What is the real danger of not putting a login password in Windows in a small company, except that of allowing anyone to go physically on your computer?

In a nutshell, besides physical, local access, there is no more of a risk in not having a password than in having one - besides the obvious risk of anyone being able to walk up to your computer and log in.

There are a number of risks however that come from fraud and fraud prevention. Since anyone can walk up to any computer and log in, if anything malicious were to happen (and it does) you would have no way to prove who it was.

EDIT: if you're on windows 7 you can use autologin: https://technet.microsoft.com/en-us/library/ee872306.aspx

FRAUD AND FRAUD PREVENTION

Typically, an organization would have controls in place to prevent fraud from occurring in the first place. The idea being that the more difficult it is to prevent fraud, the less likely it is to occur. I'll outline a rough scenario at the end if that helps clear it up for you.

A common control method is proper passwords, so that someone couldn't walk up to a computer, use it for some malicious activity, and then walk away. Keep in mind that this person may be from outside the company as well - i.e. it could be a repairman, an auditor, a health inspector, etc., depending on your line of work, not just someone from inside the company.

SCENARIO

An organization has no passwords on its computers. An employee, Jane, was one of three employees let go due to a workforce reduction from a budget cut. Her job was to manage the company account for making purchases from new suppliers.

A few weeks after she was let go, her replacement noticed some irregularities in the accounts that she was in charge of. An internal investigation was launched, which found that almost $5000 had gone missing over the past 18 months. An external auditor was called in to assess the situation and a fraud investigator was brought in to find out what happened.

They discovered that Jane's computer was used to move the money, however it was always during her out-of-office hours. They also discovered that no one in the company uses passwords on any of their computers, meaning that it could be anyone who would've had physical access during those 18 months. They also found from conducting an interview that Jane left with no issues, and left them with little reason to think it was her.

So who could it be?

SCENARIO 2

Same as above, except employees use passwords:

They discover that Jane's computer was used to move the money, and it was always during out-of-office hours. However, it was not her login details that had been used, but rather those of the hiring manager for the floor.

An investigation was launched and found that he was having some issues at home with his spouse, which could be a potential motivator.

etc. etc.

The point being that in each of these situations, even with passwords being used, it's difficult to say who it was that committed the crime. However, in the case of Scenario 2, the hiring manager would have to explain why he logged in with his details outside of normal hours, or how his credentials had been potentially 'hacked'.

Hope that clears things up a bit. I can expand further if not.

EDIT: Just to add, since @Sayan made the point: it is known in security as non-repudiation, or being able to prove that something happened and by whom.
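A worked illustration of the non-repudiation point behind the two scenarios, added here and not part of the answer above: the same out-of-hours logon trail names nobody when every logon runs under one shared autologon account, but names an individual when each employee has their own account. The logon records, account names, workstation name and 08:00-18:00 office hours are all constructed assumptions, not data from the question.

```python
"""Attribute out-of-hours logons on one workstation to an account.

Added example. All records below are constructed, Windows-style
(timestamp, account, workstation) entries; nothing here is real data.
"""
from collections import defaultdict
from datetime import datetime

# Scenario 1 (autologon / no passwords): every logon is the same shared account.
SHARED = [
    ("2015-03-02 09:01", "ACME\\workstation-user", "FINANCE-PC"),
    ("2015-03-02 21:14", "ACME\\workstation-user", "FINANCE-PC"),
    ("2015-03-09 22:40", "ACME\\workstation-user", "FINANCE-PC"),
]
# Scenario 2 (per-user passwords): logons carry individual accounts.
PER_USER = [
    ("2015-03-02 09:01", "ACME\\jane", "FINANCE-PC"),
    ("2015-03-02 21:14", "ACME\\hiring.manager", "FINANCE-PC"),
    ("2015-03-09 22:40", "ACME\\hiring.manager", "FINANCE-PC"),
]

OFFICE_HOURS = (8, 18)  # assumed office hours: 08:00-18:00, Monday to Friday


def is_out_of_hours(ts: datetime) -> bool:
    """Weekend, or a weekday time outside the assumed office hours."""
    start, end = OFFICE_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def out_of_hours_by_account(records, workstation):
    """Count out-of-hours logons per account on the given workstation."""
    counts = defaultdict(int)
    for ts, account, host in records:
        if host != workstation:
            continue
        if is_out_of_hours(datetime.strptime(ts, "%Y-%m-%d %H:%M")):
            counts[account] += 1
    return dict(counts)


def attributable(records, workstation, shared_accounts=()):
    """True only when every out-of-hours logon maps to an individual account.

    A shared or autologon account proves the machine was used, not who used it,
    so it gives no non-repudiation.
    """
    counts = out_of_hours_by_account(records, workstation)
    return bool(counts) and not any(a in shared_accounts for a in counts)
```

With the shared account the investigator learns only that FINANCE-PC was used after hours; with individual accounts the same records point at one named account, which its owner then has to explain.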


One of the main security concerns would be 'non-repudiation'.

Non-repudiation is the evidence/assurance that someone cannot deny their actions. Hence, in your case, if anything goes wrong you may end up in a situation where you cannot take any action.

Because you may not be able to produce digital evidence for the case.

You may refer to the article below for more details about non-repudiation: https://searchsecurity.techtarget.com/definition/nonrepudiation


Together with the other answers: employee confidentiality.

Whilst these are work computers, there may be the need to store sensitive personal information on them. The boss needs to be able to access all files on the computers, but that does not mean that all files should be shared between all employees. Some possible examples of information that should not be shared without restriction:

  • Confidential medical information, which may be needed at work to complete a risk assessment or insurance application
  • Payslips
  • HR records regarding performance, redundancies etc.

Even without any malicious intent, you could have a scenario like this on your hands: Susan, the head of sales, is going to a conference in another city. For the travel insurance application, she must declare recent medical treatment. She uses her work computer to scan in a letter from her doctor explaining that she was recently diagnosed with cancer, but that she is fine to travel. She has told her boss about her diagnosis, but wants to keep it private from her colleagues for the time being. Whilst she is away at the conference, admin Adam needs access to some client info on Susan's computer. Whilst he is searching for the documents, he comes across the letter from Susan's doctor. He tells the other people in the office, who decide to get Susan a get-well-soon card. Susan returns from the conference, and the other employees all tell her how sorry they are to hear about her cancer. Susan is furious that her wish to keep her health condition private was ignored, and threatens to sue the company.

Most jurisdictions have data protection laws that require employers to protect sensitive employee information for exactly this kind of reason.