
Passwords and Data Encryption

There are many different ways to secure data on computers, but not all of them offer the protection you think they do. In this article I am going to list several different types of security and some advantages and disadvantages of each.  These are concepts that often come into play when repairing computers and having a firm understanding of them will enable you to make better decisions about what to do or what not to do with your data.

Windows Login Password

This is probably the very first thing most of you think of when you hear talk of computer security.  A Windows Login Password is configured by a user (or their admin) and is required by Windows after the computer has booted but before a user may log into the computer.  There is even a good chance you believe that a lengthy and complicated password here will protect your data.  Unfortunately, this couldn’t be further from the truth.  The Windows Login Password is one of the simplest forms of security to bypass and does little but protect you from a casual snoop.  The fact of the matter is that setting a login password usually does nothing to encrypt your files or hard drive, and as a result, anyone with physical access to (this means possession of) your computer and a few basic tools would be able to copy your data, pictures, and documents, to another computer or external hard drive. Someone who steals your computer, or even has more than a few minutes with it unattended (like a house sitter or a weekend guest left alone), can easily get at your data by booting from an external flash drive or removing the hard drive and transferring the data to a different device.  By itself, a Windows Login Password doesn’t do much for your security.  You’d be safer to keep looking for other options if you want to have any reasonable privacy on your computer.


BIOS Password

Unless you’re in information security, there is a good chance you have never heard of this one. A BIOS password usually must be entered immediately after the computer is turned on, before the operating system will load. Because it is required before the operating system begins to load, it prevents hackers from taking advantage of vulnerabilities in the operating system that can be used to obtain unauthorized access to computers. BIOS passwords are often slightly better than a Windows password alone, because you can use them to prevent most access to the computer. BIOS passwords can be configured to prevent loading the computer at all without the password, or to prevent booting from external media or making changes to the computer’s BIOS settings.


Unfortunately, BIOS passwords can often be completely circumvented by removing the CMOS battery for a few seconds or by accessing a special jumper on a computer’s motherboard called “clear CMOS” which resets all of a motherboard’s settings, including the BIOS password.  The casual snoop or your brother-in-law may not know about this, so you don’t have to worry about intrusion from most of the common people who want access to your information, but if your laptop is lost or stolen there is a good chance that the potential identity thief will be able to get into your computer if you secure it with nothing more than a BIOS password.  Additional methods are necessary if you wish to keep your files secure and private.


Encrypted Files or Folders

This is a pretty good way to secure your data if you have files or photos you’d prefer to stay private even if your computer is lost or stolen. By encrypting specific files or folders with proper encryption software such as Cryptomator (my first choice) or VeraCrypt, it is possible for you to encrypt entire folders, partitions, or hard drives with military-grade encryption to ensure that your confidential data is secured from prying eyes. These types of software scramble the data so that it cannot (easily) be decrypted by anyone without access to your private keys or passwords. The downside of these types of software is that you become responsible for safekeeping your security keys and data. If you choose to start encrypting your data, it is considerably more secure, but you also make it easier for you to lose data if you are not deliberate about keeping a secure backup of your files in case something becomes damaged or corrupted. Every hard drive will eventually fail, so you should be backing it up on your own anyway, but this becomes especially important if you are encrypting the data because it is more difficult to recover data from a damaged, encrypted file system than it is if the data is unencrypted. You should always print a copy of your recovery keys and store it in a safety deposit box or other safe place in case something happens to you or you forget your passwords or decryption keys.


If you are using a computer with Windows 10 Professional, it is very easy to encrypt your USB flash drive or external hard drive using Microsoft’s encryption feature, named BitLocker. BitLocker will be easier to configure than either of the previous two options, and it provides strong encryption. The same warning applies to backing up your data, but the nice thing about BitLocker-encrypted drives is that you can pretty safely transport your data from home to work or work to home without worrying that someone will easily be able to access your data if you misplace the drive. Decrypting the files is as easy as plugging in the USB drive and typing in the BitLocker encryption password, which makes it a good blend of security and ease of use.


Encrypted Hard Drive

Compared to the other security options already named here, encrypting your entire hard drive is the safest and most secure way to keep your data safe. If you work in the healthcare delivery system or many branches of the government, you are probably already aware that encrypting your hard drives is a critical piece of data security. Using a combination of sophisticated encryption algorithms and complex encryption keys, it is possible to encrypt everything on your computer in such a way that you can be reasonably confident that your data is secure from anyone not backed by the resources of a nation or other government. Full-disk encryption is possible with both macOS and Linux, and Professional editions of Microsoft Windows 7 and Windows 10 contain BitLocker, which permits full-disk encryption. Unfortunately this feature is not available to users who have Windows Home Edition, so if drive encryption is important or necessary, you may find that upgrading to Windows Professional is worth it. BitLocker can be configured to use a combination of hardware encryption keys and personal keys (passwords) to encrypt and decrypt your data, and it can be configured to use a USB key or additional startup PIN for authentication to add an extra layer of protection. As with the other types of encryption described previously, it is important for you to make a deliberate copy of your backup or encryption keys and keep them in a safe place, because anyone with access to your hard drive and the backup of your encryption or recovery keys can decrypt and access your data.
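
To check which of the protections described above are actually in place on a Windows machine, the following is an added example (not part of the original article) that audits every volume with the built-in Get-BitLockerVolume cmdlet. It assumes an elevated PowerShell session on a Windows edition that includes BitLocker; the function name Get-BitLockerAudit is hypothetical.

```powershell
# Added example: report BitLocker state per volume and flag the gaps the
# article warns about. Run from an elevated PowerShell prompt.
# It lists protector *types* only and never prints a recovery password.

function Get-BitLockerAudit {   # hypothetical helper name
    foreach ($vol in Get-BitLockerVolume) {
        # Names of the key protectors on this volume, e.g. Tpm, TpmPin,
        # Password, ExternalKey (USB key), RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        # A login or BIOS password alone leaves the volume in this state
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "not fully encrypted ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
        }

        # Encrypted but suspended means the key is stored in the clear on disk
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is off or suspended'
        }

        # Without a recovery password there is nothing to print and store safely
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector to back up'
        }

        # TPM-only unlock on the system drive: no startup PIN or USB key
        # as the extra layer the article mentions
        $extraLayer = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm' -and -not $extraLayer) {
            $findings += 'TPM-only unlock (no startup PIN or USB key)'
        }

        if ($findings.Count -eq 0) { $findings = @('ok') }

        [PSCustomObject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protectors = $types -join ', '
            Findings   = $findings -join '; '
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize -Wrap
```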


Not every type of encryption is beneficial or even appropriate for every situation, but hopefully now that you have a little more information about what the different types are you will be able to choose the right options that balance your needs for privacy with the most appropriate solution.  Please contact us if you have questions or comments about these options, or if you would like some help designing the right solution to best meet your needs.
