BitLocker Encryption / Cracking Windows Password


  1. Posts : 101
    Windows 10
       #1



    Hello all,

    Looking to implement BitLocker encryption at my company. I've found you can actually add a PIN to be used at the boot screen, thus adding more security. I was wondering: if I just use the encryption and don't use the PIN at boot, would this leave open a hole for someone to use a Windows Password Reset memory stick to crack the Windows password and be able to log in on the PC/laptop?

    Would having a PIN on boot stop this from happening?

    It just seems to me adding a PIN is going to be more of an inconvenience than a security feature?

    Any feedback welcome.


  2. Posts : 809
    Win10
       #2

    Yes, if you don't use a PIN then the drive automatically unlocks upon boot and you get to the normal login screen where any password recovery tools will work as usual.


  3. Posts : 101
    Windows 10
    Thread Starter
       #3

    PolarNettles said:
    Yes, if you don't use a PIN then the drive automatically unlocks upon boot and you get to the normal login screen where any password recovery tools will work as usual.
    Thanks for that. So how would the drive show if the PIN was disabled and, for example, I unplugged the drive and put it in another machine? What would happen/show?


  4. Posts : 750
    Windows 10 Pro 64-bits
       #4

    D3LL said:
    Hello all,

    Looking to implement BitLocker encryption at my company. I've found you can actually add a PIN to be used at the boot screen, thus adding more security. I was wondering: if I just use the encryption and don't use the PIN at boot, would this leave open a hole for someone to use a Windows Password Reset memory stick to crack the Windows password and be able to log in on the PC/laptop?

    Would having a PIN on boot stop this from happening?

    It just seems to me adding a PIN is going to be more of an inconvenience than a security feature?

    Any feedback welcome.
    BitLocker is designed to protect the data at rest, just like any other full-drive encryption. Without starting the OS residing on the encrypted drive, the data cannot be accessed, even if the drive in itself can be.

    The PIN will not stop the system from booting, if allowed in the BIOS; the PIN is for decrypting the drive at system startup. Booting the system to a password reset stick/CD will work, but it will not be able to recover account passwords from the BitLocker encrypted drive.

    As for inconvenience/security feature...

    Without a PIN, the BitLocker encrypted drive will load the OS and present the login prompt. At this point the system has all services, including network, active. So, I could take your BitLocker encrypted laptop, hook it up to my network and have my way with it. Not to mention the direct memory access requirement for the FireWire port, which could be exploited to access the memory that loaded at boot up.

    It seems that you'd want to remove two different levels of authentication and simplify management for encrypting company devices. Maybe you can have your cake and....

    There are third-party companies that can integrate domain authentication with BitLocker encryption, like this one:

    Secure Disk for BitLocker - Safeguard Add-On for Microsoft BitLocker

    There are others as well, and it really depends on the financial funding available for such a third-party solution. If you have any regulatory requirements for encrypting the drive, they pretty much give an explicit description for compliance. You could use that to convince the bean-counters to approve funding for such.
    Last edited by Cr00zng; 23 May 2018 at 08:48. Reason: Clarity, I think...


  5. Posts : 750
    Windows 10 Pro 64-bits
       #5

    D3LL said:
    Thanks for that. So how would the drive show if the PIN was disabled and, for example, I unplugged the drive and put it in another machine? What would happen/show?
    You'd need at least a TPM, or a startup key, if the PIN is not used. In which case, the BitLocker encrypted drive will not boot in another system, even if it is pretty much the same as the original system.


  6. Posts : 101
    Windows 10
    Thread Starter
       #6

    Thanks for the input/feedback all.
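An added example, not part of the thread or written by any of its posters: a PowerShell audit of the distinction the replies draw between a TPM-only volume, which unlocks on its own and reaches the logon screen, and one that requires a PIN or startup key before the OS loads. `Get-BitLockerVolume` and its `KeyProtector` / `KeyProtectorType` properties come from the built-in BitLocker module; the function name `Get-PreBootAuthStatus` and the sample protector lists are constructed for illustration.

```powershell
# Added example (not from the thread). Classifies a volume by whether it can
# unlock at boot with nobody present, based on its BitLocker key protectors.
function Get-PreBootAuthStatus {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ProtectorTypes,
        [string]$ProtectionStatus = 'On'
    )
    if ($ProtectionStatus -ne 'On' -or $ProtectorTypes.Count -eq 0) {
        return 'Protection off: volume is unencrypted or BitLocker is suspended'
    }
    if ($ProtectorTypes -contains 'Tpm') {
        # A plain TPM protector releases the key on any normal boot of this machine.
        return 'TPM only: unlocks automatically and boots to the logon screen'
    }
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    if ($ProtectorTypes | Where-Object { $preBoot -contains $_ }) {
        return 'Pre-boot authentication: PIN and/or startup key needed before the OS loads'
    }
    return 'No TPM protector: unlock depends on a password, external key or recovery password'
}

# Constructed sample protector lists, so the logic can be checked on any machine.
$samples = [ordered]@{
    'TPM only'  = 'Tpm', 'RecoveryPassword'
    'TPM + PIN' = 'TpmPin', 'RecoveryPassword'
    'Suspended' = @()
}
foreach ($name in $samples.Keys) {
    '{0,-10} -> {1}' -f $name, (Get-PreBootAuthStatus -ProtectorTypes $samples[$name])
}

# Live check of the system drive (needs an elevated session and the BitLocker module).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    Get-PreBootAuthStatus -ProtectorTypes $types -ProtectionStatus $vol.ProtectionStatus
}
```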


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.