Is a password-protected stolen laptop safe?

The immutable laws of security say:

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

It doesn't matter if your laptop is password-protected or not. As long as the disk is not encrypted by a state-of-the-art encryption algorithm, anyone can access your data.

If I did not encrypt my entire hard-drive, does it matter how secure my password is?

No. Your data are safe if, and only if, the data are well encrypted. Password protection of an OS usually does not encrypt the disk (except on iOS, as far as I know). Consider using BitLocker (on Windows), FileVault (on macOS), or LUKS (on Linux).

Is it possible for someone to plug the hard-drive into another computer as an external drive and simply read all its contents?

Yes, someone will do exactly this.

Just to add a very simple answer here, I regularly boot a Linux live CD/USB on friends' computers who have done something weird and need to recover files, and simply copy them over to an external hard disk. This is standard procedure, nothing 'hacky' about it.

So no, if someone was left alone with your computer, a Windows password is trivial protection against accessing files on the computer. All they'd have to do is carry a Linux USB with them and boot from it[1]; the whole process would take, like, 1 minute.

[1] assuming the typical non-technical-user scenario where no further protections (e.g. a BIOS password) are in place

As anion's answer points out, the data on your hard disk is generally not safe under the system you described. However, Windows does offer several encryption methods beyond just BitLocker, and they might be helping you out already.

  • Encrypting File System (EFS) is a way to transparently encrypt file contents (though not the metadata, like file names or sizes) such that they can only be decrypted by authorized Windows users. Assuming the files hadn't been shared with any other users on the same machine (or domain) whose passwords were crackable, the contents of those files would be safe. However, EFS is only available on the higher Windows editions (Pro, Enterprise, Server, etc.). Additionally, it is rarely used unless the user manually enables it (software can enable it but very rarely does so).
  • Data Protection API (DPAPI) is a way to encrypt arbitrary blobs of data (which can then be written to a file, registry key, database, etc.) so that they can only be decrypted by either the user who encrypted them, or by any user on the machine that encrypted them (typically, the user-specific form is used). DPAPI is available on all editions of Windows, and - possibly for that reason - is reasonably commonly used by software that wants to store sensitive data. For example, Chrome encrypts your site data (cookies, passwords, etc.) using DPAPI. Windows itself also uses DPAPI for some data, including the built-in password storage (used in Edge and IE) and to protect private keys in the certificate manager (even if you don't explicitly put passwords on those keys).

Both DPAPI and EFS use encryption keys protected by the user's password. This means that an attacker can't learn those encryption keys without breaking the password. Normally breaking Windows passwords is relatively easy - the hashing function used is decades out of date and not even used in a very secure way - but a sufficiently long and random password is still de facto uncrackable. Similarly, the encryption algorithms used with DPAPI and EFS aren't the latest, but they're secure enough that it would be very surprising if even the NSA could break them (either by cryptanalysis or by brute-forcing the key).

Note that it's quite easy, if you have access to a computer's unencrypted hard drive, to overwrite any user's password. However, if you do this, it becomes impossible to ever recover either the DPAPI or EFS keys, so any data protected using either feature is lost forever (unless the keys and/or data were backed up elsewhere).

So... you're still in major trouble. All your unencrypted files (pictures, documents, any local emails or chat logs or whatever) will be exposed. However, the attacker will probably not be able to see passwords that Windows or Chrome (or some other browsers) were storing for you, or use your saved browser cookies, so you're more likely to be safe against an attacker compromising your online accounts. Some especially security-conscious desktop software might also have protected its files, especially if your Windows edition supported EFS.
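The answers above turn on three facts that you can verify on the laptop itself: whether the disk is actually BitLocker-encrypted (the first answer's recommendation), whether a given file is EFS-encrypted, and whether DPAPI really binds a blob to the logged-on user. The PowerShell below is an added example, not code from any of the answers; the function names, the sample file it writes to `$env:TEMP` and the `hunter2` secret are constructed for the demo. It needs Windows, and `Get-BitLockerVolume` needs the BitLocker module, which Home editions lack.

```powershell
# Added example (not from the answers above). Checks the three things the answers
# hinge on: is the disk BitLocker-encrypted, is a file EFS-encrypted, and does
# DPAPI really tie data to the user account.
# Assumptions: Windows host; Get-BitLockerVolume is only present on Pro/Enterprise.

Add-Type -AssemblyName System.Security

function Get-DiskEncryptionStatus {
    # One row per volume. A volume showing ProtectionStatus 'Off' or VolumeStatus
    # 'FullyDecrypted' can be read from any Linux live USB, password or not.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        Write-Warning "BitLocker cmdlets unavailable (Windows Home?). Assume the disk is NOT encrypted."
        return
    }
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # EFS sets the Encrypted file attribute; the name and size stay in the clear,
    # exactly as the answer describes.
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-WithDpapi {
    param([Parameter(Mandatory)][string]$Secret)
    # CurrentUser scope: only this account, whose DPAPI master key is protected
    # by a key derived from its logon password, can unprotect the blob.
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-WithDpapi {
    param([Parameter(Mandatory)][string]$Base64Blob)
    $blob  = [Convert]::FromBase64String($Base64Blob)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# --- demo ---
Get-DiskEncryptionStatus | Format-Table -AutoSize

$sample = Join-Path $env:TEMP 'efs-check.txt'   # constructed sample file
Set-Content -LiteralPath $sample -Value 'test'
"EFS encrypted before: $(Test-EfsEncrypted $sample)"
try {
    [System.IO.File]::Encrypt($sample)           # throws on editions without EFS
    "EFS encrypted after : $(Test-EfsEncrypted $sample)"
}
catch {
    Write-Warning "EFS not available on this edition/filesystem: $($_.Exception.Message)"
}

$blob = Protect-WithDpapi -Secret 'hunter2'
"DPAPI blob (what an attacker reading the raw disk sees): $blob"
"Unprotected by the same logged-on user: $(Unprotect-WithDpapi $blob)"
# Run Unprotect-WithDpapi on that blob from another account, or on this account after
# its password has been overwritten offline from a live USB, and it fails: the master
# key can no longer be derived, which is the data-loss caveat the answer warns about.
```

If `Get-DiskEncryptionStatus` reports every volume as unprotected, the Windows logon password is doing nothing for data at rest and the first two answers apply in full; the DPAPI round-trip shows what the third answer means by browser passwords and cookies surviving a raw-disk read.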