Windows 11 Password


Scott Livingston

Jan 24, 2026, 4:46:04 PM
to howthi...@googlegroups.com

Hello,

 

I need some help and input here please.


About a month ago, a client retired and took his laptop home from the domain environment to his home network. I offered for 1 hour labor to set it back up so that it was secure. He declined. 2 weeks later, his laptop was compromised and he lost a vast sum of money. Because the bad actor was able to log into his laptop, it didn’t have a timeout or lockscreen, they were able to operate as him and siphon about $2M from his Vanguard account.

 

This caused me to audit all of my home users to see that at least the user accounts were password protected and that they timed out after 5 minutes.

 

That brings me to Fred. Fred refuses to have a password on his user account, and insists on it being an admin account. Without a password, there is no way to log the machine off. He has his wife’s PC and a couple other PCs on the network which are vulnerable. He does his banking and all of his financial stuff on the laptop. He refuses to listen to reason. I have told him that it is not a matter of IF you get compromised, it is a matter of WHEN.

 

So my question for HTW is, what would you say to him? What would you say in the face of this? I am running out of patience.


Any input appreciated.

-ScottL

 

 

 

Scott Livingston

Arcane Computing, Inc.

847.804.3515

www.arcane-computing.com

 

"Who cares what you believe, "Said the captain, amazed.
"If you stood in my shoes Your eyes would be glazed."

-Neil Young/Greendale/Devil’s Sidewalk

https://www.youtube.com/watch?v=mqYNlJ1G_Ag

 

Paul Koning

Jan 24, 2026, 4:50:58 PM
to howthi...@googlegroups.com
I assume he doesn't have a firewall with essentially everything disabled, right?  If he does, then things aren't totally bleak.

I would use an analogy.  He left his checkbook and his wallet full of cash on the kitchen table, and his doors are never locked.  Oh yes, and he lives in NYC.

If he does have a firewall, the analogy is similar but he does have a lock on his door.  But he's still in NYC and he still leaves all his money out on the kitchen table.

paul

-- 
You received this message because you are subscribed to the Google Groups "howthingswork" group.
To unsubscribe from this group and stop receiving emails from it, send an email to howthingswor...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/howthingswork/00d301dc8d7a%24d5cde7c0%248169b740%24%40arcane-computing.com.

Scott Livingston

Jan 24, 2026, 5:07:04 PM
to howthi...@googlegroups.com

Paul,

 

He has a rudimentary firewall in his router. However, the method that the bad actors are using these days is port 80 clients that are taking control of the PCs without the user’s knowledge. I have had 2 other users walk into their offices (home) and see activity on their PCs. That’s when I get the frantic phone calls.

 

Scott

joel.e...@gmail.com

Jan 24, 2026, 5:10:23 PM
to howthi...@googlegroups.com
If you have any business relationship with Fred that relies on his data being secure, or that could somehow boomerang back and make you appear somehow at fault for any losses Fred may incur, you should be just as concerned about the risk to you.

Have you asked him why he refuses to have a password?  It’s possible it is a reason that could be mitigated.


On Jan 24, 2026, at 4:50 PM, Paul Koning <pa0...@gmail.com> wrote:

I assume he doesn't have a firewall with essentially everything disabled, right?  If he does, then things aren't totally bleak.

Scott Livingston

Jan 24, 2026, 5:19:29 PM
to howthi...@googlegroups.com

Thank you Paul. Maybe sometime tomorrow we can talk about this. You happen to know “Fred”.

 

Scott

 

From: howthi...@googlegroups.com <howthi...@googlegroups.com> On Behalf Of joel.e...@gmail.com
Sent: Saturday, January 24, 2026 4:10 PM
To: howthi...@googlegroups.com
Subject: Re: [htw] Windows 11 Password

 

If you have any business relationship with Fred that relies on his data being secure, or that could somehow boomerang back and make you appear somehow at fault for any losses Fred may incur, you should be just as concerned about the risk to you.

Scott Livingston

Jan 24, 2026, 5:21:05 PM
to howthi...@googlegroups.com

Dave Typinski

Jan 24, 2026, 7:24:16 PM
to howthi...@googlegroups.com
Was this intrusion due to a bad actor having physical access to the laptop? Or
was it something he downloaded and ran that ended up containing malware?

I tend to see the guy's point re passwords -- they're a PITA -- but not on a
machine that does banking or anything else important. That's the difference
between the world we live in and the world we /wish/ we lived in.

Sounds to me like he just received two million reasons to clean up his computing
security act. Either that or two million reasons for you to say to him, "Here's
your sign" Bill Engvall style. If losing $2m doesn't convince him, I doubt
there's anything you can say that would offer stronger encouragement.
--
Dave


On 1/24/26 16:46, Scott Livingston wrote:
> Hello,
>
> I need some help and input here please.
>
>
> About a month ago, a client retired and took his laptop home from the domain
> environment to his home network. I offered for 1 hour labor to set it back up so
> that it was secure. He declined. 2 weeks later, his laptop was compromised and
> he lost a vast sum of money. Because the bad actor was able to log into his
> laptop, it didn’t have a timeout or lockscreen, they were able to operate as him
> and siphon about $2M from his Vanguard account.
>
> This caused me to audit all of my home users to see that at least the user
> accounts were password protected and that they timed out after 5 minutes.
>
> That brings me to Fred. Fred refuses to have a password on his user account, and
> insists on it being an admin account. Without a password, there is no way to log
> the machine off. He has his wife’s PC and a couple other PC’s on the network
> which are vulnerable. He does his banking and all of his financial stuff on the
> laptop. He refuses to listen to reason. I have told him that it is not a matter
> of IF you get compromised, it is a matter of WHEN.
>
> So my question for HTW is, what would you say to him? What would you say in the
> face of this? I am running out of patience.
>
>
> Any input appreciated.
>
> -ScottL

Mike Schietinger

Jan 25, 2026, 8:35:51 AM
to howthi...@googlegroups.com
Log in password and screen lock don't provide any meaningful security layers for a home user. They are meant to protect from physical access. If an external remote connection gets established they can get whatever they want anyway.

The current method is to set a new password and force a screen blank so they can work on the machine without interruption from the end user. User can't log in and the actor has full desktop. Or set a key logger and sniff everything without desktop. Usually both. Ever see a user with a password prompt they don't know? They put in every password they have ever used anywhere, so collect them and you have all the passwords. For everything in a list.
Mike


Scott Livingston

Jan 25, 2026, 9:04:26 AM
to howthi...@googlegroups.com

So Mike and Dave, you’re saying you don’t use a password on your workstations?

 

-ScottL

 

From: howthi...@googlegroups.com <howthi...@googlegroups.com> On Behalf Of Mike Schietinger
Sent: Sunday, January 25, 2026 7:36 AM
To: howthi...@googlegroups.com
Subject: Re: [htw] Windows 11 Password

 

Log in password and screen lock don't provide any meaningful security layers for a home user. They are meant to protect from physical access. If an external remote connection gets established they can get whatever they want anyway.

Mike Schietinger

Jan 25, 2026, 9:08:29 AM
to howthi...@googlegroups.com
I'm saying a password on a home computer doesn't do anything. Our business computers use Windows hello authentication,

Scott Livingston

Jan 25, 2026, 9:18:46 AM
to howthi...@googlegroups.com

So you are saying that all home computers are insecure?

Mike Schietinger

Jan 25, 2026, 9:29:02 AM
to howthi...@googlegroups.com
I mean every computer is inherently insecure. I would say that home users are what's insecure, not necessarily the computers.

Scott Livingston

Jan 25, 2026, 9:34:12 AM
to howthi...@googlegroups.com

But wouldn’t you say that not even using a logon password is just asking for trouble? I mean you’re just leaving the door open for a bad actor.

Mike Schietinger

Jan 25, 2026, 9:35:26 AM
to howthi...@googlegroups.com
How does the bad actor get in, that the password stops?

Scott Livingston

Jan 25, 2026, 9:43:11 AM
to howthi...@googlegroups.com

In the last 2 instances I’ve seen the machine was infected with a remote control client, whether by the user clicking on something or downloading something. Since the PC didn’t lock, the bad actor was able to do whatever they wanted until the activity was noticed by the user. My assumption is that if the PC was at least protected by a logon password the bad actor wouldn’t have free rein over the PC. That doesn’t take into account the remote client. I don’t know the solution to that one.

Mike Schietinger

Jan 25, 2026, 9:53:16 AM
to howthi...@googlegroups.com
That's where you are mistaken, with the remote access, the password is irrelevant. The attacker already has full access to the machine and all its data and passwords. They can just inject a new local admin, password reset and go back in. 

The question isn't how you mitigate after compromise, but how you prevent, detect, and lock down. 
Look at something like Huntress which monitors computers for backdoors and when it detects one it shuts off the Internet to the machine.

Or you make the user shut off the computer every time they aren't sitting in front of it like my father in law does.
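
A read-only audit covering the checks discussed in this thread (password-protected accounts, the 5-minute lock, who holds local admin, and recently created accounts or password resets), given here as an added example that is not from any of the posters. It assumes a standalone Windows 10/11 PC, an elevated PowerShell prompt, the default account-management auditing, and an arbitrary 30-day look-back.

```powershell
# Added example: read-only audit of a standalone Windows 10/11 PC.
# Run from an elevated PowerShell prompt (reading the Security log needs it).

$lockLimitSeconds = 300   # the 5-minute timeout mentioned in the thread
$lookbackDays     = 30    # assumption: arbitrary look-back window

# 1. Enabled local accounts that are ALLOWED to have a blank password.
#    PasswordRequired = False means blank is permitted, not that it is blank.
$blankAllowed = Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    Select-Object Name, PasswordLastSet, LastLogon

# 2. Who holds local admin (S-1-5-32-544 is the built-in Administrators group).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Idle lock for the current user: a password-protected screen saver, or the
#    machine inactivity limit policy. Sleep / sign-in-on-wake is not checked.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$pol  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
            -ErrorAction SilentlyContinue

$saverSeconds  = [int]$desk.ScreenSaveTimeOut        # missing value becomes 0
$policySeconds = [int]$pol.InactivityTimeoutSecs     # missing value becomes 0

$saverLocks  = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
               ($saverSeconds -gt 0) -and ($saverSeconds -le $lockLimitSeconds)
$policyLocks = ($policySeconds -gt 0) -and ($policySeconds -le $lockLimitSeconds)

# 4. Account changes worth a second look after a suspected remote-control session:
#    4720 = user account created, 4724 = password reset attempted,
#    4732 = member added to a local security group.
$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4724, 4732
        StartTime = (Get-Date).AddDays(-$lookbackDays)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Target    = $data['TargetUserName']   # account or group acted on
            MemberSid = $data['MemberSid']        # only present on 4732
            By        = $data['SubjectUserName']  # account that made the change
        }
    }

# Summary first, then the event timeline.
[pscustomobject]@{
    BlankPasswordAllowed = @($blankAllowed.Name) -join ', '
    LocalAdmins          = @($admins.Name) -join ', '
    LocksWithinLimit     = $saverLocks -or $policyLocks
    AccountChangeEvents  = @($events).Count
} | Format-List

$events | Sort-Object Time | Format-Table -AutoSize
```

An account-creation or group-add event that nobody in the household can explain is the signal to treat the machine as compromised, whatever the password and lock settings report.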

Mark Kinsler

Jan 25, 2026, 12:31:14 PM
to howthi...@googlegroups.com
Aren't there password-defeating programs?  Long ago I entered a password I used to use a lot into what was said to be an on-line password evaluator that would tell you how long it would take to guess your password.  I tend to use rather obscure combinations consisting of part numbers from electronic circuits I once used.  Some of my earlier non-electronic passwords yielded solution times in minutes, if that.  But my electronic passwords, they said, would take 31 years to solve. 



--
Mark Kinsler
512 East Mulberry Street
Lancaster, Ohio USA 43130
740-503-1973

Paul Koning

Jan 25, 2026, 1:04:10 PM
to howthi...@googlegroups.com


> On Jan 25, 2026, at 8:35 AM, Mike Schietinger <mschie...@gmail.com> wrote:
>
> Log in password and screen lock don't provide any meaningful security layers for a home user. They are meant to protect from physical access. If an external remote connection gets established they can get whatever they want anyway.

I partly agree, but often remote access services use the password to limit access. SSH is a case in point (in its most basic form, that is).

I'm not sure what a "port 80 client" means. Is the PC accepting connections on port 80? That's obviously wrong unless it is meant to be a web server, and if it's a web server it shouldn't be a personal machine.

It's hard for me to give a good answer because on principle I do not use Windows (except on a work machine where I have no choice, and there the security is someone else's job). My home systems are Mac and Linux, and the firewall blocks almost everything inbound. And on top of that, I have a filter on my Mac that limits outbound connections (a nice utility called "Little Snitch"). And I use passwords. And SSH access (which is quite limited in any case) uses public key authentication, refusing all username/password access.

paul

Dave Typinski

Jan 25, 2026, 1:51:39 PM
to howthi...@googlegroups.com
Clarification: PWs are a giant, annoying PITA -- but due to the reality of human
nature, PWs are absolutely necessary.
--
Dave


On 1/25/26 09:04, Scott Livingston wrote:
> So Mike and Dave, you’re saying you don’t use a password on your workstations?
>
> -ScottL
>
> *From:*howthi...@googlegroups.com <howthi...@googlegroups.com> *On
> Behalf Of *Mike Schietinger
> *Sent:* Sunday, January 25, 2026 7:36 AM
> *To:* howthi...@googlegroups.com
> *Subject:* Re: [htw] Windows 11 Password

Mark Kinsler

Jan 25, 2026, 7:34:39 PM
to howthi...@googlegroups.com
Okay.  Now I am really lost.  Right now, my computerized accounts are protected as follows.  Bitwarden has my various passwords, as does Firefox, at least some.  Bank accounts and about everything else, including such assets like timesavers.com, butterworth clocks.com, and temu.com, are also password protected.  How effective that is, I don't know.  Shared funds are with Raymond James and several banks who know us.

I do not know what else I ought to be doing for protection.  Our Wi-Fi has a firewall, created by Scott Livingston, but most Internet stuff is via Ethernet.  

I have great respect for Scott, who has been looking after us for years, but Natalie and I are confused by the range of recent opinion on HTW.  Thanks.


Dave Typinski

Jan 25, 2026, 10:46:33 PM
to howthi...@googlegroups.com
If Scott set up your firewall, you can bet it's configured correctly.

You may, however, wish to stop letting Firefox remember passwords and user IDs
-- after all, you have Bitwarden for that. Letting Firefox store credentials is
defeating Bitwarden's purpose. There's always a possibility that a
vulnerability exists in Firefox that could let a web site steal that information
from Firefox's database. That possibility is remote, but do you really want to
roll those dice for the sake of convenience?
--
Dave


On 1/25/26 19:33, Mark Kinsler wrote:
> Okay. Now I am really lost. Right now, my computerized accounts are protected
> as follows. Bitwarden has my various passwords, as does Firefox, at least some.
> Bank accounts and about everything else, including such assets like
> timesavers.com <http://timesavers.com>, butterworth clocks.com
> <http://clocks.com>, and temu.com <http://temu.com>, are also password
> protected. How effective that is, I don't know. Shared funds are with Raymond
> James and several banks who know us.
>
> I do not know what else I ought to be doing for protection. Our Wi-Fi has a
> firewall, created by Scott Livingston, but most Internet stuff is via Ethernet.
>
> I have great respect for Scott, who has been looking after us for years, but
> Natalie and I are confused by the range of recent opinion on HTW. Thanks.

Mike Schietinger

Jan 26, 2026, 8:35:15 AM
to howthi...@googlegroups.com
Scott and I, who know and respect each other professionally, are discussing the specific case of a Windows login password on a desktop in your home. 
The broader issue of passwords on websites and services you use isn't in question, and my stance is that you have a unique password on everything that matters at all. That you have 2 factor auth set up on any account that has a payment method saved in it. And that you protect Crown Jewel accounts like your with the absolute utmost security you can have.

With a hardware firewall, Windows firewall, and standard home configuration, there are zero enabled external ports or services that someone could connect to. They can't access port 80 because you aren't running IIS and the firewall isn't open past NAT. You can't just SSH in to a computer without a password because SSH isn't running on the computer unless you specifically set it up.

What you can do is let some guy that says they work for Apple and you've been hacked install LogMeIn and grant himself permanent access to your machine by clicking what he tells you to do so he can check your computer. Once you've done that he can make or change passwords at will, lock you out and do whatever he wants with all your logins.

It doesn't matter if you lock your door or not if you let people in when they knock. 


Paul Koning

Jan 28, 2026, 1:00:49 PM
to howthi...@googlegroups.com


> On Jan 25, 2026, at 10:46 PM, Dave Typinski <dav...@typnet.net> wrote:
>
> If Scott set up your firewall, you can bet it's configured correctly.
>
> You may, however, wish to stop letting Firefox remember passwords and user IDs -- after all, you have Bitwarden for that. Letting Firefox store credentials is defeating Bitwarden's purpose. There's always a possibility that a vulnerability exists in Firefox that could let a web site steal that information from Firefox's database. That possibility is remote, but do you really want to roll those dice for the sake of convenience?

True, and this is why the most important accounts I have don't get their passwords stored in the browser.

Then again, vulnerability in Firefox is indeed a remote possibility -- after all, it is open source; the "thousand eyeballs" rule applies. I'd be far more worried about MS proprietary browsers, just as I am of anything Microsoft does because security just isn't in their DNA as the first thing to do.

paul


Dave Typinski

Jan 28, 2026, 2:10:22 PM
to howthi...@googlegroups.com
Reading Bruce Schneier's monthly newsletter keeps me paranoid enough that I
don't let FF or Windows remember /anything/ except the bare minimum to make the
OS work. All creds for external services get saved to Password Safe Portable on
a USB thumb drive that lives on my key ring, which is religiously backed up to a
local HDD, which is itself just a big TrueCrypt volume that's also religiously
backed up with the 3-2-1 rule.
--
Dave