Why is autologon in Windows 7 a security risk

9

If I set my Windows 7 account to automatically logon so I don't have to type a password, and I don't have to click my username on the logon screen, I heard it's a security risk.

From Windows 7 Auto Login:

Although I don’t personally recommend this, there are some people out there who don’t want to bother with using a password to protect their Windows user account. Of course, using a password in Windows isn’t required, only suggested. But even if you don’t fill one in, you still have to click your user icon to start the login process.

An easier way - although again much less secure - is to enable auto-logins for your Windows PC. This is possible in Windows 7, as it was in prior versions, but it takes a little finagling to do so. (And for good reason, darn it.)

What is risky about it besides people being able to logon locally? Does it make it easier for hackers to logon remotely?

Phenom

Posted 2009-11-30T03:55:43.507

Reputation: 6 119

7 This is sort of like asking 'what's the risk of jay-walking besides being flattened by a motor vehicle?' – pavium – 2009-11-30T04:10:28.740

No, it's like asking "what are the risks of jay-walking besides other cars." – Phenom – 2009-11-30T09:38:20.013

Answers

11

That's the security risk it is referring to - anyone who obtains physical access to the machine is able to log on and access any of your data. If your computer is in a safe place and that isn't an issue for you, there's no need to worry about it!

John T

Posted 2009-11-30T03:55:43.507

Reputation: 149 037

5 Technically, if someone had physical access to your computer and they really wanted your data, they could get it without knowing your password. But by that time you have bigger things to worry about. – Sasha Chedygov – 2009-11-30T04:10:55.837

1 Sure they can get my data and all, doesn't mean they will be able to read any of it. Encryption is king. – John T – 2009-11-30T04:19:00.833

If it's encrypted, then it's a different issue (since they still need a password, they just put it in earlier). – Brendan Long – 2009-11-30T07:20:34.377

My point was that if a complete stranger has physical access to your computer, your password is the thing you should be least worried about. ;) – Sasha Chedygov – 2009-12-24T07:18:52.083

4

No, remote hackers won't be able to do anything more than they otherwise could. The risk is only local, as you already mentioned.

If your computer is on your desk at home and you know who is around, then use autologin.

If it's a laptop and/or work computer then don't use autologin.

Torben Gundtofte-Bruun

Posted 2009-11-30T03:55:43.507

Reputation: 16 308

1

The #1 security risk for companies is insiders. Often it is dissatisfied employees. Let's think of you personally as a company. Ever had a friend go to the dark side and start abusing you in some way? Why wouldn't that person wreck your computer or steal your data?

Now, to the thought that your data being encrypted is security: from inside your computer, as a legitimate user, it's not encrypted. That's why you can use it.

So, let's walk through the steps of how you might get hacked:

1. I decide I hate you.
2. I am nice to you so you won't cut me off.
3. I log on and change your password. You'll never know, because you don't use it anyway.
4. I remote into your computer as you.
5. Now I can do evil things to you to my heart's content...

So, yes! I'm saying that you are taking a risk.

Neal Wilhite

Posted 2009-11-30T03:55:43.507

Reputation: 1

1

Aside from the obvious risk that someone can walk up to your computer and use it, there is another minor security risk. When you set autologon, your password is now on the computer. It is encrypted and theoretically safe, but there's always a chance that it can be discovered.

Steve Rowe

Posted 2009-11-30T03:55:43.507

Reputation: 3 729

The password is already on the computer. If it wasn't, the computer wouldn't be able to check if it's correct. I assumed Windows just had an "auto-login" flag, but I guess having an unencrypted file with the password in it would work too... :-\ – Brendan Long – 2009-11-30T07:23:52.827

@Brendan Long: There are ways to store a "password" on a computer so that it can not be recovered without brute-force attacking it. This is different from the ways that, say, your browser stores passwords for your favourite websites, where the cleartext of the password is needed. – Mr. Shiny and New 安宇 – 2009-11-30T14:11:57.220
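The last answer and its comments turn on where autologon actually keeps the password. The following PowerShell script is an added example, not code posted by anyone in this thread: it reads the Winlogon registry key that Windows uses for autologon and reports whether autologon is on and whether a `DefaultPassword` value is present in clear text (which is what you get when autologon is configured by hand through the registry), as opposed to the LSA-secret storage used by Sysinternals Autologon, which this script cannot read. The `-Disable` switch and the script layout are my own; the registry path and value names are the ones Windows uses.

```powershell
<#
Added example (not from the original thread): audit whether Windows autologon is
configured and whether the password sits in the registry in clear text.
Run from an elevated PowerShell prompt on Windows 7 or later.
#>
param(
    [switch]$Disable   # turn autologon off instead of only reporting on it (hypothetical switch name)
)

# Winlogon reads autologon settings from this key. The key is readable by any
# local user account, so a clear-text DefaultPassword here is not a secret at all.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props = Get-ItemProperty -Path $winlogon

# AutoAdminLogon is a REG_SZ holding "1" when autologon is enabled.
$enabled = ($props.AutoAdminLogon -eq '1')
Write-Host ('AutoAdminLogon  : {0}' -f $(if ($enabled) { 'ENABLED' } else { 'disabled' }))
Write-Host ('DefaultUserName : {0}' -f $props.DefaultUserName)
Write-Host ('DefaultDomainName: {0}' -f $props.DefaultDomainName)

if ($null -ne $props.DefaultPassword) {
    # Configuring autologon by hand (regedit) stores the password here in clear text.
    # Only the length is printed so the value does not end up in a console log.
    Write-Warning ('DefaultPassword is stored in CLEAR TEXT in the registry ({0} characters).' -f `
        $props.DefaultPassword.Length)
}
elseif ($enabled) {
    # Sysinternals Autologon stores the password as the LSA secret
    # HKLM\SECURITY\Policy\Secrets\DefaultPassword instead. That hive is readable
    # only by SYSTEM, so this script cannot show it; anything running as SYSTEM
    # on the box can recover it, so it is obscured rather than protected.
    Write-Warning 'Autologon is enabled with no clear-text DefaultPassword; the password is most likely stored as an LSA secret (Sysinternals Autologon).'
}
else {
    Write-Host 'Autologon is not configured on this machine.'
}

if ($Disable) {
    # Turn autologon off and remove the clear-text value if it exists.
    Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    Write-Host 'AutoAdminLogon set to 0 and DefaultPassword removed.'
    Write-Host 'If autologon was set up with Sysinternals Autologon, also use its Disable button to clear the LSA secret.'
}
```

Run it as `.\Check-Autologon.ps1` to audit, or `.\Check-Autologon.ps1 -Disable` to turn autologon off. The practical point for the thread: whichever storage method was used, the machine must be able to recover the actual password at boot to log you on, so it is held in a reversible form, not as a hash like the one the SAM uses to verify a typed password.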