Bitlocker Security Questions


  1. Posts : 296
    Windows 10
       #1

    Bitlocker Security Questions


    I have windows 11 pro. I assume the answer to this is the same whether you have windows 10 pro or windows 11 pro right? I have bitlocker enabled last time with my local account. The moment I turn on my laptop, I have to enter my bitlocker pin. Then after that, I have to enter my local account password. My questions are



    1. Assuming someone has access to my laptop when it isn't powered on... they need to know both my bitlocker pin and local password to get into my laptop right? Or if they get access to my bitlocker recovery key?



    2. Assuming someone knows my bitlocker pin and enters it. Then they have to enter the local account password but do not know it. Can they access my account or not? I know back then with old windows 7, if you forgot your password, you could easily reset it. But this is completely different if you have bitlocker enabled right? But if someone has access to your laptop for a long time and knows your bitlocker pin but does not know your local account password, could they somehow brute force it or that isn't possible? They would take out your hard drive and plug it into their machine which would have the brute force machine/program or that isn't how it would work? Now if they don't even know your bitlocker pin... would it be impossible for them to brute force both the bitlocker pin and local account password or it is possible?



    3. I turn on my laptop. Then enter my bitlocker pin. Then enter my local password to my account. Then I want to go outside for a bit and not turn off my laptop as I will be planning to be back soon. I then lock my laptop. When you do that, you are on this screen where when you press anything you need to enter your local account password to get in. If someone has access to my laptop when it is locked... can they get access to my laptop or not? Is locking my computer the same as the 2nd situation above where you just enter your bitlocker pin at startup but don't type in your local account password? Same thing right?



    4. I heard of people putting malware/virus on people's computer if they can have access to your laptop for just 1 minute. Saw video where if you are at a local coffeeshop and are away from your computer for just a minute, someone could plug a usb drive with malware in it and then take it out and now you have malware. Now if you lock your computer while you are not there... are you still protected from any usb malware?



    5. Same situation as above. But they have access to your laptop but do not know your bitlocker pin or local account password. Someone turning on your laptop but on bitlocker pin screen just plugging in a usb malware to your usb port does nothing right? It can't infect the usb ports on your laptop unless they access your computer?


  2. Posts : 1,746
    Windows 10 Pro x64 22H2
       #2

    If someone learns your bitlocker key and has physical access to your PC they will have no issues brute forcing your windows account, although it's not needed since they could also mount the drive to e.g. a Linux live OS.

    For bitlocker TPM is important, there were times when TPM wasn't a thing and there was a method but I forgot what it is called, where drive encryption keys would be kept in memory for a period of time if computer was recently turned off.

    This means if someone stole your laptop soon after you turned it off, they may be able to learn drive encryption key by taking it from memory chip.


  3. Posts : 15,497
    Windows10
       #3

    You are missing an important step.

    Put a password on the bios. Brute force cracking relies on users booting from a usb drive.

    You can also disable usb ports and only enable them when needed but that is a hassle.

    With strong bitlocker pin, strong password and strong bios password, it is virtually impossible to get access to drive.

    Also keeping data in the secure password protected folders of onedrive provides an additional layer of protection.

    Another approach is to keep all data on external drive.

    In the end, the best protection is not to store data on pc in first place.

    With all protection above enabled, it is virtually impossible to access data. It would take very sophisticated forensic data retrieval experts to get at data thereafter.

    Your average thief would just throw away drive, and would be stymied by a bios password.

    Ok it is possible to reset bios password on some devices but it is not easy to do on laptops.

    In the end, keeping your passwords safe and secure is your best protection.

    I store them encoded on my mobile phone in an innocuously named file.

    A simple example of encoding is to store digits in reverse order e.g. London01# becomes #10nodnoL. You could advance digits by 1 e.g. Mpoepo12#.

    I will obviously not disclose my scheme but I am extremely confident it is secure - somebody would have to steal mobile as well, bypass mobile security, crack my encoding etc.


  4. Posts : 296
    Windows 10
    Thread Starter
       #4

    I don't know about the bios password. But if I don't do that... what about the situations I described?


    Like if I want to go outside for a short while and leave my laptop turned on... I lock it. So you have to enter the windows password in order to get in. If someone has access to this laptop for as long as possible while it is in the lock state... can they brute force it or not? I assume not because this would require them to power off the laptop and then take the hard drive and put it in their computer? So now they also need to enter the bitlocker pin? Many people keep saying bitlocker key... I am mainly talking about the bitlocker pin more so here.


    If someone has access to my laptop and it is turned off but has the bitlocker recovery key... that is the same as knowing my bitlocker pin and my windows password to get access to my computer right?


    But can someone put malware with a usb on my laptop though if my laptop is turned on and locked? Example imagine I am in cafe and leave my laptop there but lock it. If someone has access for a minute to it... can they put a usb in my usb port and put malware in it? I saw a video about this where someone can put malware on your laptop if you are gone for 1 minute. But if your laptop is locked... can they compromise your laptop? What if your laptop isn't turned on and they turn it on but don't know the bitlocker pin at startup and can't even get by that? Would a malware with usb flash drive infect the computer? Then after that... they turn off laptop. Then wait till someone uses the computer again and now they can detect keystrokes and everything or that wouldn't work if the laptop isn't in the account?


  5. Posts : 15,497
    Windows10
       #5

    We answered your questions. Why do you keep repeating them?

    If you want a pc that is fully unhackable, do not use internet, and never leave it unattended or lock it in a secure place.

    All security measures are deterrents not absolute guarantees.

    So I repeat yet again:

    1) bitlocker pin is first level of defence - user has to enter that even if there is a tpm.

    2) Bitlocker password - this protects pcs without tpm. If user has tpm, pc will unlock automatically but if drive is stolen, you need password.

    3) windows password - obviously strong password. PIN is also more secure for online hackers.

    4) do not store critical data on pc - store on removable drives locked on secure place when not needed.

    5) bios password - obviously to stop people booting from usb drives to brute force windows passwords. Again, there are ways to get round it but difficult unless real expert.

    6) KEEP ALL PASSWORDS SAFE. Invest in a safe if you have to write them down in case you forget them.

    Beyond the above, there is little one can do other than investing in other professional security hardware types of tools such as used by agencies as MI5. There is one tool here that is easy to use to get such information - www.google.com.


  6. Posts : 296
    Windows 10
    Thread Starter
       #6

    Not using the internet would not be possible.


    The thing is if I leave my laptop shut down... I know if someone has access to my laptop for as long as possible... they can't access my files unless they have my bitlocker pin and windows password or the bitlocker recovery key itself. So if they don't have access to those things, then my laptop files are safe right? Could a person brute force my hard drive and brute force the bitlocker pin and windows password if they have as much time as possible?


    Well the thing is a few times when I go outside, I might be out for a few hours or less. I want to come back and continue to use my laptop as is without having to shut it down and power it on when I come back. So my question was... is it safe just locking it? If you do that... the person needs your windows password only compared to bitlocker pin and the windows password. But is that good enough or not.


    If you do not have a bios password and just bitlocker pin and windows password... can someone put malware in your laptop with a usb if they have your laptop but it isn't turned on?


    If you do not have a bios password and just bitlocker pin and windows password but your laptop is in the lock screen... can someone put malware in your laptop usb flash drive. Example you are in a coffee shop and go do something for a minute but lock it. Can someone next to you connect a usb flash drive with malware and infect your computer in a minute or this isn't possible because it is locked. That is the important question here.


  7. Posts : 338
    Windows 10 Pro 22H2 (19045.4046)
       #7

    Leave a sticky note on it that reads: "Hackers: there is nothing on here worth stealing or messing with so don't waste your time."


  8. Posts : 1,746
    Windows 10 Pro x64 22H2
       #8

    OldGuyFromCdn said:
    Leave a sticky note on it that reads: "Hackers: there is nothing on here worth stealing or messing with so don't waste your time."
    This is actually not a bad idea.
    However it wouldn't work against a thief, laptop itself is worth something.


  9. Posts : 296
    Windows 10
    Thread Starter
       #9

    So if I lock my windows 11 pro laptop... if someone has access to my laptop even for a minute, can they put malware or anything like that on it when I'm not there?


    Example, let's say I want to go out to the supermarket for an hour or so. I'd rather keep my laptop on when I come back so I don't have to turn it off and on again. Normally I would just control alt delete and lock it. So the only way to get on my laptop is enter my windows 11 pro password.



    If someone had access to my laptop, can they access my laptop files or not? The thing is assuming they don't have my bitlocker recovery key... can they do anything at all? Obviously if your laptop is turned off, it's much harder as they would need both the bitlocker pin and windows 11 pro password right? However, if my laptop is locked, could they put a usb with malware and plug it into my usb port or that wouldn't work because my laptop is locked? I know there is a big difference between a locked computer and a locked computer that has bitlocker which is what I have. Someone mentioned about doing something with the BIOS. But is that necessary or not? I want to know in my situation, is this enough? I basically want to make sure if my laptop is in locked mode like when I go outside for a bit, that someone if they had access to my laptop even for a short time, can't put any malware or do anything on it.


  10. Posts : 15,497
    Windows10
       #10

    Bitlocker protects drive when removed from pc e.g. you have set up secure passwords to login.
    If hacker gets access to pc e.g. weak password, bitlocker does not normally add any protection as normal setup is bitlocked C drive autounlocks if user logs in.

    If laptop is left alone, and running without being locked, nothing can stop a casual person with access to pc doing nefarious things to pcs.

    Regarding hackers, using a pin rather than a password is even more secure as hacker cannot access pc remotely.

    So strong login password is your best defense and using a PIN.

    Never leave pc unattended in running, not locked state.
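The thread keeps returning to which secret actually unlocks the drive: pre-boot PIN, TPM auto-unlock, BitLocker password, or recovery key. The PowerShell below is an added example, not part of any post above; it reads the key protectors on the OS volume and states what each one implies. The function name `Get-BitLockerPostureFinding` and the sample values are hypothetical; `Get-BitLockerVolume` is the built-in cmdlet and needs an elevated prompt.

```powershell
# Added example (not from the thread): explain how a BitLocker OS volume unlocks,
# based on the key protector types configured on it.
function Get-BitLockerPostureFinding {
    param(
        [string]$ProtectionStatus,      # 'On' or 'Off', as reported by Get-BitLockerVolume
        [string[]]$ProtectorType = @()  # KeyProtectorType names, e.g. 'TpmPin'
    )
    $findings = @()
    if ($ProtectionStatus -ne 'On') {
        $findings += 'Protection is off or suspended: the drive is not protected at rest.'
    }
    if ($ProtectorType -match '^TpmPin') {
        # TpmPin or TpmPinStartupKey: a PIN prompt appears before Windows starts.
        $findings += 'TPM+PIN: a powered-off laptop needs the pre-boot PIN (or a recovery key) before Windows loads.'
    }
    elseif ($ProtectorType -contains 'Tpm') {
        $findings += 'TPM only: the drive unlocks automatically at boot; the Windows sign-in is the only prompt.'
    }
    elseif ($ProtectorType -contains 'Password') {
        $findings += 'Password protector (no TPM): the BitLocker password alone unlocks the drive.'
    }
    if ($ProtectorType -contains 'RecoveryPassword') {
        $findings += 'Recovery password present: whoever holds it can unlock the drive without the PIN. Keep it off the device.'
    }
    return $findings
}

# Constructed sample: the thread starter's described setup (PIN at power-on plus a recovery key).
Get-BitLockerPostureFinding -ProtectionStatus 'On' -ProtectorType 'TpmPin', 'RecoveryPassword'

# Live check on this machine (run elevated). Skipped where the BitLocker module is absent.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    Get-BitLockerPostureFinding -ProtectionStatus "$($vol.ProtectionStatus)" -ProtectorType $types
}
```

The protector list only describes the powered-off case; once the machine is running and locked, the volume is already unlocked and the Windows sign-in is what stands in front of it.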


 
