How important is my computer login password (see details)?

I use a really weak password that I can type really fast on my computer. As long as you are behind a router you should be pretty safe. But using sdfjrkjgq43[qwef1S on your computer is kinda stupid.

That assumes you are behind something that uses DHCP. If you go from a modem to computer you should pick a more secure one.

I find it easy enough to control physical access to my machine that I don’t even bother with a password for my desktop system (though I do use one for my laptop). The way I see it, any remote access attack that gets through to my computer will probably hit while I am logged on anyways, and anybody who tries to gain unauthorized physical access to my machines will have a problem simply because WA believes in the “castle doctrine” ;)

If @johnpowell will allow, I’d like to elucidate his wording just a bit:

As long as you are behind a WI-FI router WITH PROTECTED ACCESS USING WPA ENCRYPTION you should be pretty safe. But using sdfjrkjgq43[qwef1S on your DESKTOP computer FOR WHICH YOU CAN MAINTAIN GOOD PHYSICAL SECURITY is kinda stupid.

That assumes you are behind something that uses DHCP WHICH AUTOMATICALLY ASSIGNS A RANDOMLY AVAILABLE IP ADDRESS TO YOUR COMPUTER EACH TIME IT CONNECTS TO THE NETWORK. If you go from a CABLE OR DSL modem DIRECTLY to YOUR computer (INSTEAD OF THE WPA ENCRYPTED WI-FI ROUTER PROVIDING DHCP) you should pick a more secure one PASSWORD SINCE YOUR COMPUTER HAS AN INTERNET-VISIBLE IP ADDRESS.

If you have physical access to someones machine, you can do anything and get past everything.

@johnpowell Thanks. I have a rather long passphrase that I am using right now to login, and I was starting to think that it was pretty stupid myself. I just wanted to make sure that it wasn’t some important line of defense against remote attacks.

@jerv So are you saying that a remote attack would need to crack my login password if I was not logged in? In any case, I’m in the same boat as you: I’d probably be logged in anyway. But that was one of the things I was wondering, so I would appreciate it if you’d clarify for me.

@robmandu Thanks. I actually got what he was saying, but the elaboration was still useful. I’m mostly self-taught when it comes to computers, so I have weird gaps in my knowledge.

@XOIIO I know. That’s why I asked about what good the login password served against people without physical access to my machine.

Ahh, misread

No problem.

Well, unlike some people, my desktop is either logged in (thus negating the need to crack it) or powered down (thus impossible to crack), so it’s a moot point for me. Doubly so since I have security between my computer and my DSL jack. Therefore, it’s not something I ever really thought about.

Only a few people I know and trust and have invited into my home have physical access to my computers so I don’t bother with a password at all, on my “actual machines.” I would find it annoying to have to enter a password to log onto my own computers.

I recently had my house broken into. I had 3 laptops in the house that were all powered on. They took the one that had no password (daughters).
It really is about how much you care about security and your stuff. If you are paranoid then you set complex passwords along with lock timeouts for non activity that even annoy yourself. I use the biometric login so I can set it as complex as I want.
It’s all about weighing the risks.
I personally use strong passwords that are cast to memory.

@lillycoyote Right, but that’s not my question. My question is whether or not someone attempting a remote attack would need my computer login password in order to successfully crack my computer. The answer appears to be “no.”

Password cracking can be a vector for remote attack. If there’s no password – or one that’s very trivial to crack/guess – then it’s certainly a possibility.

The thing is, cracking an arbitrarily hard password can be time-consuming and is somewhat easy to trap if they’re actively throwing guesses at your OS.

So I think that attackers will often try multiple vectors… like some type of software exploit that employs some kind of buffer overflow, sql code injection, privilege escalation, cross-site scripting, etc.

They might first try a normal “login” approach to see if you’ve got a password at all or if they can guess it. Then they might resort to coming at your OS sideways through one of those other attacks.

It really depends on the person, their skillset, their tools at hand, and their objective.