Bitlocker - Make login password impossible to break with software.

ztplru

Honorable Member
Dear all,

Before you can help me here you must understand fundamentally what Bitlocker is about.

Bitlocker:
-------------------------------------------------------------------
The idea with Bitlocker is that you do not enter a bitlocker password when you boot up. Your TPM does this for you. As long as your hardware and bootloader haven't changed, bitlocker will be seamless to you. So, yes, your PC is only as secure as your Windows password is in the event it is lost. I think this surprises many people when it comes to bitlocker.

However, if you pull your hard drive and put it into another box, it will prompt for the 48bit recovery key.

Without encryption, if you left your laptop lying around, and I picked it up, and could not guess your password, all I have to do is pull the drive out, plug it into another computer and I have all of your data. Bitlocker protects against this scenario!
-------------------------------------------------------------------

Well, it's obvious that if someone steals my laptop, they will be able to break into the OS and get my data!

Do any of you Windows 10 gurus, or any of you who face the same scenario, know how to prevent the Windows 10 login password from being easily broken?
Or another solution you can propose?
There is 3rd party software and ways to easily break it!

I can set up a PIN for bitlocker, but I would prefer just the login password and nothing else if possible.


Your insight is truly welcome!
 

Neemobeer

Windows Forum Team
Staff member
The recovery key is the decryption key. This is stored in the TPM (if one is present) and the TPM will check a variety of attributes to make sure nothing has been tampered with. Logging into Windows will load the key into memory and decrypt data on the fly. If the system is unlocked (aka logged into) someone could steal your data (this is called data in use). When you pull the drive out you are prompted for the recovery key (aka the decryption key, which is stored in the TPM on the original hardware); without it the "data at rest" remains encrypted.



If someone steals the laptop they would have to brute force your password to gain access to the data. Offline password reset tools won't work since none of the data that needs to be accessed is unencrypted, and it can't be modified by such tools.
 

ztplru

Honorable Member
If someone steals the laptop they would have to brute force your password to gain access to the data.
Dear Neemobeer,

Kon-Boot and Windows Password Reset are utilities to achieve this. And I've read about ways to bypass the boot login etc.
This is apparently super easy, regardless of whether your password is strong.
This is what I am trying to fortify! If it's not possible I will have to set up a bitlocker PIN.

Offline password reset tools won't work since none of the data that needs to be accessed is encrypted and can't be modified by such tools
I use local authentication. I don't have a Microsoft account to authenticate!
Please what did you mean by "none of the data that needs to be accessed is encrypted and can't be modified by such tools"?
Can you elaborate?
 

Neemobeer

Windows Forum Team
Staff member
Those offline tools require access to the SAM database which is stored on the bitlocker encrypted volume. It can't be modified since the data is encrypted.
 

ztplru

Honorable Member
Those offline tools require access to the SAM database which is stored on the bitlocker encrypted volume. It can't be modified since the data is encrypted.

By offline tools you refer to Kon-Boot for example?
So all in all you're saying with bitlocker active it's almost impossible to break the login password?
 

Neemobeer

Windows Forum Team
Staff member
Correct. There are known attacks on memory to steal the recovery key, but that only works when a system is on and logged into.
 

ztplru

Honorable Member
Correct. There are known attacks on memory to steal the recovery key, but that only works when a system is on and logged into.

Why would anyone set the bitlocker PIN then? To me from your explanation it's redundant and makes no sense.
It's an extra unneeded authentication.
 

Neemobeer

Windows Forum Team
Staff member
It's just additional options for securing the data. Adding multiple factors of the same type does add some extra security, but very little. Multiple factors should be used instead for added security.
 
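For anyone following this thread who decides to add the pre-boot PIN discussed above, here is an added example (not posted by either participant) of how to inspect the protectors on the OS volume and switch a TPM-only configuration to TPM+PIN with the built-in BitLocker PowerShell module. It assumes an elevated PowerShell session on Windows 10, a present and ready TPM, and that the "Require additional authentication at startup" policy already allows a startup PIN; the mount point C: and the order of operations (remove the TPM-only protector, then add TPM+PIN) are assumptions for this example.

```powershell
# Added example, not from the thread. Assumes an elevated session on Windows 10
# with the BitLocker module and a ready TPM. Mount point is an assumption.
$MountPoint = "C:"

# 1. Confirm the TPM exists and is ready; without it there is nothing to seal the key to.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM not present or not ready; a TPM+PIN protector cannot be used."
    return
}

# 2. Show the current state and which key protectors exist on the OS volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: status={1}, protection={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
"Key protectors: " + ($types -join ", ")

# 3. A TPM-only protector is what lets the machine boot to the logon screen
#    with the volume already unlocked. Replace it with TPM+PIN so the TPM will
#    not release the volume key until the PIN is entered before Windows starts.
if ($types -contains "TpmPin") {
    "A TPM+PIN protector is already configured; nothing to do."
    return
}
if ($types -notcontains "RecoveryPassword") {
    Write-Warning "No recovery password protector found; add and back one up before changing protectors."
    return
}

# Assumption for this example: the existing TPM-only protector is removed first,
# then the TPM+PIN protector is added. The recovery password protector stays in place.
$tpmOnly = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "Tpm" }
if ($tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpmOnly.KeyProtectorId
}

$pin = Read-Host -AsSecureString "Enter the new startup PIN"
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin

# 4. Re-read the volume to verify the change took effect.
$after = Get-BitLockerVolume -MountPoint $MountPoint
"Key protectors now: " + (($after.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ", ")
```

The point of the change is the one Neemobeer makes about factors of different types: the Windows logon password protects a system whose volume is already unlocked, while the PIN is checked by the TPM before the volume key is ever released, so a stolen machine no longer boots to a logon screen at all. Keep the recovery password backed up (for example with the -RecoveryPassword output or manage-bde -protectors -get C:) before touching protectors, because a mis-typed PIN policy or a removed protector is exactly the situation the recovery key exists for.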

ztplru

Honorable Member
It's just additional options for securing the data. Adding multiple factors of the same time does add some extra security, but very little. Multiple factors should be used instead for added security.
Thanks Neemobeer for sharing your expertise.
Much appreciated!