Passwords – a false sense of security

In the article “- Urovekkende passordbruk” (“Worrying password habits”) in the Norwegian newspaper Aftenposten.no, journalist Christine Jensen reports on a survey by Visendi showing that only 9.4 % change their password on a monthly basis. The survey was commissioned by Microsoft Norway, and in a comment on the results, Chief Security Officer Ole Tom Seierstad says that password protection is especially important during the summer, when people tend to bring their laptops on vacation. According to Mr. Seierstad, the threat of computer crime is greatly increased during this period, and password protection is “one of the easiest and most efficient ways of protecting your data.”

The Microsoft CSO is right that a password is easy to use, but the protection a Windows logon password gives the data on the machine is minimal at best. Password-protecting your Windows account does nothing to protect the files stored on the computer: the logon password encrypts nothing. It is only a “locked door” in front of that one operating system. The data still sits on the hard drive in the clear, and anyone with physical access to the computer can read it by booting (restarting the computer) into a different operating system (e.g. one on a CD, a floppy disk or a USB memory stick), or by moving the hard drive into a different computer.

While the latter takes a bit of time and technical knowledge, booting a computer into a different operating system is fast, easy, and well documented online (live CDs such as Helix, the Ophcrack LiveCD or BackTrack, for example). Mr. Ove Skåra, Chief Information Officer of the Norwegian Data Inspectorate, puts it this way: “A password doesn’t help much if the computer is stolen and reaches a person with just above average knowledge of computer technology.” Or, as I would say: a bit of imagination and access to the Internet.

Not only does the Windows logon provide minimal data security; the format in which Windows XP stores your password by default, the LAN Manager (LM) hash, is highly insecure. The LM hash throws away the case of the password, splits it into two 7-character halves and hashes each half separately with DES, without any salt. An attacker therefore faces two independent 7-character problems rather than one long password, and can look the hashes up in precomputed tables. This makes it simple to crack these passwords in minutes and, with the password in hand, take full control of the exposed computer, including over the network where remote logon is enabled. Ophcrack is just one of many freely available Windows password crackers that recover passwords stored in this default format in mere minutes. (Not convinced? Download the program and the required rainbow tables and try it out on your own computer. Note: cracking other people’s passwords without their consent is illegal! Don’t do it.)
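To make the weakness concrete, here is an added example (written for this page, not code from Ophcrack or any other tool mentioned above) that computes an LM hash exactly as described: uppercase, pad to 14 bytes, split into two 7-byte halves, and DES-encrypt the fixed string “KGS!@#$%” under each half. The example assumes ASCII passwords (the real LM algorithm uppercases in the OEM code page) and uses Go’s standard `crypto/des`. It also shows the leak that an attacker gets for free: if the second half of the hash equals the hash of seven null bytes, the password is seven characters or shorter.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the constant plaintext every password half encrypts. Because it
// never changes and there is no salt, equal halves always give equal hash
// halves, which is what makes precomputed rainbow tables work.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is the LM hash of seven null bytes. A password of 7 characters or
// fewer leaves the second half null-padded, so its hash ends in this value.
const EmptyHalf = "aad3b435b51404ee"

// desKeyFrom7 spreads 7 key bytes (56 bits) over the 8 bytes DES expects,
// putting an (ignored) parity bit in the low bit of each byte.
func desKeyFrom7(b []byte) []byte {
	k := make([]byte, 8)
	k[0] = b[0] >> 1
	k[1] = (b[0]&0x01)<<6 | b[1]>>2
	k[2] = (b[1]&0x03)<<5 | b[2]>>3
	k[3] = (b[2]&0x07)<<4 | b[3]>>4
	k[4] = (b[3]&0x0f)<<3 | b[4]>>5
	k[5] = (b[4]&0x1f)<<2 | b[5]>>6
	k[6] = (b[5]&0x3f)<<1 | b[6]>>7
	k[7] = b[6] & 0x7f
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf hashes one 7-byte half: DES-encrypt lmMagic with the half as the key.
func lmHalf(half []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // only possible with a wrong key length, which cannot happen here
	}
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the LAN Manager hash of password as 32 lowercase hex chars.
func LMHash(password string) string {
	// 1. Case is discarded, so "Password" and "PASSWORD" hash identically.
	p := []byte(strings.ToUpper(password))
	// 2. Only the first 14 bytes count; shorter passwords are null-padded.
	buf := make([]byte, 14)
	copy(buf, p)
	// 3. Each 7-byte half is hashed on its own, independent of the other.
	h := append(lmHalf(buf[:7]), lmHalf(buf[7:])...)
	return hex.EncodeToString(h)
}

// SecondHalfEmpty reports whether an LM hash reveals a password of at most
// 7 characters, which an attacker sees before cracking anything.
func SecondHalfEmpty(lmHex string) bool {
	return len(lmHex) == 32 && lmHex[16:] == EmptyHalf
}

func main() {
	// Constructed sample passwords for illustration only.
	for _, pw := range []string{"", "password", "PASSWORD", "Sommer07", "abcdefgXYZ"} {
		h := LMHash(pw)
		fmt.Printf("%-12q %s  short=%v\n", pw, h, SecondHalfEmpty(h))
	}
}
```

Run it and compare the lines for “password” and “PASSWORD”: they are identical, and “abcdefgXYZ” shares its first 16 hex characters with any other password starting with “abcdefg”, so the two halves can be attacked separately. A password of 15 characters or more gets no LM hash at all, which is one of the reasons long passphrases are recommended on XP.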

The best way to secure your data from unauthorized access is to encrypt it properly. Encryption is a process in which the original text, the plaintext, is transformed into ciphertext, which cannot be read without the key. The data is stored on disk only in its ciphertext form and is made readable again, decrypted, only when an authorized user (i.e. you, the owner, or someone you authorize) requests it and supplies the right key, which in practice is usually derived from a password.

Encryption is usually password based and thus still depends on the strength of the password, but the encrypted data is no longer stored on the hard drive as plaintext, and so it is out of reach of someone who cannot guess the password, no matter how the disk is read.
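The following is an added example, not code from PGP, GnuPG, TrueCrypt or any other product mentioned on this page, of what password-based encryption of a file looks like in practice: the password is stretched into a key with PBKDF2-HMAC-SHA256 (a random salt and a high iteration count make guessing slow and rule out precomputed tables), and the data is encrypted with AES-256-GCM, which also detects tampering. It assumes Go’s standard library only, an output layout of salt || nonce || ciphertext chosen here for illustration, and an iteration count of 100000 picked for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32      // AES-256
	iterations = 100_000 // example value; raise it as hardware allows
)

// pbkdf2SHA256 implements PBKDF2 (RFC 2898) with HMAC-SHA256, written out
// here so the example has no dependencies outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// DeriveKeyHex exposes the key derivation so it can be checked against
// published PBKDF2-HMAC-SHA256 test vectors.
func DeriveKeyHex(password, salt string, iter, dkLen int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), iter, dkLen))
}

// Encrypt returns salt || nonce || AES-GCM ciphertext (with its 16-byte tag).
// A fresh salt and nonce are drawn for every call.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(password, salt)
	if err != nil {
		return nil, err
	}
	out := append(salt, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong password or a modified byte anywhere in
// the blob fails the GCM tag check, so the caller gets an error, never garbage.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("ciphertext too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmFor(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("wrong password or tampered data")
	}
	return pt, nil
}

func gcmFor(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	secret := []byte("constructed sample: customer list, not real data")
	blob, err := Encrypt("correct horse battery staple", secret)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %s...\n", hex.EncodeToString(blob[:24]))
	if _, err := Decrypt("guess", blob); err != nil {
		fmt.Println("wrong password:", err)
	}
	pt, _ := Decrypt("correct horse battery staple", blob)
	fmt.Printf("recovered: %s\n", pt)
}
```

Note what the attacker who boots the stolen laptop from a live CD actually gets: the random salt, the nonce and the ciphertext, all of which are useless without the password, and every password guess now costs 100000 HMAC computations instead of one DES operation. The weak link that remains is the password itself, which is why the passphrase protecting encrypted data has to be long.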

Should a computer on which all data is properly encrypted be stolen, you can still sleep well at night, knowing that, provided you chose a strong passphrase, it would take the perpetrator all the time in the universe, and then some, to crack your code and gain access to your data.

While some encryption technology ships with Windows (EFS in Windows XP Professional, for example), I would recommend PGP, GnuPG, TrueCrypt or similar third-party software to encrypt your data. These programs are easy to use, well documented and tested, and provide a high level of security.

If you want to increase the security of your Windows computer, start by stopping the operating system from storing your password in the insecure default LM hash format. Here is how.
