Iâm trying not to get my personal details, er, hijacked if my laptop is stolen. Is there any way I can protect myself, assuming a decent password is no defence? Iâm running Windows 7 Pro. Steve
How much security do you need, and how much are you willing to pay for it? The answers will depend on what kind of information you want to protect, where the information is stored and who you are protecting it from.
For example, if you have thousands of secret government documents and the CIA, FBI and MI5 are on your tail, then you will need to take serious precautions. These will cover your email communications and browsing data, as well as the physical security of your laptop.
People in the medical and financial industries also have to take extreme care of laptops that contain other peopleâs personal data, because they can be fined for losing it. But if your laptop is for personal use only, whatâs the actual risk, and how can you minimise it?
My own approach has changed over the years. In the 1990s, my laptops had most of the same software and data as my desktops. Nowadays, I take the view that a laptop can be more or less empty, apart from Microsoft Office and certain utilities. If I need more data, I can store it in the cloud, or log on to my desktop PC remotely.
International travellers, especially journalists, are easy targets for police state operations, including the UKâs. You basically have no rights, and youâre unlikely to get any legal advice. I prefer to be in a position where I have nothing to hide, and if my Â£150-to-Â£350 Windows laptop is confiscated or stolen, I really donât have to care. I can easily buy another, log on with my Windows Account, and say: âset it up like thisâ (picking the stored profile of the old one).
Passwords and encryption
If someone has physical possession of your laptop, passwords are not much help. They can use a guest account (unless you disabled it), boot your PC with a different operating system (Linux), or remove the hard drive and install it in another PC. Encryption is the only viable defence.
The Intercept has a useful article, Encrypting Your Laptop Like You Mean It, which covers Windows, macOS/OS X and Linux. It points out that full disk encryption (FDE) doesnât protect you against malicious websites and viruses, nor does it stop internet surveillance. Even a fully encrypted laptop can be hacked using, for example, the âevil maidâ attack.
Of course, if you go for FDE, you must remember your password, or you lose access to your PC. It may therefore be safer to encrypt important files and folders, which you will obviously have backed up somewhere else.
You can do this with Windows 7 Proâs built-in encrypting file system. Right-click the file or folder, select properties, and click the advanced button to bring up the sheet called âadvanced attributesâ. The bottom half offers two options: âCompress contents to save disk spaceâ and âEncrypt contents to secure dataâ. This doesnât ask for a password: it uses a file encryption certificate, which you have to back up to a USB key or similar. Messing around with certificates is tedious …
You can also do the job with VeraCrypt, or â my preference â with a file compression/archiving program such as 7-Zip, PeaZip, WinRAR and so on. For maximum security, you should use a recent archiver that supports 256-bit AES encryption. Manchester University has a handy guide to using 7-Zip (PDF).
As the university points out, you should use Microsoft Officeâs built-in encryption for Office files.
Biometrics and authentication
Governments and large corporations often use biometrics and two-factor authentication (2FA) to increase security. Some laptops have had built-in fingerprint readers since the turn of the century, and AuthenTec shipped 100m fingerprint sensors before Apple bought the company. Various laptops have also shipped with face- or iris-recognition programs that use built-in webcams.
Ideally, the biometric should be linked to the encryption system. For example, Dellâs Digital Persona Fingerprint Suite provides one-touch log-ons and also adds the option to encrypt and decrypt files.
Today, face- and fingerprint-based authentication are included in Windows Hello, which is an important part of Windows 10. Itâs part of the increased security that prompted the US Defense Department to start moving to Windows 10 as rapidly as possible. If your laptop doesnât have an Intel RealSense-compatible camera or suitable fingerprint sensor, this will not help you, but itâs worth bearing in mind if you upgrade.
Two-factor authentication is becoming increasingly popular. It is usually based on something you have, plus something you know. The most familiar example is a bank card and a pin. For many years, some business laptops have used slot-in smartcards for extra security, or small gadgets that generate the required pin.
Today, 2FA is often based on using a smartphone. For example, to confirm a Microsoft, Google or a Twitter account, the company sends you a passcode in an SMS message.
The obvious next step would be to use a smartphone to secure your laptop. One example is the Rohos Logon Key, which works on Windows PCs and Macs.
Rohos also offers a system that lets you log on to your laptop using a USB thumb drive as a security token. Alternative systems include KeyLock and USB Raptor. However, Iâve never used any of these. Worse, Iâve never seen anyone else use them either.
Email and web security
If thereâs any compromising data on your laptop, you can remove, encrypt or otherwise hide it. The problem is that someone who can access your laptop may also have access to your email and all the websites you use, including Facebook, Twitter and Amazon.
This problem is usually that passwords are stored, for convenience, in the browser. The solution is to remove them and either remember passwords separately, or use a master password or password manager. For instructions, search for âmanage passwordsâ and the name of your browser.
Email is also risky. Your mailbox probably contains lots of information that would be useful for identity theft. It may include emails containing plain text passwords, and someone with access to your email address can get other account passwords reset. Further, your email password may provide direct access to many other services including cloud drives (OneDrive, Gdrive etc), camera rolls, blog sites and other personal stuff.
You may be able to avert the worst even if your laptop is stolen. For example, Prey is a free program that lets you track the location of a stolen Windows or Linux PC, a Mac or Android device. The paid-for Personal version also allows âremote wipeâ for three devices for $5 (Â£3.80) a month.
Windows 10 includes âfind my deviceâ tracking as standard, but it doesnât have âremote wipeâ. Also, it wonât stop the thief from doing a factory reset then selling your laptop, though that may be the least bad outcome from your point of view.
Have you got another question for Jack? Email it to Ask.Jack@theguardian.com