Windows Legacy OS forum

General discussion

How strong is Windows XP user password?

by dc_2000 / December 9, 2008 4:00 AM PST

Hi everyone:

I have a laptop that I keep my customer data in - nothing extraordinary like bank accounts, credit cards, etc. - just people's names, addresses and such. All the data is located in My Documents folder in a custom software that does not have any good password protection. I set up a user account in Windows XP that is required to log in to my laptop. Moreover the My Documents folder for that user account is set to private and the laptop's screen saver that kicks in every 5 minutes is password protected. The password for the Windows XP user account is a 6-character combination, that is not a word in a dictionary.

I'm just curious, say if someone was to steal my laptop, how easy would it be for a hacker to break into my customer data with all the security measures I have? And, if what I have is not enough, how would you recommend to better protect my data?

Thank you in advance!

Within minutes.
by MarkFlax Forum moderator / December 9, 2008 4:16 AM PST

Sadly, XP is not as secure as we like to think, and a professional hacker would be in and exploring around within minutes.

Even for an amateur, someone who just 'happens' to be passing by and finds your laptop in their possession, all they have to do is Google XP Lost Passwords and they can get to a site like Windows Password, Administrator Password, Passware, spend a little cash, and obtain a utility to get into Windows.

If that information is meant to be secure, and most countries nowadays have Data Protection Laws, then you need to rethink your security procedures.

The best place for secure data is off the computer, onto some sort of removable media which is locked away until it is needed.

I hope that helps, and I am sure others here will have comments to make.


"Encrypt contents to secure data" option
by dc_2000 / December 9, 2008 4:55 AM PST
In reply to: Within minutes.

Thank you for your quick response. I do keep a back-up of my data, but again the software I use does not have any substantial means to protect the data, thus it sounds like what I will have to use is some third party (and hopefully Microsoft-provided) means to encrypt it. Honestly, I was under the impression that the user password in Windows XP was a good security measure until recently someone told me otherwise. That is basically why I'm asking it here.

OK. I did some exploring and found out that if I right click on My Documents folder and then go to Properties and then click Advanced, there's a check box that says, "Encrypt contents to secure data". It is not checked now. I'm curious if I check it, will it help better secure my data? I'm also concerned whether it will significantly slow down my computer or not?

Thanks again.

If it is something that *NEEDS* to be kept secure
by mementh / December 9, 2008 2:18 PM PST

If it is something that *NEEDS* to be kept secure, and you have no money or are not willing to spend, get TrueCrypt, which is free and can be used on removable drives, and without the password it's useless.

True Encrypt
by dc_2000 / December 10, 2008 10:36 AM PST

Thanks. I'll give it a try.

Good enough!
by R. Proffitt Forum moderator / December 9, 2008 5:36 AM PST

But if you give me PHYSICAL ACCESS you broke one of the cardinal rules about computer security. Here's what I would use.

-> NTPASSWD (see

As to EFS that is a dead end with a trap laid for users. I can't count how many times I've seen people lock up that data and then lose it. It's not really lost as can get your files back for a fee. I hear there is a free tool but I'll stop here.

Why would you give me physical access to your PC?

Physical access
by dc_2000 / December 9, 2008 12:05 PM PST
In reply to: Good enough!

Well, I wouldn't give you the physical access. What I meant is that what if the laptop got stolen. I understand that in that situation any encryption can be broken. But I don't need that level of protection. Still what would you recommend me to do to protect my data files? Again, I cannot simply WinRAR them under password since those files should be accessible by my accounting software that reads them off the disk.

The good news is that thieves
by R. Proffitt Forum moderator / December 9, 2008 10:33 PM PST
In reply to: Physical access

Have had no interest in mining your accounting data. However they would be very interested in what this next tool will give up.

Remember that if I have your PC I can get in with NTPASSWD. I would have no interest in your accounting files.

But I would head straight to this tool -> The protected storage explorer noted at

You don't have to read that discussion as I really want you to find this software at

Shouldn't you be more concerned about what's in the 'Protected Storage Area?'

-> Scary?

Protected area
by dc_2000 / December 10, 2008 10:34 AM PST

Well, first of all, I'm not sure why that web site with that software is still up. My anti-virus program caught and stopped that program immediately, so you wouldn't be able to run it remotely to retrieve all the passwords. As for the case when you physically have my laptop in your possession then you will have to be logged in to my account to retrieve all that data. I agree with you that one can reset my Windows XP Pro user password (dumb Microsoft product got fooled again - I'm curious if OS X is as unsafe as that?) - but what if I had my C:\Documents and Settings\User Name folder encrypted with the Encrypting File System. Then even if you got to log in to my user account all of the user data will be inaccessible anyway?

What you need to know.
by R. Proffitt Forum moderator / December 10, 2008 10:55 AM PST
In reply to: Protected area

Is that if you run the protected area viewer some antivirus programs catch it since you wouldn't want software to read it without your knowledge.

But you must find out what is in there so when you figure it out, this is the tool so you can remove those passwords and such you don't want on your PC.

It's your choice to clean it up or not.

-> In regards to True Crypt. Nice but it's a trap. If you use EFS, True Crypt or such and don't keep a backup copy that is unencrypted, someday you'll remember why I warn about such things. I can't count how many times people lose the files they wanted to safeguard.

by dc_2000 / December 10, 2008 2:34 PM PST
In reply to: What you need to know.

>"if you run the protected area viewer some antivirus programs catch it since you wouldn't want software to read it without your knowledge."

Well, I see your point but I don't really trust such software. I mean, since it can show the sites and the log-in passwords what stops it from http'ing it to some hacker who wrote it?

>"If you use EFS, True Crypt or such and don't keep a backup copy that is unencrypted someday you'll remember why I warn about such things"

Yeah, I understand. I will back up my data. No arguments about it.

Can you tell me, if I use EFS for my "important" data folder, how secure is that protection? I mean how long would it take a dedicated hacker to break it if they physically have my computer?


We have a discussion about the
by R. Proffitt Forum moderator / December 10, 2008 9:22 PM PST
In reply to: ...

Protected viewer in our security forum. It's been discussed and if you elect not to look in the protected storage area you are leaving content you may not want on your PC ready for those that will.

As to EFS. I noted above about can recover EFS encrypted content. If you were to use EFS it's probably safer than TrueCrypt in the long run.

Hope this covers this well enough for you and you will look what's in the protected storage area before someone does.

by dc_2000 / December 11, 2008 5:21 AM PST

Thanks for your help, Bob. Now I have much more knowledge about Windows XP security than I had a week ago. I will definitely use the EFS encryption since at least it is built into the OS and I don't have to use some third party product (and slow down my computer even more).

As for that lostpassword dot com, I hope you're not associated with them, like the poster below that says that "truecrypt is uncrackable", which is a total baloney since any code can be broken into - it depends on how much time one wants to dedicate to cracking it.

Also note limitations of recovery ...
by Bill Osler / December 13, 2008 11:36 PM PST

The information at states:

EFS Recovery Key
To retrieve the files, the encryption password must be known or SAM database must be present.

I confess I don't know what a SAM database is but I gather this is a significant limitation if they put it in large print at the top of the page for the product they are selling.

by Nightmares0nwax / December 10, 2008 5:06 PM PST

truecrypt AES 512bit key encryption is uncrackable, it will format a space on your hard drive with ntfs which can then be mounted by truecrypt.

The recommended password length is 10+ with numbers at the very least.

Oh, really?
by dc_2000 / December 11, 2008 5:26 AM PST
In reply to: truecrypt

>"truecrypt encryption is uncrackable"

Why are you saying that? Guys, I really don't care about someone's sales pitch.

AES security
by Slackenerny / December 12, 2008 5:46 PM PST
In reply to: Oh, really?

If the software really deploys AES 512 bit PROPERLY then it's very difficult to crack by today's computers. The big question mark of course is how well it is deployed (I have no idea since this must be some sort of commercial secret). As shown by WEP's failure, a safe cipher can be broken not because of its inherent weaknesses, but because of mis-implementation.

If you are using EFS, may I remind you that the data is also encrypted with AES anyway, so to an extent the ciphers used by EFS and TrueCrypt are similar.

Windows security & truecrypt
by Ck87.JF / December 13, 2008 1:55 PM PST
In reply to: Oh, really?

Currently, that level of encryption used by truecrypt is uncrackable, though obviously one day it will be cracked.

Anyway, a few notes that haven't been mentioned yet.

A couple of easy ways for someone to get to your information if it is not encrypted are to:
A) Use an Ubuntu live CD which can mount your hard drive and then read the entire contents of the hard drive, even your personal documents folder. I have used this in the past to copy a client's documents from their malware-ridden computer to another hard drive (it was too bad/slow to actually use the Windows OS).
B) Use Ophcrack, which is a Linux live CD that cracks Windows passwords under 15 characters long. It can even crack passwords with a combination of upper/lower case letters, numbers, and special characters. I have used this for some other clients to retrieve lost passwords.
