Computer whizzes - circumventing a windows password

[Stand_watie]

How easy is it to do without it being obvious - I mean for a normal person, not a hacker type. I'm sharing a house with someone I don't want to have access to my computer files, so I put a password on the computer.

[caseydog]

Win XP or 2000? , security in any other windows is a bad joke.

[Vodka7]

Anyone with physical access to the machine and enough time can get any files they want that aren't encrypted.

For a regular person?  Depends on how much they know and how bad they want to see what you're hiding.  A windows NT/XP/2K password is good enough, just make sure you have the folders your files are in set up so that other user accounts can't read them (can't remember what it's called.)

If you really want to be safe, get something some encryption.  For encrypting files on a file-by-file basis, PGP is excellent and has a free version.  This method can be terribly slow (for instance, if you want to encrypt an entire folder of, oh, say, honeymoon pictures--every time you want to look at them, you have to decrypt all of them.)  But, it's also the most efficient in terms of disk usage, and has a Zip algorothim built in.  Most files you encrypt will actually go down in size.  PGP was also designed with communication in mind--it uses a private/public key method.  Let's say you want to send those pictures to your wife--she can send you her public key, and you can encrypt them so that only you and her (or just her) can open them.  She uses her own private key and password to open them, which means you don't ever need to share passwords to share a file.

Programs like TrueCrypt (free and open source) create a big container file that you can hide everything else in.  The problem with this is, you have to kind of guess how much space you're going to need, and you can't add space later.  So once you fill it up, you have to make another container.  Containers are also "mounted" once decrypted, meaning instead of using them like a zip file, you go to my computer and use a virtual hard drive.

[jefnvk]

Probably near impossible for the average person (I assume you are talking about the login, ahve no idea on built-in encryption).  Just don't leave your computer logged in under your name.  We had a problem a while ago back at college where a kid figured out how to change passwords on anyone logged in with a administrator level password.  Screwed with some of us, luckily I had the password to the actual 'Administrator' account, as I built my comp and did my own install.  The ones with the OEM comps, some had to reinstall.  He didn't ahve frioends for a few weeks (for a very social necessary type person, that hurted him alot).

[Stand_watie]

Yeah, I meant that first login screen when you start-up. It's a brand new computer so I assume XP(?) It didn't have the login at first, but I went to one of the settings and changed it to password protect and now every time I start up the computer it brings up "owner" and a password blank.

[Vodka7]

Well, they won't guess or crack your password if that's what you're worried about.

That said, anyone with access to the physical machine and a boot CD can do anything they want.

You could disable boot from floppy and boot from CD and then password your BIOS.  That'd stop all but the most determined.

[Azrael256]

Unbelieveably easy

We use that one about every other week at work.  You might consider two-factor authentication.  Fingerprint scanners, smartcard setups, and other physical keys are actually really cheap.  I can actually crack your password without your knowledge if I have physical access.  L0phtcrack can be obtained in a less than legal fashion, and it will crack the password without resetting it.

Do NOT NOT NOT NOT NOT rely on Windows' encrypted filesystem in this situation.  Toasting the password with that CD tool will fry the EFS key.  It takes forever to crack.  BIOS passwords are also unreliable.  Anyone with a passing acquaintance with motherboard hardware will know how to reset it.  Give me the model of any commercially available motherboard, and I'll tell you how to reset the BIOS in two minutes.  Everybody knows somebody who knows how to do this stuff.

If it's XP Home, which it probably is, just forget everything I've told you.  You don't even need external tools to break in.  Here's the problem:  That "Owner" account is actually not the administrator account.  It is a user account with administrative access.  While you're logging on with your "Owner" account, I'm going to boot with that CD, change the "Administrator" account password, and mark it active.  Now all I have to do is log on.  That's the clever way.  Try booting into safe mode and you'll encounter the easy (albeit detectable) way.

We do this about twice a month at work.  Some freshman forgets his laptop's password, or mistypes it while he's changing it.  They sign the waiver, and I break into the machine.  They are usually horrified at how quickly and easily it is done.

If you have sensitive information, PGP encrypt it and carry it, and your key around on a flash drive.  This sort of thing was the first five minutes of my NT Security class.  If you want it secure, the first thing to do is lock the door.

[lee n. field]

How paranoid do you want to be?

How easy is it to do without it being obvious - I mean for a normal person, not a hacker type. I'm sharing a house with someone I don't want to have access to my computer files, so I put a password on the computer.

Depends on what you mean by "normal person, not hacker type".  I work with this stuff all the time, and what seems trivial and obvious to me wouldn't be to those not in the business.

Out of the box XP Home -- pretty easy, as the Administrator user is probably not passworded.  Boot safe mode, log in as administrator.  See everything.  Take ownership of files and reset permissions if necessary.

Even well passworded boxes can be cracked, with the right tools (I'm familiar with Winternals Locksmith), but that's obvious, because the password is then changed.

I don't consider it heavy hacking to pull a hard disk and hook it temporarily as a second to a different machine.  Depends on if Joe User is a s good as he thinks he is.

You want secure:  get a laptop, take it with you.  

Or get a Linux box or a Mac running OSX, turn off automatic login, set real and non-obvious passwords.

[yci]

Setting a password in the BIOS could be another small step since it won't let you boot to the OS until you enter it during the POST.  Unless, of course, you plan to keep the system up and running all the time, then this wouldn't necessarily help.

Having the system prompt for a password when it first powers on can certainly throw folks for a loop since we're not used to seeing that all the time.

Not a perfect solution, but just a thought.

[jefnvk]

OK, some good ideas up there.  I guess it depends on how good the guy is.

If it were me, and worried that he may be going far enough to do one of the following, I'd probably ask him to leave.

lee mentioned pulling the HD, if you have the lock thing on the back of the computer, you may think about putting a padlock on there.

[Chris]

"Setting a password in the BIOS..."

My first thought; although my machines don't have wide access, they ALL have boot passwords. It's a little step, but probably the first one.

[Stand_watie]

Setting a password in the BIOS could be another small step since it won't let you boot to the OS until you enter it during the POST.  Unless, of course, you plan to keep the system up and running all the time, then this wouldn't necessarily help.

Ok, how do I go about that?

[jefnvk]

You have to figure out how to get into the BISO on startup.  This will involve pressing a certain key while the computer is doing its system check (memory stuff, recognizingg drives, etc.)  If it is a commercially built (you didn't piece it together yourself) comp, there may be a logo screen instead of this info.

The trick is to find the key that gets you into that screen.  On my computer, it is DEL.  I also have seen F1 and F10.  Those seeem to be the common three, although it wouldn't suprise me if HP or Dell went and made it a different key so people couldn't get in as easy.

That'll bring up a menu, and then you just have to find where the option is then.

[Stand_watie]

Guys, he's talking about a normal person. I think he just doesn't want this person sitting down and going through his PC. I doubt this person would be taking the time to pull a drive and go through it, or make any real effort.

Yes, and it's alright if this normal person gets into my computer if they leave a trail behind them, because the consequences for them in court will be more in my favor than any info they get off the puter will be in their favor.

[jefnvk]

In that case, I do believe there is a way to log log ons.  Just put the password on it, and look at the log every now and then.  If there is one that doesn't appear to be yours, there is your proof.

[Vodka7]

I thought you were worried about someone accidentally stumbling across something embarassing, but now it sounds like you actually have a real need for protection.  I'm going to, again, seriously recommend you try out some encryption software.

http://www.pgp.com/downloads/desktoptrial.html

Ignore all the 30 days junk.  They're trying to scare you into buying the software by warning you what you'll lose after the free 30 day trial of the pro features.  You have "perpetual use of the limited functionality solely for personal, non-commercial use."  Everything you'll need.

http://truecrypt.sourceforge.net/

[thorn]

HOLY EASY!!

turn on computer.
open DOS prompt.
navigate DIRs to passwd file.
BUSTed Wide Open

if person can turn machine on or off, he can get to DOS.

bios passwd wont stop someone form using a WIN startup disk to access DOS mode.

also can get to passwds thru regedit i think

[lee n. field]

if person can turn machine on or off, he can get to DOS.

With W95, w98 or winME.  Not with Win2K or WinXP.  Even booting "safe mode command prompt" will get you to a logon prompt.  Even booting the Recovery Console will get you to a logon prompt.  The trick is actually setting a password.

bios passwd wont stop someone form using a WIN startup disk to access DOS mode.

A power on password will.

[spacemanspiff]

dude just let your buddy check out your porn! its no big deal!

hehehe

[Risasi]

Lee,

Then you better have a padlock on your computer case. It takes me all of five seconds to pop a caselid and yank the CMOS battery. This effectively resets the password.

Azrael pointed out the Linux Util to reset NT Kernal passwords. It works great, been using it for years. It is also possible to crack a Unix or Linux system too, but you have to reload the machine. Your best bet is to have a removable hard drive.

[Control Group]

You have to decide who you're defending against.

If you don't want Aunt Tilly to find out what you're getting her for Christmas, a login password for XP will be plenty as long as you win+L whenever you leave the machine and it's running. This will work forever.

If you don't want your competent-but-not-a-computer-person roomie reading your email, make sure you also set the Admin password. This will work until the person bumps him/her self up to the next level.

If you don't want Joe Computer Geek finding your stash of midget porn, encrypt the hard drive (or at least the sensitive portions). Physical access to a PC will always mean access to the PC's files; it's just a question of how much time and effort it takes. Any decent encryption will work essentially indefinitely. A decent alternative is using removable storage only, and keeping it with you. This will work until you forget to remove it from the PC.

If you don't want the feds finding your plans for world domination, you're hosed. Removable storage only,  symmetrical encryption with a 4096-bit key that isn't recorded on any physical medium, anywhere. This will work until they beat the key out of you.

Most people fall into category two or three.

[Stand_watie]

If you don't want your competent-but-not-a-computer-person roomie reading your email, make sure you also set the Admin password. This will work until the person bumps him/her self up to the next level.

That's the one right there. And as I mentioned before, if the roomie (my wife) leaves an obvious trail it would be worth the loss of info (strategy with my lawyer) to have the judge ticked off at her for violating his restraining order. She doesn't have a login id on it at all right now, unless she's already done some of this techno-weenie stuff:)

[lee n. field]

if the roomie (my wife) leaves an obvious trail it would be worth the loss of info (strategy with my lawyer) to have the judge ticked off at her for violating his restraining order. She doesn't have a login id on it at all right now, unless she's already done some of this techno-weenie stuff:)

Wait wait wait -- the individual in question is your wife?  She's under a judge's restraining order, but she still lives with you?  

This sounds more than a bit strange to me.

[jefnvk]

This sounds more than a bit strange to me.

You are not alone.

Since this is also dealing with court cases, may I suggest  simply removing all physical access?  Locking the computer in a safe when you are not using, or something of the sort?

[Azrael256]

some of this techno-weenie stuff

I'm a network engineer, thank you.  Let's go shooting, and then call me a weenie

But seriously, I know this is stressful, so if you're coming to Dallas and want to blow off some steam, let me know.  My brother and I are itching to get some (in his words) "trigger time."