Is it unsafe using Windows XP without password?

Sin Jeong-hun

I'm the only one who uses my computer at my home. Until recently, I set
a password for my account (not Administrator but belongs to
Administrators group) and logged on each time by typing the password. A
few days ago, I reinstalled Windows and haven't set a password for my
account yet. Wow, it's really convenient that I can start working
without typing the password. I just turn the computer on, and do some
other things and return to find my PC is ready to go. When I used
password, the computer had been stuck to the welcome screen when I
returned and I have to type the password and wait till the loading
ends.

So, my question is if it is safe to use Windows without a password. I
mean against online attacks, not that somebody physically enters my
room and uses it. I'm using Windows XP Service Pack2, have Windows
firewall+Automatic updates turned on, and set a password for
Administrator.

Or.. you think it's better to set a password for my account and use
automatic logon (by TweakUI)? Thank you.
 
Kerry Brown

It is safer to have a password. Malware can find out account names but it
can't find passwords. It is another level of protection. Also if you want to
schedule tasks you will need a password. You are relatively safe setup as
you describe, although you don't mention any antivirus or antispyware
programs. A password would give you a little more protection.
 
Paul Johnson

Sin said:
I'm the only one who uses my computer at my home. Until recently, I set
a password for my account (not Administrator but belongs to
Administrators group) and logged on each time by typing the password.

That would be the same as administrator, then. If you're trying to make use
of proper privilege separation, only Administrator should be in
Administrators, with everybody else being a Standard or Power user.
Remember that you can always Run As... around it if you need to temporarily
escalate your privs for a specific program.

(Now if vendors would stop demanding Administrator privs for software that
should not need such relatively low-level access...sorry, a GAME should not
expect Admin privs, ever)
A few days ago, I reinstalled Windows and haven't set a password for my
account yet. Wow, it's really convenient that I can start working
without typing the password. I just turn the computer on, and do some
other things and return to find my PC is ready to go. When I used
password, the computer had been stuck to the welcome screen when I
returned and I have to type the password and wait till the loading
ends.

So, my question is if it is safe to use Windows without a password.

When in doubt, use a password. Preferably, a secure one. If you have a
palm, you might want to go get yourself a copy of GNU Keyring and be sure
to set yourself a master password to encrypt your password database on your
palm, and keep your palm with you.
http://gnukeyring.sourceforge.net/

If you have to ask, "Should I use a password?" Your answer should be yes.
Keyring makes it easy to keep passwords nice and complex, and as long as
you have your palm and remember the keyring password, you have access to
all your passwords. Very cool.
Or.. you think it's better to set a password for my account and use
automatic logon (by TweakUI)? Thank you.

Automatic Login using TweakUI is also not secure: Password in plaintext in
the registry, IIRC.
 
over

Paul Johnson said:
That would be the same as administrator, then. If you're trying to
make use of proper privilege separation, only Administrator should be
in Administrators, with everybody else being a Standard or Power user.
Remember that you can always Run As... around it if you need to
temporarily escalate your privs for a specific program.

(Now if vendors would stop demanding Administrator privs for software
that should not need such relatively low-level access...sorry, a GAME
should not expect Admin privs, ever)


When in doubt, use a password. Preferably, a secure one. If you have
a palm, you might want to go get yourself a copy of GNU Keyring and be
sure to set yourself a master password to encrypt your password
database on your palm, and keep your palm with you.
http://gnukeyring.sourceforge.net/

If you have to ask, "Should I use a password?" Your answer should be
yes. Keyring makes it easy to keep passwords nice and complex, and as
long as you have your palm and remember the keyring password, you have
access to all your passwords. Very cool.


Automatic Login using TweakUI is also not secure: Password in
plaintext in the registry, IIRC.

No longer true. This used to be the case, but TweakUI now encrypts the
password.
 
Paul Johnson

No longer true. This used to be the case, but TweakUI now encrypts the
password.

Ah, well, that's good to know. Any idea if it's a good hash or something
trivial like ROT13?
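
Added example, not part of the thread or written by any poster: a check for the plaintext automatic-logon case discussed above, run over the text of a `reg export` of the Winlogon key. The key path and the value names `AutoAdminLogon`, `DefaultUserName` and `DefaultPassword` are the standard Windows ones and are not quoted in the thread; the sample exports are constructed.

```python
import re

# Winlogon key that holds the automatic-logon settings (compared lower-cased).
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key: {value_name: data}} for the string values in .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = STRING_VALUE.match(line)
            if m:
                current[_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys

def audit_autologon(text):
    """Report automatic-logon state without ever returning the password."""
    values = parse_reg_export(text).get(WINLOGON, {})
    return {
        "autologon_enabled": values.get("autoadminlogon") == "1",
        "user": values.get("defaultusername"),
        # A non-empty DefaultPassword string here is the plaintext case.
        "plaintext_password_present": bool(values.get("defaultpassword")),
    }

# Constructed sample exports (not taken from any real machine).
SAMPLE_PLAINTEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="example-user"
"DefaultPassword"="constructed-example"
"Shell"="Explorer.exe"
'''
SAMPLE_NO_PLAINTEXT = SAMPLE_PLAINTEXT.replace(
    '"DefaultPassword"="constructed-example"\n', "")

if __name__ == "__main__":
    for name, sample in [("plaintext", SAMPLE_PLAINTEXT),
                         ("no plaintext", SAMPLE_NO_PLAINTEXT)]:
        print(name, audit_autologon(sample))
```

Files written by `reg export` are UTF-16, so decode them before passing the text in. A result with automatic logon enabled and no `DefaultPassword` value only shows that no plaintext string sits in this key.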
 
