Windows XP: Ability to login without having to use a password
That explains it
by joe_smith2 - 3/17/06 4:43 PM In reply to: Knowledge is the key to security by SirusmajSteve Gibson is a complete laughing stock of the security community. He's infamous for coming up with all kinds of half-baked ideas that never really pan out. The latest of which, was his claiming that a Windows security bug (the WMF bug) was in fact an intentional back door put in by Microsoft. It was nothing of the sort, and this is hardly the first time Gibson has done such a thing.
The article at the link below is some of the highlights from the Steve Gibson blooper reel you might say.
http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/
I don't take Gibson seriously, and the same tends to go for people who do take him seriously. I'll admit, that to someone who doesn't really know that much about security, Gibson sounds like he knows what he's talking about. Kind of funny though... Before you posted this, I was commenting to a friend about how you seemed to be like Steve Gibson... In that you know just enough to sound convincing and be dangerous.
Also, minor point of grammar, but it's impossible to make a personal attack on a non-living entity such as a place of business. Even ignoring such, that's hardly an attack. This is why I would never be able to survive below the Mason-Dixon line, you people have no tolerance for differing opinions, as a subculture. Everything is seen as an attack against you and your way of life, when most of the time, it's just a statement of fact or an expression of opinion. I also can't even bring myself to call country a form of music, auto racing is a waste of perfectly good gas that could have been doing something productive besides propelling a bunch of rednecks in a circle a few hundred times at high speed, and I like talking fast and being understood. But that's all another topic for another time and place.
Back on the subject of my alleged attack on your proprietorship... If your security knowledge is based on nuggets of wisdom gleaned from the likes of Steve Gibson, I feel pretty secure in my saying that I'd be demanding a refund for your negligent behavior with my computer, and I'd be doing what any good consumer in a capitalist society would, tell everyone I know about it. I only hope that you come to understand just what a complete joke Steve Gibson is, so that you can rectify some of your views for the future. You don't even have to take my word for things. Do a little research on your own, using whatever search engine you prefer. It shouldn't be hard to find plenty of actual security experts who hold very dim views of Gibson.
Put another way, I could claim I'm an heir to the British royal family. Nothing stops me from claiming that, but no matter how earnestly I do, it doesn't make it any more true.
Right or wrong?
by Sirusmaj - 3/18/06 9:46 AM In reply to: That explains it by joe_smith2Even if we assume Steve Gibson is certifiably insane and a "laughing stock" of the security community, he supports the use of passwords, really good passwords, and so do I. Yes I think that passwords are an added level of protection against anything that might need then to access something they shouldn't, call it spy-ware, mal-ware, ad-ware, or virus. While I do listen to his pod cast and the whole TWiT line up, I also try to get information from other sources - like CNET, AnandTech, and Computer Power User. I take all I can from where I can. Everything I've heard or read so far points to logon passwords being worth very little. Maybe we should all switch to Apple or Linux? Personally I would love to leave Windows but my job and way of life depend on the most prevalent OS. Maybe Windows Vista will get it right however nothing I've read or heard says that it will.
I'm sorry you think I'm a "hick" and every bad connotation that comes from that. That only shows your level of ignorance. Culture exists everywhere you go and no culture is perfect. Having been raised in Southern California I understand that more than most. Yes we could talk a mile a minute and I could understand you. It would be interesting for you and I to talk. I would actually like to find out what you know and where you learned it from. I am not a security expert but I do what I can for my customers and for what it's worth we have not gotten any computers back for security issues once we set them up. We are always striving to improve our quality of service. There was a time when we were like chain stores and only restored Windows and I'm glad that time is behind us.
There are other posts on here already saying that you are sorely out of date with security issues of today. I don't think so, I think you have had some very good experience in this field. At least you sound like you have. Things of yesterday are always being replaced. The few Windows 9x machines still in existence wouldn't be worth the processing speed available if a hacker could get on them. We've both agreed that yes there is added security in a password, just not that much. So leave it at that. I am glad that you are actively helping people on CNET. I am striving to do that too.
A good reply
by MarkFlax
- 3/18/06 2:45 AM
In reply to: Knowledge is the key to security by Sirusmaj
That is a good reply Sirusmaj, thank you.
I wish, I just wish, that all retailers and computer repair businesses would take the time out like your business does to install anti-malware utilties on Windows machines, and to explain to users about security and show them how to use the utilities effectively. That way, infected computers and the misery it causes would be much reduced.
Password protection is a tricky subject, and there is no single answer that will satisfy all people. Your advice to the original question was, it seems to me, completely relevant to the context of the question posed.
People will say all sorts of things in discussions and it is important to keep to the subject in hand, rather than being diverted away onto different tracks. Such discussions can become emotive, and temperatures can rise, so posts like yours that return discussions to their orignal tracks are invaluable.
These type of discussions will often bring different points of view and CNET welcomes that, as long as such discussions do not deterioate into personal attacks.
Many thanks again.
By the way, I am a UK citizen and live in England. if Joe were ever to become King of England I would emigrate to the US. Can I come to Texas? ![]:)](http://www.cnet.com/i/mb/emoticons/devil.gif)
Mark
Oh come now
by joe_smith2 - 3/18/06 6:30 AM In reply to: A good reply by MarkFlax
We both know that the royal family is little more than a ceremonial role these days in the UK. There's very little power left vested in the King or Queen, so it wouldn't really matter. I'd live in Buckingham Palace, and be trotted out a few times a year for some ceremony or another, and that'd be about it.
I also highly doubt there's a Brit alive who would be able to tolerate living in the deep south of the US. By and large, it is a cultural wasteland. So unless you're big on blindly trusting authority figures, are a Christian fundamentalist (ideally Baptist), and can buy into a somewhat watered down Machiavellian life philosophy, probably better to stay over on that side of the pond. I promise I wouldn't ever send you off to the Tower of London if I became King. Well, not unless you really deserved it.
Houston is anything but a cultural wasteland, "Joe."
by Dave Konkel [Moderator] - 3/19/06 10:03 AM
In reply to: Oh come now by joe_smith2
Nationally (at least) known museums, art galleries, symphony, opera, ballet, repertory theater, on the circuit for touring Broadway shows, and in some cases pre-Broadway shows. Also a hub of the biotech industry.
Your provincialism is showing!
-- Dave K.
Changing Passwords
by frankln2u - 3/15/06 12:59 PM In reply to: Ability to login without having to use a password by dawillieWindows includes a hidden Administrator account that can be used for problems with other accounts. You can access it by restarting the computer into safe mode.
First, restart the computer. As it starts, repeatedly press the F8 key (some computers instead require the Delete or Esc key). Instead of the familiar Windows screen, you'll see a text-only Advanced Options Menu. Use the arrow keys to select Safe Mode. Then press Enter.
Select the Administrator account. By default on most computers, it requires no password. Once logged in, you can change the password of the account you normally use.
To make the change, click Start>>Run. In the box, type "control userpasswords2" (without the quotes) and click OK. Select your normal account name in the list. Click the Reset Password button. You'll be prompted for a new password. You can restart the computer and use the new password on your normal account.
Once you've got access to your computer, set a new password through Windows. To do it, click Start>>Control Panel. Double-click User Accounts. Select your account and click "Change my password." You'll be prompted for a new password.
You'll also have the opportunity to enter a password reminder. It should trigger your memory if you ever forget your password. But the reminder should not be descriptive enough to allow others to determine your password.
Passwords in XP
by frankln2u - 3/15/06 1:44 PM In reply to: Changing Passwords by frankln2uYou can also use the posting to set up start up with no log in
thanks to all responses
by dawillie - 3/15/06 5:16 PM In reply to: Changing Passwords by frankln2uI feel that Ed and Dalton have given me some good information to do with 'control userpasswords2'.
I have two issues on this.
1. Dalton says do this in Command Prompt, which btw I tried and saw the checked box. Ed says do it in the run command in safe mode. I am confused onthis point.
2. A lot of mention of changing passwords.
I simply do not want to use a password to access my O/S.
Can someone help with that aspect of it?
Thank you and gone to read the Microsoft Article.
Back later.
David Williams
Does this
by Fish - 3/15/06 5:59 PM In reply to: thanks to all responses by dawilliegive you any help? This was posted a long time ago by Grif Thomas in computer newbies.
http://reviews.cnet.com/5208-7813-0.html?forumID=45&threadID=22053&messageID=289976
BAD, BAD Idea
by joe_smith2 - 3/15/06 6:28 PM In reply to: thanks to all responses by dawillieIt doesn't matter how infrequently you're on the Internet. It's possible for a system to be compromised within 20 minutes of connecting to the Internet.
Having a password on the account will provide a little additional protection on top of any other measures you use.
The ONLY reasonably secure alternative would be to use biometrics as a password or smart cards. There are keyboards you can buy that either have a card reader slot in them, so you have to insert a credit card like card to use the computer, or keyboards with thumbprint scanners that can function as a password like security measure. Problems being, they're more physical security oriented, not so much remote security, they're expensive, and not always as reliable.
There's a bit of a harsh reality you have to face. Rather than insult your intelligence, I'll just say it flat out. Computers are not appliances. You can't simply turn them on, use them for a period of time, then shut them off. They, like your car, need regular maintenance in order to function properly. Part of this includes having to occasionally enter in a password. If you, or anyone else, is unable or unwilling to perform these basic functions, you probably should rethink having a computer. Maybe in a few years this won't be the case, but the realities of right now are that passwords are a necessary annoyance, and you would be doing yourself or anyone else a grave disfavor to do otherwise.
not necessarily a bad, bad idea
by sharee100 - 3/17/06 7:15 AM In reply to: BAD, BAD Idea by joe_smith2I have 2 computers on a home network. I use a wired router. I set my access to 2 computers. The computers are on all the time. No outsider can access my internet with access already maxed. I have other security running on the computers. I have multiple email accounts. Each of the servers block any problem incoming emails, too. I feel I'm as secure as I can be. And I have automatic sign-on.
Well...
by joe_smith2 - 3/17/06 9:21 AM In reply to: not necessarily a bad, bad idea by sharee100There's a big difference between what you feel and what is actually the case.
I might feel secure at night leaving my window open and doors unlocked, but it doesn't take a genius to figure out I'm not. In fact, if I were burgled under such circumstances, I should probably expect the insurance company to try and deny my claim for being careless.
Realistically I know a password doesn't add a great deal of security against remote threats, and that it's primary usefulness is for physical security. Even knowing that, I tend to feel it's my duty to make the job of any would be hackers of my system, as difficult as possible. Maybe it will only slow them down for a few seconds, maybe it will cause them to simply move on to another system... One like yours, which lacks a password. Either way, when I'm relaying the details to various authorities, I can honestly say that I did everything reasonably possible to protect my computer. Can you?
BAD, BAD Idea? Not at All.
by MRCarpenter - 3/17/06 7:43 AM In reply to: BAD, BAD Idea by joe_smith2Using a log-on password in no way increases computer security in an at-home, single user environment. There would be a slight increase in security only if the user created a user account separate from the default administrator account and after logging in used that account with limited permissions. If an intrusion were then successful, the intruder’s access would be confined to the second account with its limited permissions.
The point of security, however, is to prevent the intrusion in the first place and if the user has a firewall and AV product whose definitions are kept up to date, then in her situation a log-on password adds no security at all. This is obvious because she can be infected only if she is already online in which case whether or not she used a password for log-on matters not at all.
True to a point
by joe_smith2 - 3/17/06 9:27 AM In reply to: BAD, BAD Idea? Not at All. by MRCarpenterBut if a hacker figures out they've got a limited account, they're going to proceed to try and either crack the password on the admin account or use a privilege escalation exploit. If they have to use brute force and dictionary based cracking methods to get into that admin account, the number of login requests is going to take some time and slow the system down noticeably if they want to crack the password any time soon. These are things I can use as clues that something is very wrong.
If not for your stopping short, your argument would sound pretty good. Should really work on that. A good argument always addresses at least some of the counter arguments.
True for Ever and Ever <g>
by MRCarpenter - 3/17/06 2:38 PM In reply to: True to a point by joe_smith2You are basing your argument on assumptions that are somewhat out of date or give hackers far more credit than they deserve. For example, you suppose a hacker is going to realize there is a limited account on the computer. How can the hacker know that unless he can get into the computer? if you are using a firewall and AV the only way to do so is by the user going to a “malicious” site containing malware that is downloaded to the user’s computer, whether the user is aware of it or not. If the user is using a limited account, the amount of damage that can be done depends on the restrictions applied to that account. The program placed on the drive by the hacker has no way of knowing the nature of the account, only what is available in it.
You also assume anyone is going to bother with password breaking code and use it to hack the computer. in fact, hackers almost never bother with that when gaining access to randomly chosen computers. It is time consuming and in most cases wouldn’t begin to be worth the hacker’s time. you cannot assume that because hacking a password can be done, that commonly it is. Precisely the opposite is true. A hacker would bother only if he had reason to believe that what is on the computer is worth the time and effort and how can he know that?
The point here is that as a practical matter there are not all kinds of ways a hacker can get into a computer. Assuming a firewall and up to date AV, the ways are extremely limited. That is why the concentration by hackers now on luring people to malicious sites. As people become more conscious of security the hackers are forced give up trying to break into computers using brute force and must rely instead on tricking users into giving up personal information (phishing) or even to allow the hacker access to their computers by luring them to malicious sites where the user in affect allows them access.
Where do passwords on the user’s computer enter into all this? They don’t. Passwords on personal computers are effective, have any relevance at all, only if people other than the user have physical access to the computer. As far as external, internet-based attacks are concerned, passwords on the user’s computer are largely pointless.
For the original poster’s friend and under her circumstances, if she doesn’t want to be bothered with a log-on password, there is no security concern whatsover. It is a matter of personal preference only.
| Forum legend: | |
 |
Locked thread |
 |
Moderator |
 |
CNET staff |
 |
Samsung staff |
 |
Norton Authorized Support team |
 |
AVG staff |
 |
Windows Outreach team |
 |
Dell staff |
 |
Intel staff |
