
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.comp.os.windows-11      Steaming pile of horseshit Windows 11      4,969 messages   


   Message 3,989 of 4,969   
   Maria Sophia to Frank Slootweg   
   Re: Any point to password protecting the   
   24 Jan 26 21:33:04   
   
   XPost: alt.comp.os.windows-10   
   From: mariasophia@comprehension.com   
      
   Frank Slootweg wrote:   
   > Brian Gregory wrote:
   >> On 22/01/2026 15:59, Maria Sophia wrote:   
   > [...]   
   >>> My model is simple and well thought out to be optimized for convenience.   
   >>> 1. Encrypt the small amount of data that matters.   
   >>> 2. Keep it in VeraCrypt containers or a password manager.
   >>> 3. Do not rely on BIOS passwords or biometrics for data at rest.   
   >>> 4. Optimize for convenience during daily use.   
   >>   
   >> My BIOS password is just another small obstacle in the path of a bad actor.   
   >   
   >   A *BIOS* password is indeed a - IMO not so - 'small' obstacle, but, as I
   > mentioned, it's the *boot* password which adds essential protection.   
   >   
   >   So the BIOS password prevents booting from for example a Linux USB   
   > stick (and accessing the disk that way) and the boot password prevents   
   > booting Windows. After that, sign-in protection prevents signing in and   
   > encryption (full or partial) prevents access to essential private data   
   > (in case the 'drive' is removed from the system).   
      
      
   As Frank implied, a BIOS or UEFI password controls the firmware settings
   and the boot path. A boot password controls whether the OS can load.   
      
   Both are useful obstacles, but I would like to make sure all who are   
   reading this are aware that neither protects data at rest once the drive is   
   removed (which would happen in an aforementioned "burglary situation").   
      
   The only layer that protects data at rest is encryption of that data.   
      
   a. That can be BitLocker with a pre-boot PIN, or VeraCrypt with pre-boot
      authentication, or any system where the encryption key is not released
      until a password is entered.
      
   b. Once the drive is out of the machine, the BIOS password, the boot
      password, and the OS sign-in password are no longer in the path. The
      attacker is facing the encryption key, not the firmware or the OS.
      
   c. That is one reason why my own model focuses on encrypting the small   
      amount of data that matters and keeping it in VeraCrypt containers   
      or a password manager (such as KeePassXC is).
      
      For me, it is simple and it avoids relying on layers that do not   
      protect data at rest.   
      
   However, none of this says BIOS or boot passwords are useless.   
   They are useful obstacles.   
      
   They just solve a different problem than the one I am describing, which is   
   solved by container storage of private data & of user password information.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca