How safe is locking the screen?

So, both windows and linux have a pretty useful feature that allows you to leave everything running on the PC while also keeping invaders away by locking the screen. My question is:
Say I leave my laptop with the screen locked while I go get a donnut, and then it gets stolen. Assuming the thief has access to whatever software he needs, how easy/hard would it be for him to access my (currently logged-in) account?

Now let me be clear. I'm not asking if he can access the data on the harddrive. I know he can, and that issue would go under data encryption, which is not my question here. I'm focusing on how hard would it be to get around the "Insert Password" screen, and have full access to my account.

I'm looking for answers regarding both OS's; but, if needed, assume Ubuntu.

Thank you.

Malabarba

Posted 2010-04-15T18:25:35.887

Reputation: 7 588

23You should probably keep a deep fryer and neccesary donut ingredients by your desk. – mindless.panda – 2010-04-15T19:09:14.237

2That's not linux that's locking your screen, it's the X Window System. – mpez0 – 2010-04-16T16:30:43.060

NO ! On Ubuntu 12.04 LTS I'm experimenting the following: while on my right screen there is the input box asking for my password, on my left screen I can interact with many of the applications. Some actions seems to have no effect but I can for example launch or close applications, move files and consult my e-mails (Gmail). Although it's probably related to the bad support of my graphic card, how this can allow me to interact with elements supposed to be "under" the locked session?? So, definitely NO, I wont consider the Ubuntu (& possibly others) way of locking the screen being "safe enough". – Pierre – 2013-08-15T14:59:55.193

Answers

The answer is probably "safe enough" and I would be more concerned about being without my laptop and having to buy a new one than having my data stolen.

Both operating systems are waiting for the password to be typed in and, as far as I know, there is no way of automating this process. You are therefore back to the normal safe password practices - so don't have the password written on a post-it note attached to the laptop's screen.

Also consider who is going to steal the laptop. Are you some mega-important government employee with extremely important information that a foreign government would pay millions for and use a team of highly trained spies to get, or is your laptop going to be stolen by some kid looking for a bit of beer (or other intoxicating substance) money?

Once someone sees the password prompt I would imagine that the chances are that they will just install a pirated copy of Windows over the top of your stuff anyway - that would be far easier and quicker than going to the trouble of cracking the password.

Neal

Posted 2010-04-15T18:25:35.887

Reputation: 8 447

Indeed, I don't expect my laptop to be stolen by some super secret inteligence agency. That's why I wanted to know how easy it is, to understand what are the chances of a specialized laptop thief knowing the procedure. – Malabarba – 2010-04-15T20:59:30.527

9Intel agencies wouldn't likely steal your laptop. If you were a target for collection, they would send a secret agent to gain your confidence (yes, she would look a lot like Jennifer Garner) and after a month or so when you've given her your password (remember, she looks a lot like Jennifer Garner) she'll plant all kinds of stuff on your laptop. Then a week or 2 later she'll tell you how her "cat died" and she "needs some time" and you'll be left thinking it was good while it lasted. So if you're ever approached by somebody that looks a lot like Jennifer Garner while buying a donut... – Joe Internet – 2010-04-15T22:38:27.097

If you are dissatisfied with the default X screensaver, you can get others or write your own. You can make unlocking as complex (or simple) as you wish, and as secure as you can program. Of course, with physical access to the machine, you won't be able to prevent reboots. But you mention that in the question. – mpez0 – 2010-04-16T16:33:45.737

@Joe Internet: Hahaha, nice. But that would be kinda moot in my case. My long time girlfriend doesn't know the pass to my laptop, and I don't suppose she will. I know hers, though, because I do too much support on her laptop to ask her to input her password every time. – Greg – 2010-12-09T11:26:31.233

@Greg - I bet you'd tell Jennifer Garner though ;-) – Joe Taylor – 2010-12-09T12:44:35.597

@Joe Taylor: Nah, not really. Kate Beckinsale or Jessica Alba, on the other hand, might persuade me... – Greg – 2010-12-09T15:07:51.700

I doubt any government would allow EXTREMELY important and sensitive data worth millions to leave the office, let alone have an employee take it to the local Starbucks on a laptop with no extra security other than a simple windows password. At the very least they'd have a bodyguard accompany the carrier, one who wouldn't ever leave the laptop alone. – Nzall – 2014-01-20T10:50:59.413

Anyone with access to the computer can crack the password file, but it gets even scarier than that. If the thief is familiar with the cold boot attack, even data that's encrypted on-disk is not safe, because the contents of RAM can be read (including any in-memory decryption keys)--even after the RAM is physically removed from the machine and installed in a different computer.

Theoretically, the thief could get a memory dump and image your hard drive, then load both into another identical machine and see what you were working on behind the locked screen--and you wouldn't even know because your computer would still be at your desk.

But, as Neal mentioned, you're probably safe, because most people with physical access to your computer either don't have the know-how or aren't that interested in what's on your computer.

rob

Posted 2010-04-15T18:25:35.887

Reputation: 13 188

Yeah, I know even encryption isn't fail safe. But I'm curious to whether it's possible to crack my regular windows or ubuntu password without turning off the PC (and thus ending my sessions). – Malabarba – 2010-04-15T21:03:07.290

@rob - Well, somebody would probably suspect something if they returned to their desk and found their computer disassembled and the memory & hard drive missing... – Joe Internet – 2010-04-15T22:29:25.510

1@Joe: to clarify, the data thief would reassemble the PC after copying the contents of the RAM and hard drive. One thing I didn't think of was the fact that the computer would have to be rebooted after being reassembled (since the CPU couldn't be kept in the "locked desktop" state), but the thief could cover his tracks by swapping in a dead battery and pulling the power cord out of the back of the laptop just enough for Mr. Connors to think the laptop had simply come unplugged by accident and was already running on battery before he went to get his donut. – rob – 2010-04-15T23:35:35.377

1No way, amigo... Mr. Connors, being a savvy laptop user, has in all likelihood placed hidden donut crumbs in the laptop to show if it's been tampered with. The best solution here is to rig a cup of coffee as a self-destruct device. Unless, of course, the thief likes coffee... – Joe Internet – 2010-04-16T01:45:43.160

I believe if i plug in my wireless receiver for my KB/Mouse, it automatically loads the drivers to make my KB/Mouse work, even while my screen is locked. So theoretically, someone can plug in an USB device that emulates typing on the keyboard and try a brute force attack on such a device. But then it just relies on the security of your password.

Roy Rico

Posted 2010-04-15T18:25:35.887

Reputation: 4 808

I kinda remember an older version of Windows having this issue, with autorun and CD's. – invert – 2010-04-16T11:12:06.920

I think any modern OS will rate limit password attempts - ie it will make you wait a second between password attempts, and the wait may well get longer if you keep having incorrect password attempts. So brute force can't actually try that much. – Hamish Downer – 2010-06-24T21:53:11.770

Two words: Buffer Overflow – Chad Harrison – 2011-11-04T20:15:18.767

If the hard drive can be accessed, that means password file/stores can be accessed. At the very least an attacker could brute force it using the password file and a cracker. Perhaps others can provide information on OS specific vulnerabilities in this scenario.

mindless.panda

Posted 2010-04-15T18:25:35.887

Reputation: 6 642

3Or could reboot using a livecd and insert a known hash of a password into the /etc/passwd file or chroot and change root's password.. – warren – 2010-04-15T18:33:13.423

2@warren: reboot would imply ending the currently running session. The actual question was about someone accessing the session I left open. – Malabarba – 2010-04-15T20:59:48.967

In terms of getting into your account, it's really no different than logging out/shutting down. The only difference is that in order to brute force their way in, they only need your password, rather than a username + password combo, so that makes it technically easier to break into.

th3dude

Posted 2010-04-15T18:25:35.887

Reputation: 9 189

How would you brute force from a login screen? you'd have to have a program that auto-runs somehow, then tries to brute force (or do it manually which seems inefficient. – Kravlin – 2010-04-15T18:52:51.963

In basic terms I do mean manually (such as a coworker that knows you well and may be able to guess your password). In terms of higher tech hacks with more time to kill, we can talk about using a live CD to boot and use different apps to brute force. Specifically in this case, I'm talking about the former, since the OP specifically said 'when I run out for a donut'. – th3dude – 2010-04-15T19:03:13.700

Figuring out the username is not hard C:\Users\HereItIs – dbkk101 – 2010-05-01T06:06:15.853

As far as I know, there is no way to get around the locked screens in Ubuntu or Windows 7.

However, all they would have to do is shut down the computer, take out the hard drive and connect it to their computer, replace the password file, put the hard drive back in, turn on the computer, and log in with the new password (or use a live CD to do the same). No brute forcing would even be necessary.

For getting access to the session at the time of locking, I don't think that is easily possible.

Zifre

Posted 2010-04-15T18:25:35.887

Reputation: 1 390

On Linux at least, if an attacker were able to get shell access on the computer, either under your user account or the root account, (s)he could kill the screensaver process, which would unlock the desktop. Of course, that still requires the attacker to guess your login credentials somehow, so it doesn't really reduce security that much. Just don't leave yourself logged in on virtual terminals. (Of course, if an attacker could exploit some software bug to get that shell access without actually logging in, you know what happens...)

David Z

Posted 2010-04-15T18:25:35.887

Reputation: 5 688

If he is running Windows XP then yes, if he has a firewire port an attacker can get direct access to this system while it remains on the desk without requiring any login account or password. I understand this was fixed in a late service pack and that Win 7 is not vulnerable, however I can't confirm that.

Basically firewire was designed to have direct memory access, and security wasn't really considered :-)

When an attacker steals the laptop itself, you are pretty much at the mercy of the attacker. If you work for a corporate, and they are a common thief looking for quick money it may be worth their while selling the laptop to a criminal group, who may be motivated to break in. This is likely to be simple, and as the machine is already on, you don't have the protection of any full disk encryption you may have installed.

So it comes down to the attacker's motivation.

My advice - kryptonite locks (to slow them down), physical security (locks, security at front desk) or if you don't have those, just take the laptop with you.

Rory Alsop

Posted 2010-04-15T18:25:35.887

Reputation: 3 168

The attacker can review the source code for your various input device drivers and exploit any bugs by connecting a device. For example, there may be a certain sequence of bits that will cause a buffer overrun in the parallel port driver, then the attacker could hook up to that port and send those bits, followed by bits to kill your screensaver. This isn't likely or easy, but it's possible.

Or they could just connect a device to ps/2 or usb to send passwords. like Roy says. This won't work for an attack on a windows pc joined to a domain, because he'll have to reboot the computer after locking the account out (if the domain has that policy). But for Ubuntu it would be possible under the default configuration.

Segfault

Posted 2010-04-15T18:25:35.887

Reputation: 413