Tuesday, May 26, 2015

security - Windows XP: Consequences of setting a password for an account


I do not quite understand how Windows (specifically Windows XP) handles accounts with/without passwords.


As far as I can see, on a fresh Windows XP install I have one default account which



  • has admin rights
  • does not have a password
  • will auto-login (without password prompt) when the computer boots


What happens if I set a password for this account?
Will it still auto-login? Or will it always prompt for the PW?


And generally, what consequences does it have if I set a password? I noted that Scheduled Tasks apparently cannot run under an account w/o password (creating a scheduled task will prompt for the account PW). Is there anything that will not work with a password set? Why is it even possible to have accounts without a password?


I have some Unix/Linux background, but the concepts appear a little different under Windows.


Answer



The other consequence is that your account can be used to connect to the computer over the network. By default on Windows XP (and later), accounts with no password cannot be used to access the computer from the network. So it closes off any external attacks; in that way it is better than an account with a weak password.


For that reason it is sometimes recommended to have user accounts with no password at all.


As for why, I can see a number of reasons:



  1. Windows XP was the transition for mainstream users from Win 9x that didn't have any passwords.

  2. Some people could be confused by having a password (or the whole idea of accounts), forgetting the password, etc.

  3. The computer doesn't need a password. That is, there is nothing important enough to protect. (And due to the network lockout, it can only be accessed physically. If that's a home machine, it means that the attacker is already in your house.)
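The "network lockout" the answer relies on is the security option "Accounts: Limit local account use of blank passwords to console logon only". The following PowerShell audit is an added example, not part of the original post; it reads that setting from the registry and, if the protection is off, lists local accounts flagged as not requiring a password (an absent registry value is treated here as the documented default, Enabled).

```powershell
# Added example (not from the original post): check the policy behind the
# answer's "blank-password accounts cannot log on over the network" claim.
# The setting is stored as the DWORD LimitBlankPasswordUse under the Lsa key:
#   1 = blank-password accounts are refused for network logon (default)
#   0 = they may log on over the network like any other account
function Test-BlankPasswordNetworkLogonBlocked {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LimitBlankPasswordUse'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value missing: assume the documented default, which is Enabled.
        return [pscustomobject]@{ Setting = 'absent (default 1)'; Blocked = $true }
    }
    return [pscustomobject]@{ Setting = $prop.$name; Blocked = ($prop.$name -ne 0) }
}

# Local accounts carrying the "password not required" flag. The flag means the
# account is *permitted* to have an empty password, not that it currently has
# one, but it is the set worth reviewing when the policy above is disabled.
function Get-PasswordNotRequiredAccounts {
    Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount=True AND PasswordRequired=False" |
        Select-Object Name, Disabled, Lockout
}

$policy = Test-BlankPasswordNetworkLogonBlocked
"LimitBlankPasswordUse = $($policy.Setting); blank-password network logon blocked: $($policy.Blocked)"
if (-not $policy.Blocked) {
    'Protection is disabled; local accounts flagged as not requiring a password:'
    Get-PasswordNotRequiredAccounts | Format-Table -AutoSize
}
```

Run it from an elevated prompt; setting the value back to 1 (or enabling the option in Local Security Policy) restores the default behaviour the answer describes.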

