Windows XP - Can I have a user without a password and have that system secure in public network?

I have an old Windows XP OS desktop I use for POP3 and SMTP email only
Is there a way I can keep a user with no password and  yet keep the system secure?
What I mean is - Is it absolutely necessary that every Windows User must have a windows password? The default is no password. I am hoping that so long as I am not using
Remote Terminal  or network shares on my Windows XP SP3 desktop that it will remain secure
I use this for my email almost soley and do not intend to be installing any network software other than the THE BAT by RITLABS.COM  software so please let me know if this is a problem from a security standpoint. I am not talking about the Administrator just a single user and

perhaps there is a way to simply strip any remote access by a specific user and handle the issue that way?
Robert SilverSr. Software EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Larry Struckmeyer MVPCommented:
Can  you explain why you would not want a password for local users?  Can you lock up the system in a secure area?  Are you concerned that someone from the internet might access the system from outside if there is a local user with no password?

What is at stake if an untrusted person gains access to the system?  If only some bits and bobs, then no matter.  if the password to the vault that holds the recipe for digestive biscuits, then maybe.
Fred MarshallPrincipalCommented:
I don't understand what having a password does that's objectionable.
A user can have a password and NEVER need to use it overtly.

The real issue with Windows XP is that it is becoming increasingly vulnerable.  I don't think that passwords have much to do with that really.  It remains to be seen what kinds of vulnerabilities emerge.
JohnBusiness Consultant (Owner)Commented:
Is there a way I can keep a user with no password and  yet keep the system secure?

NO. Dead simple to hack into.

Can I keep XP secure?  

 Not any more. operating system holes will never again be patched.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

Fred MarshallPrincipalCommented:
I'd be interested, and I'm sure you'd be interested in view of your question:

Under what conditions can a computer be hacked with or without a password?
I'm thinking that the computer is on a LAN  / a private network and NOT on a public network.
I'm thinking that telnet is disabled (a common situation as it has to be overtly ENabled).
How to access then?

Clearly, no password is the ultimate of simple passwords.  Yet, it is a password called [blank].
The question then really, is what is the hacking mechanism that simple passwords are vulnerable to on a private network without telnet?
I just don't know the answer so I ask.
Robert SilverSr. Software EngineerAuthor Commented:
Interesting response. I have a screen saver on the system and constantly need to access it physically so  I know the importance of a password - What I trying to do here is not have one and feel safe from remote access
If Windows was set up properly this would never be an issue mainly  no remote access via the network period then I could feel free not to have a password on one specific user I tend to use on the unit.

Microsoft does so little to protect us from malware and viruses it makes me sick but that being said
I would not mind making this machine only  connectable via ports 110 and 25 and dirivitives of port 25 for my email servers.

My question would still be suppose I just want to not have to use a password on that one computer what does it take to make it safe without a password?  This should not be impossible - I have seen  CEOs with no password in their office so
some one must have a way to make it work - Ofcourse I would never do this in a publically available kiosk or office but a locked or private machine???
At the end of the day I am looking for a way to provide no password possibly because the user just does not want the hastle.
How many of you password protect your internet phone's - few people have the patience to login when a call comes through to my experience.

I get it normally passwords are vital essential even but this desktop will not be vulnerable that way if I can switch off all the remote login capabilities I think my machine should be reasonably safe and if it does get a virus or malware that password would have no bearing on damages by any virus as use of the device is guarenteed anyway.

Can anyone at least explain why Microsoft defaults to no password in the logins on home edition XP???

Frankly for the lazy user involved's sanity I would like better responses here. Stop the I must have a password speach please - This should very easily be doable and secure enough so long as no one can connect through a NAT class C connection and login remotely in any form via bios or therwise.
I should mention Administrator does have a password but why wouldn't I want the ability to not have to log in if my desktop is secured by  a key.

I know biometric devices are a more costly way to provide a no password solution (actually there could be a password but the user need never use it) Just scan their finger

Can anyone show me an easy way to just shut off remote access of all kinds BIOS, TCP/IP etc..
JohnBusiness Consultant (Owner)Commented:
Microsoft does so little to protect us from malware and viruses  <-- That is actually not true. With Windows 8.1, EMET (Microsoft) and top notch commercial, paid anti virus, there is not much way to hack it.

Can anyone at least explain why Microsoft defaults to no password in the logins on home edition XP???

That was just a dumb idea on their part which has long been corrected.

Without a password, it is easy to install Cain's Agent and get into the system. Cain is from and is a legitimate tool but can be used to get into insecure systems.

Stop the I must have a password speech please

XP is dead. It is insecure, and it is very easily hacked. Passwords (especially passwords with special characters) are a way to protect. This is true even if you don't wish to listen.
Robert SilverSr. Software EngineerAuthor Commented:
John Hurst - Your were completely definitive about the simple hack and I am not arguing although how will I add security holes if I plan not to install any new software on this old XP box. I do not have Microsoft office insalled or anything else that should effect me. I use "The Bat" by
Can you explain why no password is the default for Microsoft?  How often is the Windows User transmitted out or accessable I mean if my user name was  R18378947KUBLIKAHN  how would a hacker get that user name let alone start trying to access my computer and how would it happen through a NAT Home LAN connection in any event?
Can you give me any scenarios? That would really help my understanding here.
If I used WireShark would that help me better understand how the hack is so simple?
Even connecting to uinit should be impossible. I have Norton Internet Security running so a formitable firewall is in place
JohnBusiness Consultant (Owner)Commented:
How many of you password protect your internet phone's

Do you understand this at all?  You can password protect a smart phone and still receive a call. As soon as the call is over, you have to log in to use the phone. But you can receive a call. I lock and password my phone and it does not impede its use.

Think ahead. System have been ever more secured and passwords are now necessary on the strongest systems.
JohnBusiness Consultant (Owner)Commented:
Can you explain why no password is the default for Microsoft?  <-- I did. It was a lapse of judgment on their part that they have corrected.

The case you are making is from a decade ago. What you are trying to do won't work on a modern system.

Please do not misinterpret me. You can do as you wish and it does not matter to me.

I am only pointing out what can happen to an insecure system.
Larry Struckmeyer MVPCommented:

What exactly are you arguing for or against?  Either you think passwords are a good idea or you don't.  In either case you don't seem open to any logic that says yea or nay.

So, make up your own mind and go with that policy.  Install a secure user and password, including the screen saver on that now outdated system or not.  But be aware that the consequences of your decision are yours alone and no one else's.
Robert SilverSr. Software EngineerAuthor Commented:
That was the point of the question - It just seems to me that the whole need to reboot should have been thrown out as well.
But on another note how would a hacker get my Windows User name unless microsoft sends it out idiotically I do not see how that information would ever be transmitted Hostname maybe but my windows user names should never be transmitted.
I recently had a VOIP  Spoofer pretend to be from Microsoft and asked them my host name since they were calling to tell me they noticed my system was infected  The loosers could not even tell me the HOSTNAME let alone my user name or windows login so I knew they were would be hackers

I would hope that Microsoft never transmits user Window Login names. I know NetBIOS probably transmits HOSTNAMEs because in windows Explorer you can see the all the hostnames you are connected with  on your LAN anyway but
I sure do hope Microsoft never sends Window LOGIN information anywhere unless a remote connection by that Windows LOGIN USER is ever attempted knowingly
The thread is growing nothing but chaotic. Please keep it to some simple questions, all of those will have definite answers like these:

"Is there a way I can keep a user with no password..." - yes!
"...and  yet keep the system secure?" - it depends how you define what should be secured. Without a password, an account cannot be used for runas (runas is an attack vector), neither it is possibleto use this account for network logon (that is: share access, remote process execution and so on).
"Is it absolutely necessary that every Windows User must have a windows password?" - of course not. It depends on what possible attacks you see.
"The default is no password" - incorrect. You may set no password, that's how it is. But you are asked to set one.
"perhaps there is a way to simply strip any remote access by a specific user and handle the issue that way?" - see above what I wrote about network access.

But frankly: if you are not familiar with network security, then you should not use xp and at the same time expect to be able to secure it...even with the help of ee, this is not possible.

You could get all shields up: use the firewall and no remote access is possible. As for other vulnerabilities that come in through malware and unsafe browsing habits AND of course the OS vulnerabilities that are no longer patched, it all depends on you if those get exploited.
Fred MarshallPrincipalCommented:
I'm having a bit of trouble following the issue here.
I asked about the particular environment but so far have seen only tangential anecdotal comments.
As McKnife also mentions, it depends on your situation or assumptions.
Different situations present different vulnerabilities.

I didn't understand the comment about screen savers.  Clearly it's related but, as I said earlier, you can have a password and not have to use it.  Screen saver has that option.

Also, I'm surprised that nobody mentioned using "control userpasswords2".
This allows the computer to automatically log in using a "hidden" username and password without anyone entering the password.
However this only affect the initial startup login.
Other things will still require the password.

Having said these things, I think we're back to the fundamental question:

- what environment situation are you interested in receiving an answer to your question?
I suggested that telnet is not enabled as one assumption.
I suggested that being on a private LAN as another suggestion.
... what else?  and what different?
- are you interested in internal or external threats?
Given this information then folks can tell you what vulnerabilities may lurk.

Have you considered setting it up the way you want and then running something like Microsoft Baseline Security?
In addition to everything already said, no one knows all of the possible ways to attack a WinXP system remotely, including via port 110 or 25. New ways will likely be discovered for the next five or more years, and we can't know what will come.

The builtin firewall is probably as good as you're going to get if those are the only ports you really want to keep open. With all others blocked, and if the system is patched to its fullest degree, it probably doesn't matter what else you do.

Just don't expect certainty. No one can provide it. (Nor is anyone likely to post "how" it might be done in an open, ethical forum.)

Steve BottomsSr Network AdminCommented:
If you're looking for an answer and not an argument, here's the most basic answer: if you don't want to use a password *AND* you choose to use an old, unsupported OS with no security updates, then a) unplug the computer from any and all communications systems (serial, USB, network, etc) and b) create a new account with no password.  Problem solved.

Arguing about the validity of hardening systems is futile and just plain silly.

Thanks, and good luck.
Fred MarshallPrincipalCommented:
The last author comment was last September.....
Why hasn't this been closed long ago?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.