28

Let's assume I have a Windows 10 computer and my login password has an entropy of infinity.

If I did not encrypt my entire hard-drive, does it matter how secure my password is? Is it possible for someone to plug the hard-drive into another computer as an external drive and simply read all its contents?

Thanks

anion
EML
  • 11
    It's absolutely not safe. Even if the hard-disk was formatted it would be possible to recover the deleted files. – Adamantios Marios Berzovitis Dec 11 '20 at 23:26
  • 6
    @AdamantiosMariosBerzovitis Please don't answer in comments. Thanks! – Asteroids With Wings Dec 12 '20 at 16:59
  • 5
    @AdamantiosMariosBerzovitis That depends; after a full format (overwriting every sector), recovery is impossible in any reasonable practical sense. After a quick format (only rewriting the partition table), sure. – marcelm Dec 12 '20 at 17:42
  • Just to mention: no, they don't even need to plug the hard drive into another computer. They can but they don't need to. They only need to start the computer with a USB that has a password clearing utility on it and they can remove your password in a few seconds. That probably shows how secure your password protection is :-) – Gábor Dec 14 '20 at 12:06
  • 1
    @marcelm: very far from it. Data recovery specialists do it all the time. There are even easily and cheaply available programs that do it for you. If you want to be perfectly sure, you need several passes with appropriately structured data. There are safe erasure programs that do that, but the process is rather slow, of course. The requirements have been decreased in the latest decade or so, older HDD technologies required 5 and 7 and even more passes to be sure, today it seems to be less than that but still, one pass erasure doesn't mean impossibility. – Gábor Dec 14 '20 at 12:17
  • 6
    @Gábor Can you provide a credible source for that claim? As far as I know, it's simply not true; see for example [Overwriting Hard Drive Data: The Great Wiping Controversy by Wright, Kleiman, and Sundhar](https://link.springer.com/chapter/10.1007%2F978-3-540-89862-7_21). That paper concludes that even using a magnetic force microscope, recovering data from a 1GB drive (so much larger bits than current drives) is not feasible. I sincerely doubt it is possible at all, never mind using "easily and cheaply available programs". – marcelm Dec 14 '20 at 15:39
  • Granted, the need for more than one pass has greatly reduced during the decades, as I mentioned. Still, just take a look at various countries' military standards of safe erasure. It keeps dropping but still is above one pass for most. – Gábor Dec 14 '20 at 17:04
  • @Gábor - the standards as written say that, but it has been impossible for many years now. Standards tend to be conservative and lagging. – Rory Alsop Dec 15 '20 at 08:38

5 Answers

62

> Is a password-protected stolen laptop safe?

No.

The immutable laws of security say:

> Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

It doesn't matter if your laptop is password-protected or not. As long as the disk is not encrypted by a state-of-the-art encryption algorithm, anyone can access your data.

> If I did not encrypt my entire hard-drive, does it matter how secure my password is?

No. Your data are safe if, and only if, the data are well encrypted. Password protection of an OS usually does not encrypt the disk (except on iOS, as far as I know). Consider using BitLocker (on Windows), FileVault (on macOS), or LUKS (on Linux).

> Is it possible for someone to plug the hard-drive into another computer as an external drive and simply read all its contents?

Yes, someone will do exactly this.

Whymarrh
anion
  • 41
    'Is it possible for someone to plug the hard-drive into another computer as an external drive and simply read all its contents?' - or even simpler, boot the laptop from a live usb iso, and proceed to read the contents of the drive. – mti2935 Dec 12 '20 at 03:10
  • 7
    @mti2935 That makes some assumptions about the UEFI security - specifically, that the firmware allows booting from removable media, or at least allows changing settings without a password - but on most machines one or both of those are true, and even if they aren't it's usually only a little more complicated to bypass. – CBHacking Dec 12 '20 at 09:42
  • 3
    I believe most modern Android implementations also encrypt the contents if you set a passcode. – SomeoneSomewhereSupportsMonica Dec 12 '20 at 11:27
  • 1
    _"As long as the disk is not encrypted by a state-of-the-art encryption algorithm"_ - Why does the encryption algorithm need to be state of the art [the most recent stage in the development of a product, incorporating the newest technology, ideas, and features]? – marcelm Dec 12 '20 at 17:44
  • 1
    Re: "'[...] does it matter how secure my password is?' No. Your data are safe if, and only if, the data are well encrypted": This isn't true; if the data are well encrypted, but the password is weak, then the data aren't safe. (I'm sure you realize this, but got tripped up in the wording somehow.) – ruakh Dec 12 '20 at 18:35
  • "*Password protection of an OS usually does not encrypt the disk (except on iOS, as far as I know)*" It's worth noting that most Linux distros have the option, and there are several (e.g. Pop!_OS) where this is enabled by default. – The Daleks Dec 12 '20 at 18:36
  • 20
    "Yes, someone will do exactly this." -- I'm not at all sure a single stolen laptop _will_ have that fate. I would find it far more likely that it would end up forgotten in some storage for lost items (if the finder is honest), or reinstalled and sold as used to some new unsuspecting user (if the finder is dishonest). That still doesn't make the data safe, though. – ilkkachu Dec 12 '20 at 20:54
  • 2
    Macs will also more-or-less [default to disk encryption on](https://www.jamf.com/jamf-nation/discussions/21900/filevault-enablement-dialog-in-setup-assistant-on-10-12-1) (there's a checkbox in the setup wizard, but it's checked by default), so that's another place where password protection of the OS is likely to enable disk encryption unless the feature is disabled. The OP here is using Windows though, but many Windows manufacturers also ship BitLocker on by default now. – Zach Lipton Dec 13 '20 at 05:18
  • 1
    Just FYI: Modern Android *always* encrypts the `/data` partition, and a screen lock password in turn encrypts the key. If you don't have the screen lock password, you have no access to the user data. – iBug Dec 13 '20 at 06:40
  • 2
    @ilkkachu - Agreed. The equipment required to harvest the data from a laptop drive is inexpensive but not free and the expertise needed to format a laptop is lower than that needed to extract data from the drive. Since most laptops are stolen opportunistically and ultimately end up being resold, it's more likely than not that your data *won't* be accessed. – Richard Dec 13 '20 at 10:10
  • @ruakh My interpretation is that if the key (or password, or whatever) is weak, then the data is not *well* encrypted. – Brian Drake Dec 13 '20 at 11:52
  • @Richard, getting the data out isn't that hard, but what to do with it then is also a question. A normal person isn't going to have very valuable trade secrets, and laptops of companies that do have such are _hopefully_ usually encrypted. I guess one chance is finding dirt on the previous owner and going for blackmail if you're into that, but it's probably more work to do without getting caught than just selling the damn machine. – ilkkachu Dec 13 '20 at 13:39
  • 3
    @ilkkachu - I would expect that the most likely reason to snoop is prurience. – Richard Dec 13 '20 at 13:58
  • @marcelm - I think that "state of the art" in this case doesn't necessarily mean "latest and greatest". As I understand, in cryptography RSA and AES are also considered "state of the art" because they're universal, well known and understood, well tested, ubiquitous, and without any known flaws. In this case "state of the art" might mean more like "all libraries up to date and all security patches applied". – Vilx- Dec 14 '20 at 10:39
  • "Yes, someone will do exactly this.". I'd add a caveat, that the hacker wouldn't be able "to read all contents", just the majority. IRC, some stuff will still be encrypted (like browser passwords), but that's a weak remedy if you really care about security. – Dan M. Dec 14 '20 at 15:24
  • Just a note that most Android phones (I'm using a Google Pixel) also have full disk encryption by default. – recolic Dec 15 '20 at 06:38
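
To check the BitLocker recommendation from the answer above on a Windows machine, the sketch below reports whether each volume is actually protected at rest. It is an added example, not part of the original answer or its comments; it assumes the built-in `Get-BitLockerVolume` cmdlet is available and that it is run from an elevated Windows PowerShell prompt.

```powershell
# Added example: report whether each volume is really protected by BitLocker.
# Get-BitLockerVolume requires an elevated (administrator) prompt.
Get-BitLockerVolume | ForEach-Object {
    # Collect the protector types (e.g. Tpm, TpmPin, RecoveryPassword) for display.
    $protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    $encrypted = $_.VolumeStatus -eq 'FullyEncrypted'
    $protected = $_.ProtectionStatus -eq 'On'

    $verdict = if ($encrypted -and $protected) {
        'Protected at rest'
    }
    elseif ($encrypted) {
        # Suspended protection leaves a clear key on the disk, so the
        # ciphertext can be unlocked without any credential.
        'Encrypted, but protection is OFF (suspended)'
    }
    elseif ($_.VolumeStatus -eq 'FullyDecrypted') {
        'NOT encrypted: readable from a live USB or another computer'
    }
    else {
        # Encryption or decryption still in progress, or paused.
        "In transition ($($_.VolumeStatus)): not fully protected yet"
    }

    [pscustomobject]@{
        Volume        = $_.MountPoint
        VolumeStatus  = $_.VolumeStatus
        Protection    = $_.ProtectionStatus
        PercentDone   = $_.EncryptionPercentage
        KeyProtectors = $protectors
        Verdict       = $verdict
    }
} | Format-Table -AutoSize -Wrap
```

A volume only counts as safe against the "plug the drive into another computer" scenario when both `VolumeStatus` is `FullyEncrypted` and `ProtectionStatus` is `On`.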
21

Just to add a very simple answer here, I regularly boot a Linux live CD/USB on friends' computers who have done something weird and need to recover files, and simply copy them over to an external hard disk. This is standard procedure, nothing 'hacky' about it.

So no, if someone was left alone with your computer, a Windows password is trivial protection against accessing files on the computer. All they'd have to do is carry a Linux USB with them and boot from it¹; the whole process would take, like, 1 minute.


1. assuming the typical non-technical-user scenario where no further protections (e.g. a bios password) are in place

  • 2
    I've done this to retrieve my roommate's software engineering project from a laptop after the hard drive malfunctioned and some OS files got corrupted. No password was required. (Thankfully for my roommate, the project files were not corrupted.) – Andrew Ray Dec 14 '20 at 20:02
  • 2
    I just wanted to add that even some BIOS passwords aren't safe - it turns out there are online code generators that you supply the 'error message', it supplies you BIOS passwords. Guess how I learned that? – J.Hirsch Dec 14 '20 at 22:20
  • 1
    @J.Hirsch I wanna know. How? – Hashim Aziz Dec 14 '20 at 23:33
  • 1
    Just pick the harddisk, and plug it into another computer by USB. BIOS password does nothing in this situation. – recolic Dec 15 '20 at 06:40
12

As anion's answer points out, the data on your hard disk is generally not safe under the system you described. However, Windows does offer several encryption methods beyond just BitLocker, and they might be helping you out already.

  • Encrypting File System (EFS) is a way to transparently encrypt file contents (though not the metadata, like file names or sizes) such that they can only be decrypted by authorized Windows users. Assuming the files hadn't been shared with any other users on the same machine (or domain) whose passwords were crackable, the contents of those files would be safe. However, EFS is only available on the higher Windows editions (Pro, Enterprise, Server, etc.). Additionally, it is rarely used unless the user manually enables it (software can enable it but very rarely does so).
  • Data Protection API (DPAPI) is a way to encrypt arbitrary blobs of data (which can then be written to a file, registry key, database, etc.) so that they can only be decrypted by either the user who encrypted them, or by any user on the machine that encrypted them (typically, the user-specific form is used). DPAPI is available on all editions of Windows, and - possibly for that reason - is reasonably commonly used by software that wants to store sensitive data. For example, Chrome encrypts your site data (cookies, passwords, etc.) using DPAPI. Windows itself also uses DPAPI for some data, including the built-in password storage (used in Edge and IE) and to protect private keys in the certificate manager (even if you don't explicitly put passwords on those keys).

Both DPAPI and EFS use encryption keys protected by the user's password. This means that an attacker can't learn those encryption keys without breaking the password. Normally breaking Windows passwords is relatively easy - the hashing function used is decades out of date and not even used in a very secure way - but a sufficiently long and random password is still de facto uncrackable. Similarly, the encryption algorithms used with DPAPI and EFS aren't the latest, but they're secure enough that it would be very surprising if even the NSA could break them (either by cryptanalysis or by brute-forcing the key).

Note that it's quite easy, if you have access to a computer's unencrypted hard drive, to overwrite any user's password. However, if you do this, it becomes impossible to ever recover either the DPAPI or EFS keys, so any data protected using either feature is lost forever (unless the keys and/or data were backed up elsewhere).


So... you're still in major trouble. All your unencrypted files (pictures, documents, any local emails or chat logs or whatever) will be exposed. However, the attacker will probably not be able to see passwords that Windows or Chrome (or some other browsers) were storing for you, or use your saved browser cookies, so you're more likely to be safe against an attacker compromising your online accounts. Some especially security-conscious desktop software might also have protected its files, especially if your Windows edition supported EFS.

CBHacking
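
The user-scoped DPAPI protection described in the answer above can be observed directly. The following is an added example, not code from the original answer: it assumes Windows PowerShell 5.1, uses the .NET `ProtectedData` class (a wrapper around DPAPI), and works on a constructed sample secret and a hypothetical file name under `%TEMP%`.

```powershell
# Added example: DPAPI round trip with per-user scope (Windows PowerShell 5.1).
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$sample = 'constructed-sample-cookie-value'   # constructed test value, not real data
$secret = [System.Text.Encoding]::UTF8.GetBytes($sample)

# Protect: the result is an opaque blob bound to the current user's DPAPI
# master key, which Windows in turn protects with that user's logon password.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)

# Store it the way an application would (hypothetical demo file).
$path = Join-Path $env:TEMP 'dpapi-demo.bin'
[System.IO.File]::WriteAllBytes($path, $blob)

# What someone reading the raw disk gets: the blob's bytes, not the plaintext.
$onDisk = [System.IO.File]::ReadAllBytes($path)
$asText = [System.Text.Encoding]::UTF8.GetString($onDisk)
'Plaintext visible in file: {0}' -f $asText.Contains($sample)

# Same user, normal logon: decryption succeeds transparently.
try {
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($onDisk, $null, $scope)
    'Unprotect as {0}: {1}' -f $env:USERNAME, [System.Text.Encoding]::UTF8.GetString($plain)
}
catch [System.Security.Cryptography.CryptographicException] {
    # Reached when the blob is opened under a different account, or after the
    # owner's password was forcibly overwritten: the master key is unavailable.
    'Unprotect failed: {0}' -f $_.Exception.Message
}
finally {
    Remove-Item $path -ErrorAction SilentlyContinue
}
```

Copying `dpapi-demo.bin` to another account or machine and calling `Unprotect` there ends in the `catch` branch, which is the property that keeps browser-stored passwords unreadable on an otherwise unencrypted disk.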
2

> Is it possible for someone to plug the hard-drive into another computer as an external drive and simply read all its contents?

Yes.

It is irrelevant what operating system (or lack of) was installed on that drive. It is irrelevant what passwords (or lack of) were used. It is even irrelevant whether the drive is encrypted – although that may determine whether its contents are of any use to anyone else (see clarification below).

This question is full of distractions, which might be why you couldn’t answer it yourself, even though the answer should be blindingly obvious.


Clarification about encryption: Encryption simply means replacing the data you want to keep safe (the “plaintext”) with a different set of data (the “ciphertext”), where a person looking at the ciphertext cannot easily tell what the plaintext is.

It looks like the term “contents” is ambiguous here: it could refer to the plaintext or the ciphertext. But from your wording (“If I did not encrypt my entire hard-drive”), I assume you are referring to encryption implemented in software running on the CPU, not the drive itself. In this case, if the drive is encrypted, then the drive never sees the plaintext, so I would say that the drive’s contents are ciphertext.

With this interpretation, it is correct to say that encryption is irrelevant to how easily the drive’s contents can be read. It may be relevant to how easily the plaintext can be recovered (depending on whether you did the encryption right).

Brian Drake
  • 1
    "It is even irrelevant whether the drive is encrypted" -- irrelevant to read the drive's contents? Can you explain that comment? – schroeder Dec 13 '20 at 20:10
  • @schroeder I have added an explanation to my answer. – Brian Drake Dec 14 '20 at 00:23
  • 1
    You can read the contents of the drive without problem. If the contents are encrypted, then they aren't useful to an attacker. – gnasher729 Dec 14 '20 at 16:54
  • @gnasher729 It might be useful as a source of white noise. On a more serious note, it might also be useful if it was *poorly* encrypted. That's why I said "depending on whether you did the encryption right". – Brian Drake Dec 15 '20 at 13:59
0

The other answers already cover it. But there is an even easier way to get into your laptop if I stole it. Just boot up KonBoot and it will bypass all authentication mechanisms and I can set a new password for the user of my choice to whatever I want and then use your laptop the normal way.

CShark
  • 1
    Will this also give you access to encrypted content like passwords and cookies stored in browsers? (These are considered safe in OP's scenario as they are encrypted by the user login according to comments on the top answer.) – dreua Dec 14 '20 at 17:38
  • Are you referring to [this not-very-convincing comment by Dan M.](https://security.stackexchange.com/questions/242029/is-a-password-protected-stolen-laptop-safe/242078?noredirect=1#comment497888_242030): "IRC, some stuff will still be encrypted (like browser passwords)"? As far as I know, only Internet Explorer/Edge uses the secure storage provided by Windows. I'm sure that Firefox doesn't, since I've read about it using its own files and it has its own "master/primary password". I think I read that Chrome doesn't either. Even the Microsoft browsers don't encrypt cookies, do they? – Brian Drake Dec 15 '20 at 13:57
  • Chrome does indeed use the Windows function "CryptProtectData", which uses your Windows password (https://superuser.com/questions/146742/how-does-google-chrome-store-passwords). And it also encrypts cookies (but stores the encryption key in the localState file - sans user password I think, https://stackoverflow.com/questions/60416350/chrome-80-how-to-decode-cookies). – CShark Dec 16 '20 at 08:14