Laptop Security?

Hey all. Does anyone have any suggest for keeping their laptop secure? I use antivirus protection but its free but it seems okay.

I want to know, do people here all have a password when they start up their laptop? I do not have one so if someone had access to my laptop they can just turn it on etc. So how would i do this?

I use windows 10.

Also if i do this, does that mean no one can turn on the computer without a password no matter what? Thus the only thing you can do would be reinstall windows 10? But doing this means everything is erased right?

The thing is for passwords, you should be using programs to do that. But what about just your computer security etc? Like imagine someone has access to it.. sure they might not be able to access certain sites if they dont have your password. But couldnt they just click on their virus links and they could now log into your accounts? I read this is something called like keylogger or something like that? But if someone has access to your computer, then they cannot do this assuming you do not have the computer?

Im wondering what precautions should one take with their computers.

 

Maybe the info here will be useful (but -not- the 1st post, was edited by some spammer)

http://forum.notebookreview.com/threads/how-to-password-protect-laptop-and-documents.807821/

 

That is a start make sure it's one that you research that works as it says. I use Defender and before that MSE which all worked fine for me and doesn't hog my system RAM to run and do it's job.

No by default most people laptop aren't set but if you let someone use your laptop then they have all the access KEYS. But this is why with the newer O/S you should password lock the Admin/Owner account that only can be used for updates and trusted software install and create a Limited user account that has no Admin/Owner access. This works on computers used in a Family so kids and Adults that can't screw up the system but only their accounts which can be deleted and reset without causing the Admin/Owner account damages. This last part is what most owners of their laptops don't do and will regret it sooner then later.

Good to have the latest version as this will protect your core investments since it will be updating and keep the O/S safe from harm-unless you the user does it themselves.

Yes, no one can turn it on until you create a limited user account then they can use the software but do nothing more to damage it. So the question your asking contains multiple answer but if you set the Admin/Owner password lock then no one can use it.

No you the user should create it so you remember it otherwise what is the point. If you lock the Admin/Owner with password others with the limited account can't change or uninstall or delete without the admin/owner login and password to do such actions. They basically are Read-Only and write to their folder but not to the Admin/Owner account.

If you don't want others using it then secure it away-that's the fast way to secure it from tricky fingers. Otherwise Password lock the Admin/owner account and make a limited user account you and other can use and have no access to the admin/owner account. I've told users on here many times "STOP" using your Admin/Owner account like it's a everyday account your asking for trouble and it will find you sooner then you think-don't think for once because your the owner that you won't do damage but that is precisely the reason why you should only use the Limited account to stop damages.

 

You should have a password for the administrator account at the very least. I'm assuming you're using that instead of a standard account (which you should use), in which case you just tell Windows to ask for the password at startup instead of automatically logging you (or an attacker) in.

No, you can still turn on the computer if you enable the login screen, a person just can't log into Windows without it. The computer will still be on.

However, an attacker can simply take the storage drive out of the computer and read the files without having to find out your account password. Use encryption (either per-file or full disk) to prevent this.

If an attacker has physical access to your computer, consider it gone/compromised/attacked/etc.

One very good security tip for laptops is to simply not let it out of your sight.

 

How do i set up a password for windows 10? The admin password etc?


Well when i first start up the computer, there is nothing to enter etc.

Hey there. Well i mean what if something happens to your laptop such as it gets stolen etc. Thus if someone has that laptop, well what can be done before this where even if they have the laptop, they can only complete reinstall it and use it like new as oppose to opening up the computer and checking whats there and also checking out the hard drive etc.

I heard someone mentioning even with a password, that isn't good enough? Thus the windows 10 password? Heard something about encrypting the hard drive?

Can someone who uses windows 10 tell me what is proper way to make sure the computer is safe where if you do not enter a password when you first log in, then you cannot ever access the computer? Of course the risk is if you forget your password, then you cannot log back in etc.

 

If you want to set up a computer to completely self-destruct after a failed login attempt, maybe hook up a bomb to the inside of the computer and set it to blow up with a failed login attempt? .

In all seriousness though, it's unrealistic of you to say that an attacker with physical access to your machine cannot take he drive out of the computer. It's not a difficult task to accomplish and is something I'd do if I had to get files off a computer protected by a login password (I wouldn't even bother trying to guess the password at all, actually).

For encrypting the whole disk, you can look into Bitlocker (comes with certain versions of Windows, free to use) or VeraCrypt (free to use, born from the once-popular TrueCrypt project), as well as a few other encryption programs (though I only have experience in the two I mention). Both are rather easy to set up and use imo.

 

Go to Control Panel or type it in the Run box "Control Panel" and find the accounts and go to the admin/owner of which your most likely the "Owner" account and there you can set a password.

You will not see the password "enter" box until you first setup a password.

As to anyone taking you HDD/SDD out and becoming owner that a obvious truth if someone stole your laptop they could do so til we get there you or I or anyone can't stop someone that is going to take it.

 

Hi there. Went to control panel. Clicked on user accounts.

It shows my name and under it... local account and administrator.

Where is option to set a password?


There is


make changes to my acct in pc settings
change your acct name
change your acct type


manage another account
change user account control settings


On the left though... there is

manage your credentials
create a password reset disk
manager your file encryption certificates
configure advanced user profile properties
change my environment variables.

So for the hard drive/ssd etc... i have an ssd on my computer. So how does one make sure no one could access the computer files if another person has access to it?

And how hard is this process?

I want my computer to be where you have to put a password to start up the computer... otherwise someone can just turn on computer and everything is there. And of course no one can access the computer files without a password or something like that.

 

Again, to make sure no one could access the computer files if another person has access to it, you need to encrypt your drive. It's not a difficult process at all (there are guides for both Bitlocker and Veracrypt online, but it essentially boils down to following prompts from the program).

 

The topic I refered to in earlier post deleted due to some spam.
My reply in that topic was (roughly):

bios password + bios hd password, + some windows password if one wishes.

Then bitlocker (if the windows version got it). Partition hd, keep c: 'normal'. d: 'bitlocked' and put anything and everything sensible on that drive.

Be serious with passwords (remembering...). & backup \ image regularly to external media (hd, cloud).

Good luck.

 

Maybe I am just paranoid, but I have my laptop locked down pretty hard.

I have a user password set for Windows. The built in admin account is disabled.

I have a UEFI password set and the boot order set so the first boot item is the SSD. This way, to get it to boot from any other device the UEFI password must be known.

Both the SSD and SSHD are encrypted using Bitlocker.

I have Malwarebytes 3.1.6 installed and use it along with the Defender built into Windows.

While this doesnt make it impossible to get my data if someone is truly after it, it should discourage most people.

 

Okay so which is more preferred here... bitlocker or veracrypt?

Can someone tell me how long does it take to encrypt using either of these programs? I have an SSD hard drive.

Okay so i assume with either of these programs, you need to remember a password right? Thus its similar to like axcrypt when encrypting documents on computer? So with bitlocker, you need to type in a password in order to open your hard drive or ssd so to speak? Thus with bitlocker, not only do most people have a user password set for windows... after you enter that, you need to enter the ssd or hard drive password as well in order to access the computer basically?

 

So many passwords just to do a little work on the computer keeps most people from doing the password thing. Finger print may be an easier way but that also has problems with ways to bypass that too.

 

Yes a password is required and I think Bitlocker works with TPM, one of the idea is so that when the laptop is physically stolen, they cannot remove the HDD and access it, the password is required on that same machine with TPM I guess. I had a C drive with Bitlocker and lost the password, even after reformat I cannot seem to use it properly, it had to be changed. I can only assume without the password it will not match a TPM, even after reformat or something like that...........
Agree with every advice given here, it is not difficult to access your data with just a Windows password. For my set up I have a BIOS password and a Windows password but I did not encrypt the HDD with Bitlocker due to my previous experience with it. If the laptop is stolen I will rely on the BIOS password to secure it(if it is a higher end laptop will need to approach the manufacturer to re set the BIOS), as for the data I really don't have NASA's flight plans so I rely on back ups of data which I think is more relevant for normal users.

 

Bitlocker does work with TPM, though note that TPM itself is a feature not commonly found on consumer-class laptops, so it's unlikely OP even has TPM.

 

Also to consider If the security are Bios password, windows password then Bitlocker password, there will be a lag in accessing the PC. Example I have a nvme drive which is supposed to be fast but with the layers of passwords it will take the same time(or maybe longer) as a sata.

Gotta review this Bitlocker with TPM again before into production. The last time I used it was disastrous.

 

Out of interest, what did you do \ what did happen to cause a 'disaster' '? (btw, disasters are not happening (maybe minor annoyances) for anyone who have good backup plans).

Have used bitlocker for years and years on internal and external drives, laptops w\wo tpm. Steady as a rock here (but that does not put me to sleep nor makes me trust that anything will work forever, am always adhering to strict backup routines).

 

Those things are useless (anti-theft. too). With the right tools they can be easily reset (even on the latest systems) and they won't protect the data on your drive anyway, except if you use drive encryption. Same thing for a Windows password; they're only useful if you share the machine with people that can't be trusted with an admin account.

Drive encryption is really the only security measure that makes sense *. Even then; only a few password lists, banking details and the like are truly important to keep away from others, so might as well use something like VeraCrypt and secure only those files. After all, every password you have to type is a bother, so better stick to those methods that are absolutely secure and for only those bits of data where it makes sense. Not a lot of use in encrypting OS files or those of installed programs, one should think. Just remember that password manager in the browser; might want to password-protect that manager or use KeePass instead.

Also, a direct attack or theft is a remote second to ransomware (and failing drives), so either consider a good antivirus program and/or make regular read-only backups, preferably on a non-attached storage medium. You wouldn't want to wake up to a locked computer and find out your backup images have also been affected. Now, the passwords that are really important are those of your email accounts; having access to those means anywhere you've registered using that email account can be taken over with a simple 'forgot password' click. Knowing the Yahoo database has been compromised for a year or so before the general public became aware of it; good idea to use different, hard-to-crack passwords for those and change them once in a while. Or run your own email server, if you like.

If the hardware is important (due to modding or something) and there's some spare room left inside then embedding a GPS tracker might be useful. Those for-car models can also remotely cut power using a relay, so interposing that between the battery and DC connector would mean you can remotely 'kill' the laptop. Most will consider it dead then and if you make it look not so much diy but more 'believably original' then even someone experienced with opening laptops may be fooled. Still won't protect that hard drive, of course.

*) Perhaps not using something that relies on TPM though; some people have had a small bios hiccup or corruption trigger a lockdown and no way to access their data. Don't know whether writing back a BitLocker encrypted image to a reflashed system might resolve that, but if it doesn't ...

 

Well when I tried to Bitlocker my C drive it has TPM. And my fault I got mixed up on the password. Therefore I had to reformat and restore from disk image. However the drive even after reformat does not work properly bsod and in the end I had to replace the drive. It was an m2 nvme 512gb drive. I guess it's the TPM but can't be sure until today.

I think you totally hit the right spots !!! It's those passwords that I'm concerned on and they are all in C. I'm outside now & can't elaborate much but you read my mind.

 

Yes the bios pw is just a basic against some tampering, not security.

The important bit in "bios password + bios hd password" was about the hd, no known instances of that ever being compromised (afaik) in products from HP, Lenovo, Dell etc.

 

agree, learned something here, those banking, emails, etc passwords are what i think i would like to secure. For the data i do have a lot but i don't think they will be valuable, i have loads of back up on data so it is not a real concern when it is stolen.

OK I think it is encouraged to have Bitlocker and this is what I ran into today. I have upgraded to Creators windows 10 and in the TPM console I cannot see the TPM management anymore, the error is 'cannot load management console, exception hresult 0x80090030'. I was thinking had I Bitlocked with TPM of my C drive I would have locked myself out from my laptop. This is what I meant by disastrous, this is for both the Dell Precisions.
Perhaps should post this at the Precision forum and see if anyone is having this issue.

 

^^^ Sorry for your problems, and cannot provide any useful info for your particular setup.

Am only providing basic info what works here, what I experience is a good routine for my situation \ laptops. May give someone som useful hints or ideas to adapt.

Example from Dell 7440:

- Bios hd (ssd) password. Not encryption, but AFAIK one would need to remove the platters from the hd and place them into another hd body to try to read content. About ssd, probably de-solder the memory chips or something like that lol (don't know). Anyway, not work for the average thieve, and a first line of defense.

- Disk 1 (a 250 msata) partitioned into C & D. The bitlocked D is where everything sensible\personal\important goes. See attachment.

- In addition, some specific files encrypted (axcrypt) and saved on bitlocker partition. That should give anyone trying anything some real headaches :O)

The whole thing (reflect images + individual folders) regularly backed up to cloud + external hd (bitlocked), that's the remedy against eventual loss, theft, virus, hardware failure, ransomware, personal error etc.

Using decent passwords (a dozen+ characters) easy to remember but very difficult to guess + written copy hidden "in the attic" just in case age and chemicals takes away (more of) memory :O)

Good luck.

 

I understand the concept of encrypting only the files that are sensitive and important, but I just encrypt everything. Never had an issue with my current machine. Been through a BIOS update, multiple OS updates, never had any issues show up. Bitlocker doesnt seem to effect performance at all and in my opinion, it just makes it easier. Encrypting individual files requires doing it manually, and if one of those files is updated, it requires remembering to encrypt the file once again after its modified. With Bitlocker, encryption happens transparently. The biggest thing is making sure the Bitlocker keys are backed up in case of an issue.

 

Yes, did exactly that on a 'dead' ssd. Worked nicely to recover the data, but if it had been encrypted with an unknown password it'd been a different story.

Also recovered data from spinnies that had defective controller boards. However, that needs transplanting the firmware chip as well, so would guess that also takes the hd password along with it (unless that's a bios option?). Yet, that wouldn't be hard to tackle. Just read out stock fw, set password, read again and do a hex compare. Then read the target drive's fw, set the same location to all FF and write back.

So if drive passwords work without encrypting the data itself then these provide token security only.

The rest of your security+backup schedule looks great though, very nice .

 

hey no problem, lots of insight reading your posts. )
I am contacting Windows for support, I have Assure(subscription for Windows remote access) but they are saying this is Pro support level in which I have to pay GBP99 for this !?
Anyone here have any suggestions is greatly appreciated

 

Hey all. So just to confirm if i install bitlocker on my computer, that means at startup, i would have to know the password right? Thus if a hacker or someone who gets access to my computer were to get the computer, there is no way they could turn on my computer without the password? Because if that is true, then i will be using bitlocker.

 

Yes, you still need the Windows password. If they take your drive out and try to access it from a different computer, they will need your Bitlocker password.

 

Hi there. So this bitlocker basically protects your computer no matter what then right assuming the computer is turned off?


Also how long does it take to do this? Basically i just want to make sure its locked with a password and that is all. However you still need to do a backup in case? Such as if someone happens to your computer?


Also does that mean the windows 10 password option at startup is basically useless then? Thus if you put that password, that doesn't do anything because there are ways to reset it or something and then get in the computer?

 

Yes. Encrypted stuff can't be viewed unless the person knows how to unlock it.

Depends on how much data you're encrypting and how powerful your computer is (specially, your CPU).

You should always make backups of your data, encryption or not. Period.

As far as retrieving data, yes. If a person can't log into your computer because they don't know your Windows password, they can (assuming no encryption) just stick your drive into their computer and browse your files as if it were a flash drive.

 

HI there. When you say how much data you are encrypting do you mean how big my hard drive is and how much gb i used up on my computer? Because if im encrypting it, im encrypting the entire computer right? For example i have a 250gb ssd hard drive but it only shows 232gb free. If im using say about 132gb and 100gb is free, how long would that take about? Or if you are using 100gb, how long for every 100gb? My cpu is i5 6300 hq quad core.laptop. It has 8gb ram and has an ssd.

How long does it take to make backup of my computer?

Okay so if i put just the windows 10 password and don't do the bitlocker, they can put my hard drive into their own computer and view the drive. But they cannot do anything to the files... is that correct? Because if that is the case, isn't that still pretty good? Or could some very smart hackers find a way to do it?

 

1) I don’t know. Your CPU also factors into how long it will take. Just as a guess, I’d say a it will take a few hours to fully encrypt a drive.

2) Depends on what your backup is. If you’re backing up to an external hard drive, it’ll be as fast as whatever USB port you’re using or how fast the drive itself is (whichever is slower). If you’re doing an online backup, it’s likely to be however fast your upload speeds are or what the rate limit is on the online backup service you’re using (whichever is slower), but will very likely be slower than an external backup.

As a side note, if you’re going to do a backup, do it correctly. Use a 3-2-1 plan ( https://www.backblaze.com/blog/the-3-2-1-backup-strategy/) or better and be sure to test your backups. Otherwise, you don’t really have a backup.

3) No, simply having a Windows account password wont prevent that. If someone has physical access to your drive and plugs it into their computer, they can do whatever they want with your unencrypted data. They can read the files, copy the files to their computer, they can edit the files, they can delete your files, they can add new files to your drive, etc.

 

Since bitlocker is using aes it should be reasonably fast. Even with a 256-bit key. I doubt it will take more than half an hour for 500gb (never tested it though).

EDIT: nvm it has to be really fast since you encrypt basucally your entire hard drive on shut down. So it is pretty fast

 

Hey all i have a few questions about laptop security, ESP. after having my sager/clevo and a spectre stolen...

1)is there a hardware dongle that authenticates me at the BIOS lvl? ie, the mother software writes to BIOS a PGP code that only the dongle can unlock (buy 2)
2)HP is packageing a "Lost my laptop-esque" software suite that will locate it so you can call the police...i don't know how or what even the name of this is...it looked funky as in...WTF?! they should have already changed out the SSD by now!!! I AM DISSAPOINT!

 

1) Maybe you're thinking of two-factor authentication with a hardware dongle as the second half of that. It's certainly an option to consider
2) You're thinking of LoJack. And if you're thinking that your laptop can get stolen, you should be encrypting your SSD anyway (so them stealing it isn't a concern).

 

Thanks! What does LoJack do exactly?

 

https://en.m.wikipedia.org/wiki/LoJack_for_Laptops

 

@Drew1

 

Agreed.

The original subject and discussion has been plowed under sixteen feet, so I've moved all those 16 pages of, basically, BitLocker questions to a new thread:
BitLocker questions

@Drew1 ,
Would think every possible question relating to the subject has been answered already, but if you have any further questions then please use the new thread.

LoJack is utterly useless, imho.

I've 'recovered' systems that had LJ triggered accidentally with your run-of-the-mill hardware tools (which we shall not further discuss, per the rules). Safe to say; laptop and data all working happily again. It will give you not even a modicum of protection, so think of it as being in the same league as the Windows password.

 

What was the one workaround for a "forgotten" Windows 7 log-on password? Utilman, something like that? It was comically easy to crack a simple Win7 Admin/User pass (not BIOS).