Why do we lock our computers?

Question

It's common knowledge that if somebody has physical access to your machine they can do whatever they want with it¹.

So why do we always lock our computers? If somebody has physical access to my computer, it doesn't really matter if it's locked or not. They can either boot a live CD and reset my password or read my files (if it's not encrypted), or perform a cold boot attack to get my encryption keys from memory (if it is encrypted).

What's the point of locking a computer besides keeping the average coworker from messing with your stuff? Does it provide any real security benefit, or is it just a convenience to deter untrained people?

---

^{1. unless the computer has been off for a while and you're using full-disk encryption}

Answer 1

In some places they have a saying: "opportunity makes the thief". All you're doing by screen-locking a computer is making the cost of hacking it just a little bit harder.

Security is an economic good, with a price and a value. The value of locking is somewhat larger than the price of locking it. Sort of like how in good neighborhoods, you don't need to lock your front door. In most neighborhoods, you do lock your front door, but anyone with a hammer, a large rock or a brick could get in through the windows. In some neighborhoods, not only do you lock the door, you have a solid-core door with a deadbolt, and you have steel gratings over the windows. In the best neighborhoods, the value of the steel gratings isn't worth the price, but in bad neighborhoods, the value does exceed the price.

Answer 2

It's a risk management thing, really. An attacker with a short window of opportunity (e.g. whilst you're out getting coffee) must be prevented at minimum cost to you as a user, in such a way that makes it non-trivial to bypass under tight time constraints.

Hitting WinKey+L or clicking the lock button is next-to-zero cost for you as a user. Taking the time to reboot the machine, load up a live CD and extract the data (e.g. documents, SAM database, etc.) is not a short process - it's at least a 10 minute job and the reboot alerts you to a potential problem. The cost for the attacker is significantly greater than the cost for the user.

It's also a great way to prevent the casual attacker - e.g. the journalist you leave in your office for 5 minutes whilst you take a work call. If they see your computer unlocked, with all its data immediately available, they may take the opportunity. If they see that it's locked, they won't bother. 99% of visitors do not come equipped with data exfiltration equipment!

Answer 3

Locking your computer prevents surreptitious snooping or alteration. If you don't lock, it is easy for someone to poke around inside your session in such a way that you will not notice it when you return to your machine.

The security benefit is real because there is a class of attacker who wants access without leaving any trace whatsoever. For that class of attacker, rebooting your machine and messing with your password are not options, unless that attacker is confident that he or she can restore your computer to very closely resemble the state in which you left it.

It is one thing for security to be compromised, and another for it to be compromised without a trace.

There is an analogy there with physical security. If you don't lock your doors and windows, then a thief can enter your house without leaving any trace of entry. The thief can steal something such that you do not even notice that it's missing until much later, perhaps months, if not years. One day it occurs to you, "Don't I own such and such a thing? Now where is it?" then waste time looking for something that, unbeknownst to you, was stolen long ago. Insurance people call this situation "mysterious disappearance".

If a thief does enter, it is better if there is evidence of forced entry.

Answer 4

"What's the point of locking a computer besides keeping the average coworker from messing with your stuff?"

By protecting your self from average coworker you've protected your self from largest subset of people who'd want to find something personal about you or do you harm.

Answer 5

In most environments where it is necessary to lock your computer, what you are protecting isn't on your computer, but on networked computers which you have access to through your credentials. So a quick boot using a CD doesn't directly give the attacker anything useful, it is just a single step. While you are right that ultimately this isn't a barrier to a determinined attacker, it is a barrier to a an opportunistic hacker.

Think of a bank teller computer -- if you are making a deposit and they were to walk away at the point of confirming your deposit amount it would be easy to go ahead and complete the transaction with 10,000 instead of 10 dollars. If the computer is locked, even after they reboot, they won't have the same access.

Answer 6

In addition to all the other answers, think about skill. If I come across an unattended, unlocked laptop, it takes no particular skill to send an email from that computer to the Company President; that email can range from prank to criminal activity. The other attacks you describe require a bit more skill.

Reinforcing what others have said, security is risk management. We need to compare work factor to deploy the control to the impact it has on the adversary's work factor. Locking the computer is very low work factor, but forces the attacker into an attack script that requires more time and skill.

Answer 7

1. It takes time to boot to a live CD
2. Modifying the hardware will attract attention whilst simply using someone else's PC won't
3. More people will attempt to use an unlocked PC then a locked one in the same way you're more likely to have your bike stolen without a bike lock than with an unlocked bike lock on it.

Answer 8

Security is not only about the document located on your computer. Without a proper authentication to the company, someone having access to your machine should not have access to your emails (unless stored locally) and can't access network resources with your name.

When we say that having physical access is like losing this machine, it also implies that the attacker have time to act. If the attacker does not have time, he can't possibly boot an offline password breaker to change your password, access your data and getting what he wants. Furthermore, the process is destructive and alarm will be given as soon as you find your account has been accessed.

An other scenario would be if the attacker want to get something that is not stored on the computer, for example your password for a given application (corporate or private). Physically breaking in is not an option, as he wants to remain stealth. Howerver, if you provide the attacker with a sufficient window of time to install a keylogger.

In term of risk, it is also more probable that someone will attack your unlocked session, rather to steal or break physically your machine. Thus, it is a good measure to lock your session whenever you leave your office/desk.

Answer 9

You can't ever make something completely secure and still make it accessible. Therefore, you can't ever prevent anyone from gaining access to your computer system. All you can do is make it harder for them to gain access. And in the case of locking your screen, a simple two-second stroke of the fingers can bring great inconvenience to someone wanting access. You effectively, exponentially increase the skill, cleverness, and knowledge required to gain that access.

Answer 10

I'm no security expert by any stretch - but this really just seems like common sense. The average criminal isn't an Eastern-bloc spy; they just want to pick the low-hanging fruit from a tree in someone else's yard. If you lock it up, you push the fruit to a higher branch.

Answer 11

Locking the workstation impedes anyone's attempt to accidentally peek into your documents, email or pictures. There is a difference between locking and making something hackproof!

Answer 12

Another commonly omitted aspect of locking your computer is dismissing others from liability. The principle is similar to why you avoid leaving your password written on a piece of paper on your desk. By not doing that you're not only protecting your privacy but you are also protecting others from getting accused of knowing it. Because you reduce the probability of that happening significantly.

Their intent doesn't have to be malicious either. Someone's computer might be broken and yours could be the only computer unlocked, so he could assume that as "available" and do his work on your machine and accidentally destroy all your work. Locking your computer saves them from the responsibility.

Of course a computer can be breached even when locked by advanced users similar to how someone can guess your password by just trying your cat's name. By locking your computer, however, you change the odds in both your and your colleagues'/roommates' favor.

Answer 13

Usually other people in your office are annoying gits - it doesn't always matter about security, it may just be something annoying - changing a wallpaper or similar!

... just see this for ideas - https://superuser.com/questions/275894/how-to-mess-up-a-pc-running-windows-7