Is it secure to Automatic Login to users accounts in XP?

Hi, I know a solution that can make users to automatic logon to their
accounts in XP. Please refer to:
http://kgiii.info/windows/XP/general/auto_login.html

I am wondering whether the automatic login is secure or not.
Does it make the OS more vulnerable for being hacked?


--
Thank you for your help!

Galen
Mon Nov 06 06:24:05 CST 2006

In news:uUcZVQZAHHA.5068@TK2MSFTNGP02.phx.gbl,
smith had this to say:

My reply is at the bottom of your sent message:

> Hi, I know a solution that can make users to automatic logon to their
> accounts in XP. Please refer to:
> http://kgiii.info/windows/XP/general/auto_login.html
>
> I am wondering whether the automatic login is secure or not.
> Does it make the OS more vulnerable for being hacked?

Answered already in the other section for you? Yes - if not from an external
source then from the more important souce which is someone sitting in front
of the computer with physical access.

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/ http://kgiii.info/

"Chance has put in our way a most singular and whimsical problem, and
its solution is its own reward." - Sherlock Holmes

smith
Mon Nov 06 06:39:45 CST 2006

Well...My computer would not be accessible physically except myself. So,
without physical access, the automatic logon is safe enough?

--
Thank you for your help!
"Galen" <galennews@gmail.com> дÈëÏûÏ¢ÐÂÎÅ:usgy05ZAHHA.2328@TK2MSFTNGP02.phx.gbl...
> In news:uUcZVQZAHHA.5068@TK2MSFTNGP02.phx.gbl,
> smith had this to say:
>
> My reply is at the bottom of your sent message:
>
>> Hi, I know a solution that can make users to automatic logon to their
>> accounts in XP. Please refer to:
>> http://kgiii.info/windows/XP/general/auto_login.html
>>
>> I am wondering whether the automatic login is secure or not.
>> Does it make the OS more vulnerable for being hacked?
>
> Answered already in the other section for you? Yes - if not from an
> external source then from the more important souce which is someone
> sitting in front of the computer with physical access.
>
> --
> Galen - MS MVP - Windows (Shell/User & IE)
> http://dts-l.org/ http://kgiii.info/
>
> "Chance has put in our way a most singular and whimsical problem, and
> its solution is its own reward." - Sherlock Holmes
>

smith
Mon Nov 06 06:54:13 CST 2006

I have done what you said. But...I still wonder if the operation is an
automatic login with *remembered password*. It seems that it is a automatic
login without any password which is not any secure measurement for the
system login. Would it make Administrator account logined automatically
without any password?

Thanks.

--
Thank you for your help!
"Galen" <galennews@gmail.com> дÈëÏûÏ¢ÐÂÎÅ:usgy05ZAHHA.2328@TK2MSFTNGP02.phx.gbl...
> In news:uUcZVQZAHHA.5068@TK2MSFTNGP02.phx.gbl,
> smith had this to say:
>
> My reply is at the bottom of your sent message:
>
>> Hi, I know a solution that can make users to automatic logon to their
>> accounts in XP. Please refer to:
>> http://kgiii.info/windows/XP/general/auto_login.html
>>
>> I am wondering whether the automatic login is secure or not.
>> Does it make the OS more vulnerable for being hacked?
>
> Answered already in the other section for you? Yes - if not from an
> external source then from the more important souce which is someone
> sitting in front of the computer with physical access.
>
> --
> Galen - MS MVP - Windows (Shell/User & IE)
> http://dts-l.org/ http://kgiii.info/
>
> "Chance has put in our way a most singular and whimsical problem, and
> its solution is its own reward." - Sherlock Holmes
>

Galen
Mon Nov 06 07:36:36 CST 2006

In news:eOtmoKaAHHA.4212@TK2MSFTNGP02.phx.gbl,
smith had this to say:

My reply is at the bottom of your sent message:

> I have done what you said. But...I still wonder if the operation is an
> automatic login with *remembered password*. It seems that it is a
> automatic login without any password which is not any secure
> measurement for the system login. Would it make Administrator
> account logined automatically without any password?
>
> Thanks.

Automated login with or without a password is not secure at all. Even if you
are the only person who has access to your PC right now that's not
preventing anyone from accessing it when you're not there or from stealing
it and accessing your account (and files, information, banking information,
any saved passwords, etc) at their leisure.

The option that you've enabled - which automatically logs the profile
selected in - is the only option you have to enable the automatic
recollection of the profile password. There aren't any other options, be the
password blank or 256 characters and symbols long, it logs in automatically
and there's no security involved regardless. That means anyone who turns on
your PC can use it. With your account. With your information. A password as
strong as is possible is no good if it is taped to the monitor, under the
desk, or input automatically.

Using a password on the PC isn't going to do you any good for protecting vs.
remote attacks realistically. (Unless, of course, you have a WOL with a VNC
setup that loads pre-OS which would just be plain silly anyhow so we'll
ASSUME you don't have such.) Password protected accounts, EFS, and proper
permissions for the file system are the only defense you have built in with
the OS to keep your system physically secured. (EFS is a no-go with XP Home
by the way.)

If you want multiple accounts listed on the welcome page and want to be able
to log in to any of them without a problem then, well, just remove their
passwords - you can't make it autofill those passwords if that's your goal
but it will happily log you in (and be insanely insecure) simply by clicking
the account (and maybe hitting enter if it asks for a password) if you
simply remove the passwords. Again, doing so is really not the best
solution.

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/ http://kgiii.info/

"Chance has put in our way a most singular and whimsical problem, and
its solution is its own reward." - Sherlock Holmes

Frank
Mon Nov 06 15:24:45 CST 2006

"smith" <@discussion.com> wrote in message
news:eOtmoKaAHHA.4212@TK2MSFTNGP02.phx.gbl...
>I have done what you said. But...I still wonder if the operation is an
>automatic login with *remembered password*. It seems that it is a automatic
>login without any password which is not any secure measurement for the
>system login. Would it make Administrator account logined automatically
>without any password?


Windows remembers your password anyway. Else how would it know you typed in
the correct password?

--
Frank Saunders, MS-MVP OE/WM
http://www.fjsmjs.com
Answer in newsgroup. Don't send mail.

Ian
Thu Nov 09 06:17:02 CST 2006

On XP Pro, user-accounts can also act as gateways to shared folders. Hence it
is better to have a password set and use automatic logon, than it is to leave
the account with no password. (Which potentially may expose shares to attack
across the LAN)

If setting autologon, remember to disable the forced 42 day password-change
as well, or else you've got what is effectively a concealed, ticking timebomb
on the computer!

The password is stored in encrypted form, and is reasonably secue. However,
it would be wise to make the autologon password distinct from any other
system passwords in case a way of 'harvesting' it is found (as has happened
to stored Outlook passwords)

BTW, typed-in passwords are NOT stored on the computer, they are compared
with a hash. The hash-comparison verifies that the correct password was
entered, but the actual password cannot be deduced from the hash.

http://en.wikipedia.org/wiki/Cryptographic_hash_function