC? 

 

I refuse to store any passwords online, but this has the downside that the task of recording and remembering them offline is made more difficult as each new one is added. There was once a time that I stored them all on a floppy disc (low encryption); now life is much more complicated :(





#2 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 January 2015 - 04:16 PM

Do you let applications like Internet Explorer remember your passwords?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Magic Sam (Topic Starter)

  • Members
  • 225 posts
  • Gender:Male
  • Location:Brigadoon (Co Durham, UK)

Posted 28 January 2015 - 04:28 PM

I use Chrome but always try to erase all passwords at the end of each session (CCleaner). But I regard the password that you can set up before accessing Windows as something different, and possibly superfluous as far as online threats are concerned.



#4 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 January 2015 - 04:38 PM

I understand that.

 

But I was asking about Internet Explorer, because if you do, then setting a Windows logon password will offer better protection for the passwords Internet Explorer remembers.

But since you don't do that, there's no advantage.

 

And the user account that you use to log on has administrative rights?

 

There might be a legal advantage, depending on the laws of your country. Something like: if you don't set a password, then the content of your computer is not considered private.




#5 Magic Sam (Topic Starter)

  • Members
  • 225 posts
  • Gender:Male
  • Location:Brigadoon (Co Durham, UK)

Posted 28 January 2015 - 04:47 PM

The question arose when I was trying to establish / prove that I was in fact the "administrator", as one would expect to be on one's own sole-use PC. I'm not too concerned with the legalities (you may well be right, but I have never heard of an obligation to keep one's PC private), so for the sake of a simple life I'm inclined to delete the Windows password.



#6 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 January 2015 - 04:56 PM

If you are running as a normal user account (not administrator), then there is certain malware that tries to escalate its privileges by guessing the administrator's password.

If you don't set a password, then such malware can escalate its privileges.

 

But if you are running as administrator, it makes no difference.




#7 Magic Sam (Topic Starter)

  • Members
  • 225 posts
  • Gender:Male
  • Location:Brigadoon (Co Durham, UK)

Posted 28 January 2015 - 05:19 PM

I might just set a very simple, easy-to-remember administrator's password. As a matter of interest, where and how do you and other experts store your passwords?



#8 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 28 January 2015 - 05:22 PM

It makes no difference for such password guessing malware if you use a popular password, because they have a dictionary of popular passwords to try.

 

If you are running as administrator, there's no need in your case to set a password.

 

I use Keepass to store my passwords.




#9 Magic Sam (Topic Starter)

  • Members
  • 225 posts
  • Gender:Male
  • Location:Brigadoon (Co Durham, UK)

Posted 28 January 2015 - 06:45 PM

Is Keepass online (only)? Or could you use it on an external drive?



#10 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,395 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 January 2015 - 06:51 PM

KeePass Password Safe - KeePass Downloads

Other third party Password Managers which can generate random passwords:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#11 Aura (Bleepin' Special Ops)

  • Malware Response Team
  • 19,629 posts
  • Gender:Male

Posted 28 January 2015 - 06:57 PM

KeePass is local, but there are many open-source plugins related to the project that can be used online, such as a web extension for Google Chrome and even an Android app. If you want to use an online password manager, I recommend you go with LastPass. They offer a lot of features in the free version of the product, and when you go Premium you can have access to the mobile application as well, instead of logging in on their website from your mobile browser and grabbing the passwords from there. I've been using LastPass (Premium) for the last few months now and I'm really satisfied with it. All my major account passwords (email, forums, bank, etc.) have been generated using LastPass (25 random characters) and have 2FA (Two-Factor Authentication) enabled on top of that. This is what you call account security :)

Also, if you are going to use a password manager, go through Internet Explorer, Firefox and Google Chrome and make sure that there are no passwords stored there, as they can be easily stolen by "stealer" malware.

Edited by Aura., 28 January 2015 - 06:58 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,395 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 January 2015 - 06:58 PM

BTW...you may want to read these articles about passwords.

...“123456”and “password” continue to hold the top two spots that they have held each year since the first list in 2011....SplashData's list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords....

2014 SplashData’s Annual “Worst Passwords” List

2013 was a wildly visible year for cyber security and online privacy...And yet for all the visibility, punditry, and drama, new data suggests that internet users are still terrible at choosing a good password...

It’s 2014 And Our Passwords Aren’t Getting Better

#13 rp88

  • Members
  • 2,999 posts
  • Gender:Not Telling

Posted 28 January 2015 - 07:19 PM

A password on a Windows computer has some security value, but it is by no means an impenetrable way to protect your data. Putting a password on the login to your computer will make it harder for individuals with physical access to it to interfere with your files and settings, but there are still many, many ways that a sufficiently skilled individual with physical access can get into your admin account and from there read everything on your machine or modify your settings or files.

As for the more common threat, remote attacks and malware, I don't think the presence of a password has much effect, but I might be wrong about this, especially if you have anything like UAC enabled.

The main thing a Windows password will do is keep honest people honest and stop anyone who has a few minutes alone with your computer from changing its settings or prying into your files, but if an attacker has physical access for more than 20 minutes or so and reasonable skill then the Windows password won't offer much protection.

There are good reasons for the password to log on to the admin account of a Windows machine not to be impossible to bypass; after all, computer repair shops need to be able to "unlock" machines when the owners forget their passwords.

If you have private data on the device you should consider encrypting it within an encrypted volume (I don't know much about them) or within an encrypted archive; I use these in the form of 7z archives. This should have a long, hard-to-guess password and not be the same as your Windows one. If you use that method then although an attacker with physical access, time and skill could hack your machine/delete files/install malware, they could NOT read your private files, as the encryption protecting archives and volumes is usually pretty unbreachable. What's more, if you forget the password you are not locked out of your whole PC (you can still run programs, browse the web and read your less private files which you didn't encrypt), just locked out (for all eternity unless you remember that password) from the few (or many) private files you chose to encrypt. In the case of remote attacks these encrypted archives are just as tough as for attacks by physically present snoopers, AND AS LONG AS there is not an incident where the attacker (remote or local) installs a keylogger which you don't realise the existence of until after it has watched you entering your password to the private archive/volume, the private files will stay private.


I would suggest you have a password for logging into the admin account of your machine, but it needn't be a super-strong one (though it's a good idea to use a reasonably strong one: longish, not a dictionary word, not an insult or other profanity, not a football team, not a friend/family member/pet, not anything based on "password", not "letmein" or "openup", with a few letter-for-number substitutions), and it would be safe to write down as long as the written copy is kept in a locked safe or something. Private data should go in an encrypted archive/volume whose password should NEVER be written anywhere and must be very strong. This method of encrypting the private archive/volume would ensure even the computer repair shop couldn't read your private documents if you ever needed to take your machine in for anything, and the encrypted archive could be backed up onto USB sticks without its security being compromised by doing so.

I use 7z for making encrypted archives. If you want to go down the "volumes" route there is a famous piece of software called TrueCrypt; however, there have been recent questions asked about its security because its own developers claimed it was no longer secure, despite independent programmers looking over its open-source code and verifying it was safe. As yet it's not proven which side was correct in that debate.

Edited by rp88, 28 January 2015 - 07:31 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#14 Didier Stevens

  • BC Advisor
  • 2,685 posts
  • Gender:Male

Posted 29 January 2015 - 02:47 AM

Is Keepass online (only)? Or could you use it on an external drive?


No, Keepass is offline only. I don't use online password managers.



#15 Aura (Bleepin' Special Ops)

  • Malware Response Team
  • 19,629 posts
  • Gender:Male

Posted 29 January 2015 - 06:37 AM

Is Keepass online (only)? Or could you use it on an external drive?


No, Keepass is offline only. I don't use online password managers.


Do you use the Chrome KeePass plugin or not? What do you do when you're on another computer and need to access an account?





