A Windows Account Password will NOT protect your Files and System

I wanted to make you aware of a huge security hole in MS Windows that I found while using Linux. Well, maybe not Windows directly but a combination of BIOS and access to Windows and user files in default library locations.

I have Windows 10 with a password to log in. At one time I thought that also prevented people from accessing my files as well. I was WRONG!

After installing Linux on an external USB drive, I was working on some things and wanted to use a file that was on my Windows drive. So, I opened the file manager in Linux, clicked on my Windows disc and there it was, ALL of my files and folders, including system folders. Here are some screenshots:

I could have changed deleted and did what I wanted with the whole system, even delete it completely. So, that log in password is only good for logging in via Windows. It offers absolutely NO protection whatsoever from people using other OSs to explore the Windows disc or partition. Considering that anyone can take their Linux system to any machine, and boot it up, all systems could be infiltrated this way. I suppose there is a BIOS setting that might do something to prevent users accessing the BIOS boot options. Nevertheless, it is a huge security hole.

It would seem that the only way to protect your data is to have it only on external drives that can be removed.

You’re a hacker, Harry!

This is what makes disk encryption so important. If you care about your data integrity, make sure you’re encrypting, even your backups. Windows actually has one of the more robust options in Bitdefender.

1 Like

Well, I might have been a hacker had I had to hack the password, but as the system is wide open to a standard file manager, I guess I was merely a visitor passing through. No hacker tools needed.

I have Bitdefender on my Win disc. The thing is, there must be more people ignorant to encryption and safe storage than those who know a thing or two about them.

The point here is that Microsoft have users use an account password and UAC, giving a false sense of security. There are no warnings that data is open to non-Windows systems.

While this security hole might not affect individual PCs at home, it could be embarrassing for employees if their boss discovers the boot menu and finds dodgy files on company property. A competitor business could have an infiltrator boot up onto critical systems and create a huge mess or steal secret info.

The user login password does not protect your files. It only protects you from someone logging into your user account to gain access to Windows. In fact, you can remove the hard drive currently in your computer, plug it into another computer and the other computer will be able to read/write to the same files.

Ah, a multi-system issue, then. Nothing is safe. Well, if people use the Windows file manager, they cannot, without tools. see Linux partitions. Not sure about IOS.
[EDIT] Another Linux system will do the trick.

Yes, and because they cannot log on, it might be assumed that they also cannot get to any data as well.

A live distro on a USB drive is always in a hacker’s tool belt, and this is one reason why. Sometimes, gaining access to a file is as simple as booting from a different drive.

Account passwords are an important way to manage system access, but I don’t think they’ve ever been advertised as a way to keep your files safe. Encryption is widely understood to be standard practice, so any IT worker worth their weight in dirt is going to have it implemented. Restricting physical access is also an important part of information security, too. This is all very well known.

Thing is, though, that this isn’t a huge deal. In terms of real-world danger, you’re much more likely to be phished than have your computer physically compromised. If you’re seriously concerned about your data, then you’ll need to encrypt it. However, you’ll need to do much more to be secure. Do you use cloud services? Are you checking whether or not the sites you visit are hosted securely? Are you encrypting your emails? Are you careful about clicking links in emails? Are you using a VPN to mask your network activity from prying eyes? Do you stop yourself from oversharing on social networks? How easy are you to find online? Do you encrypt your backups? Do you degauss and then physically shred your hard drives before throwing them away? There are probably 10 ways your compromise your own security every day.

It goes much deeper than I thought. Thank you for your detailed reply. If I am to be branded a hacker, it was to hack myself and try to help others realise something they might not know.

Well, I’d expect that most computer users are not IT staff and perhaps don’t even know what UAC is. So they might think the log in password to an admin account is enough. I wasn’t suggesting that log in passwords were promoted for file safety, as a ‘false sense of security’ is a perception. Small companies might not even have an IT person at all. Besides, it’s like locking the front door to the house, but not realising the back windows were left open. That secure house is not as secure as it was thought to be.

I try to avoid cloud services, rarely use Facebook and have not used Twitter at all for several years. I have to use a VPN to access those things anyway.

Thanks again.