Bitlocker Security Questions


  1. Posts : 776
    Windows 7
       #11

    If you work in an office environment with mandatory BitLocker usage, it's common for IT to enable a Group Policy where the lockscreen idle timeout is set as 5-10 min. While it's annoying, it limits the ability for someone to access your PC while you step away. Security is enhanced by combining the two features.


  2. Posts : 296
    Windows 10
    Thread Starter
       #12

    cereberus said:
    Bitlocker protects drive when removed from pc e.g. you have set up secure passwords to login.
    If hacker gets access to pc e.g. weak password, bitlocker does not normally add any protection as normal setup is bitlocked C drive autounlocks if user logs in.

    If laptop is left alone, and running without being locked, nothing can stop a casual person with access to pc doing nefarious things to pcs

    Regarding hackers, using a pin rather than a password is even more secure as hacker cannot access pc remotely.

    So strong login password is your best defense and using a PIN.

    Never leave pc unattended in running, not locked state.


    So you are saying even if my laptop is locked and I go outside for a short while, my laptop is safe as long as the windows password is strong? Would it even be possible for a hacker to brute force your windows password? The issue is this. If they get your laptop or take out your hard drive after turning off your laptop... well now they going to need your bitlocker pin and windows password compared to only windows password. So can they use program to brute force the bitlocker pin and windows password in their spare time?


    Well if your laptop is left alone and not locked, obviously anyone with access to the laptop even for a short time can do bad things to it. But you locking it is enough or is there still concern about them getting in BIOS somehow? The bigger concern here would be say I go out for few hours and come back. And say they installed some malware or trojan or keylogger on my laptop. Can they still do that with my laptop being locked or not? What about plugging a usb flash drive with malware into it? Now would it be the same answer if it is locked compared to laptop turned off?


    Well when I turn on laptop, I have to enter the bitlocker pin. Then enter the windows password. That is the correct way right? I have had it like this for a while. Again my concern is if someone does something to my computer and I'm not aware of it. So is it safe to leave my laptop on and locked and come back hours later?


  3. Posts : 15,494
    Windows10
       #13

    Newmann said:
    So you are saying even if my laptop is locked and I go outside for a short while, my laptop is safe as long as the windows password is strong? Would it even be possible for a hacker to brute force your windows password? The issue is this. If they get your laptop or take out your hard drive after turning off your laptop... well now they going to need your bitlocker pin and windows password compared to only windows password. So can they use program to brute force the bitlocker pin and windows password in their spare time?


    Well if your laptop is left alone and not locked, obviously anyone with access to the laptop even for a short time can do bad things to it. But you locking it is enough or is there still concern about them getting in BIOS somehow? The bigger concern here would be say I go out for few hours and come back. And say they installed some malware or trojan or keylogger on my laptop. Can they still do that with my laptop being locked or not? What about plugging a usb flash drive with malware into it? Now would it be the same answer if it is locked compared to laptop turned off?


    Well when I turn on laptop, I have to enter the bitlocker pin. Then enter the windows password. That is the correct way right? I have had it like this for a while. Again my concern is if someone does something to my computer and I'm not aware of it. So is it safe to leave my laptop on and locked and come back hours later?

    Brute force windows password is possible but the stronger the password, the more difficult.

    It is a good idea to set a bios password as well which makes it even harder.

    Brute forcing bitlocker is almost impossible to mere mortals.

    So:

    1) Strong Windows Password and PIN (important as hacker would need access to pc)

    2) Bios password to stop hacker getting to bios and booting from hacking tools (again they need access to pc)

    3) Bitlocker logon PIN (you cannot access pc without entering Bitlocker PIN; this is not the same as Windows PIN)

    4) set bios so it will not boot from usb drives.

    Of course, the safest protection is to keep critical data on separate bitlocked external usb drives or similar.

    With all of above, laptop is as secure as you can make it short of investing in hardware based security systems (only corporations with really critical data e.g. companies involved in defence contracts, lawyers etc. invest in this level of protection - not cheap).

    As a minimum, strong Windows password and PIN is important.

    If really worried, seek advice from professional security experts.

    ANY response on this forum (INCLUDING MY OWN) are simply opinion/suggestions, and it is UP TO YOU to educate yourself in suggested solutions and pros/cons. DO NOT ASSUME that I or others are 100% correct.

    There are many web articles discussing security.
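
A read-only check of two settings raised in posts #11 and #13 (the BitLocker startup PIN on the OS drive and the policy-enforced idle lock timeout), as an added example that is not part of any post in this thread. The 600-second threshold is an assumption taken from the 5-10 minute range mentioned in post #11; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Read-only audit of two settings discussed above:
# a BitLocker startup PIN on the OS drive and the idle lock timeout policy.

function Get-OsDriveFinding {
    param([Parameter(Mandatory)] $Volume)
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint     = $Volume.MountPoint
        ProtectionOn   = ([string]$Volume.ProtectionStatus -eq 'On')
        FullyEncrypted = ([string]$Volume.VolumeStatus -eq 'FullyEncrypted')
        Protectors     = ($types -join ', ')
        # TpmPin / TpmPinStartupKey mean a PIN must be typed before Windows starts.
        StartupPin     = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        # A recovery password is the way back in if the PIN is forgotten.
        RecoveryKey    = ($types -contains 'RecoveryPassword')
    }
}

function Get-IdleLockSeconds {
    # "Interactive logon: Machine inactivity limit" is stored here when set by policy.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # value absent: policy not configured
    return [int]$item.InactivityTimeoutSecs
}

$maxIdleSeconds = 600   # assumption: upper end of the 5-10 minute range from post #11

$finding = Get-OsDriveFinding -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive)
$idle    = Get-IdleLockSeconds

$problems = @()
if (-not $finding.ProtectionOn)    { $problems += 'BitLocker protection is off or suspended on the OS drive.' }
if (-not $finding.FullyEncrypted)  { $problems += 'OS drive is not fully encrypted yet.' }
if (-not $finding.StartupPin)      { $problems += 'No TPM+PIN protector found on the OS drive.' }
if (-not $finding.RecoveryKey)     { $problems += 'No recovery password protector is present.' }
if ($idle -eq 0)                   { $problems += 'No machine inactivity limit is set by policy.' }
elseif ($idle -gt $maxIdleSeconds) { $problems += "Inactivity limit is $idle s, above $maxIdleSeconds s." }

$finding | Format-List
"Idle lock timeout (policy): $idle seconds"
if ($problems) { $problems | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```

The script changes nothing on the machine. BIOS/UEFI passwords and USB boot order, the other two items in post #13, are firmware settings and are not covered by this check.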


  4. Posts : 296
    Windows 10
    Thread Starter
       #14

    When you say windows password and PIN... what do you mean by PIN? This isn't the bitlocker pin correct? There is the bitlocker pin and windows password. But I know you could also have a bitlocker password instead of a pin. But to make it simple, say there is bitlocker pin at startup. Then you have to enter the windows password.


    So if my laptop is powered off and a thief got my laptop and has as much time as they can to brute force my laptop, can they do it or not? This is assuming I have a bitlocker pin and windows password. Also I did not set a BIOS password. I didn't want to bother with this as this seemed confusing and the more things you do, you probably can lock yourself out right? But what about me also not setting bios so it will not boot from usb drives?


    Now in the other situation is when I already logged into my laptop with my bitlocker pin and windows password. Now I control alt delete and lock it as I am going to go outside for few hours and don't want to turn off my laptop and turn it back on when I come back. In this situation... let say a thief got access to my laptop for a few hours but I had no clue about it. Let's assume by the time I come back, the laptop is where it is at and looks like how it was before I left. Can they brute force or get in my laptop in those few hours? Can they put malware in my laptop by plugging in a usb with malware which takes 1 minute to put in? I heard this is possible if the computer is open etc. But what if it's locked? Can malware get into the usb port while your laptop is in the lock state?



    Also when you say set up bios so it will not boot from usb drives. Are you saying if you do this... when you are using your laptop, you can't plug in a usb flash drive? Or you mean only if you plug it in at startup? Again the last thing I want is to do so many things where it isn't necessary. I know bitlocker pin and windows password is very important which I did. But is it necessary to do the other 2 things you mentioned? The BIOS password and the set BIOS so it will not boot from usb drives?



    Also if a thief gets access to my laptop in the lock state.... if they wanted to attempt to brute force it, they have to remove the hard drive from laptop right and plug it into their system? They can't just connect something to my laptop at the lock state to brute force it right? Now if they want to brute force it, well now they have to power off my laptop. Then take out the hard drive. But now instead of just having to know the windows password, well now they have to know the bitlocker pin which makes it much harder. Is that correct?


  5. Posts : 338
    Windows 10 Pro 22H2 (19045.4046)
       #15

    I think the only answer that's going to satisfy you is to put your laptop in one of these every time you leave it unattended.
    [Attached thumbnail: Bitlocker Security Questions-safe.jpg]


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.