If it’s so easy to change a Windows password, what’s the point? What method can I use to make my stolen Windows 7 more secure?
The normal answer is ‘prevent unauthorised physical access to the machine’ - but you’re talking about a machine that has been stolen and the thief has the luxury of the time to carefully break into your local profile.
Short answer is: you probably can’t stop someone who has your computer gaining access to log into it somehow or other, so if that’s a concern, you would need to assume it will happen, and figure out what steps need to be taken in advance to limit the damage when it does happen.
Damage limitation may comprise:
[ul]
[li]Don’t store any important data locally - save it to the cloud, or to some other storage solution that isn’t easy to steal; then if someone steals the machine, they may be able to log into it, but won’t find anything useful (well, as long as you’ve promptly changed your credentials on the cloud storage)[/li][li]If you do need to store things locally on the machine, use encryption with a key that is different from your Windows account credentials - so if they log in, they can’t actually look at your saved data[/li][li]Install a third party security solution that enables the disk to be remotely wiped, or that will wipe the disk when it detects suspicious activity (these do exist - often they are coupled with whole disk encryption utilities that use keys or credentials that cannot just be reset locally)[/li][/ul]
If your laptop is lost or stolen, a remote “self-destruct” feature may not work, because the thief can clone your disk before attempting to guess the password. In any case, you have to ask yourself what you are defending against. If all you want is to keep random people from logging in after stealing your laptop and turning it on, it will probably suffice to encrypt the entire disk with Bitlocker or VeraCrypt and require a non-guessable password or plugging in a special USB key in order to boot.
Really just reiterating the above but with a slightly different slant.
Once someone has physical access to a computer it is essentially impossible to stop them. This has been a mantra from very early times, and so far, for computers, it hasn’t changed*.
With the advent of cloud for all, it becomes possible to treat every computer you own as a cache, and not the prime repository of your data. You need to always treat computers as disposable. It might be stolen, catch fire, get run over by a truck at any time. Always be in the situation where all you need do is go buy a new computer and click a few thing to have it restore itself to a useful state to you. This isn’t the same as having backups.
If you want to keep your data secure and accessible the only known useful mechanism is to encrypt it. This adds pain, and can detract from performance. Data encrypted in cloud based storage with regular automatic synchronisation with your various computers is a useful paradigm to aim for. Version control of the cloud based store is more than just a good idea as well.
Providing decrypted access to your data becomes a bit more messy. You may well want a quite secure way of enabling this. Just a simple password is not terrific.
- where things have changes a lot is with smart phones. The iPhone and its ecosystem pretty much provide everything you want in terms of a secure computing environment. It has a secure enclave that makes access to encryption keys essentially impossible to all but state based actors. It provides a secure encrypted storage facility - so that your physical phone is simply a cache of your data. It provides a remote wipe capability and a remote disable capability - making phones worthless to steal. The painful bit is that you need to divest some of your control over the actual device. But if you regard the device as a cache, and not the actual repository, this view is a bit less painful.
BIOS passwords.
To avoid the method in the OP’s link you go into the BIOS*, turn off booting from anything but the main HD, set an admin password to prevent anyone else from changing the BIOS setting.
But that’s not really enough. You should be able to set a boot password** in the BIOS. I.e., when the computer boots up it asks for the password before initiating any sort of OS loading. These are quite common on laptops given the ease of theft. Getting around these requires certain hardware skills and purchases from sleazy online folk.
HDDs can also be encrypted and password protected in hardware in some cases and in software always.
- Or whatever they’re calling it now.
** Not the same as the admin password.
I’ve never tried any of them, but I think I recall hearing of solutions for this that were a)tied together with disk-level encryption and b)dependent on other features of the system such as ID of other hardware items - that would lock down tight (or wipe) if more than one of qualifying criteria was true - so you could change hardware, or reset a password, boot while disconnected, or get away with a couple of fat-finger login failures, but if you hit two or more of those criteria, you’re in trouble.
A popular slogan going around states that “There is no cloud; just other people’s computers”, and this is more or less correct. Simply storing your data on someone else’s machine is no guarantee that it’s any more secure, and in fact it may become even more of a target (since it will be stored together with potentially valuable data from other customers). If your data is confidential, then don’t store it unencrypted, whether or not it’s on the cloud.
This is absolutely trivial to bypass, even for someone with limited computing skills. Resetting the BIOS password is usually as simple as removing and replacing the battery; failing that, you can access the hard drive by removing it and putting it into a different computer. Even if the thief can’t do this himself, a computer repair store would do it for him in a few minutes, no questions asked.
-
Removing the BIOS battery on a laptop does absolutely nothing with regards to BIOS or bootup passwords. They are stored independently of the BIOS settings.
-
A BitLocker encrypted drive, when attached to any other machine, will immediately require the 48 character recovery key for any access.
While it’s true that storing your info on the cloud doesn’t stop thieves from stealing the cloud computers … cloud computers are usually under lock and key … I asked once and the owner of the local ISP he wouldn’t even tell me where his server farm was … the thieves know your computer is at home, but they probably don’t know where the cloud computers are … SO:
1] Keep your doors and windows locked …
2] Keep a big pile of $100 bills lying around … will thieves try to lug your computer off, or just swipe the cash and run? …
psychonaut: Note 1: that I said it only worked on the method given in the link. And 2: You didn’t quote my next sentence: “But that’s not really enough.”
I was making it clear that this was very limited.
My old work computer’s disk was encrypted, and I never noticed any performance issues and the only “pain” was typing in one more password.
As for storing everything on the cloud, that’s fine until you want access to your data when you are not connected to the internet, such as on a plane or ship. Making local copies before travel is fine, but travel is probably the riskiest time for computer loss, so I still think encryption works best.
My old company was very worried about this, and used encryption and forbade people from using the public cloud for company data.