Additional login security - windows domain user

This sounds like a good time to take advantage of EFS (Encrypting File System). Any files encrypted using EFS will be inaccessible after the account password has been forcefully reset.

http://support.microsoft.com/kb/290260

Set up your browser so that it stores your profile in an encrypted directory, and you're good to go.

If you can't trust the other domain admins then they shouldn't be domain admins, for the same reason that if you couldn't be trusted you shouldn't be one either.

If someone were to change your password this would be logged, the person found and terminated (I'm assuming you have auditing enabled).

Personally I wouldn't worry about it, it's probably not going to happen.

If that worried about it, take the advice of the others here, don't save your passwords. If it's saved it can be read eventually.

If you are saving passwords in Internet Explore the passwords are encrypted against your logon password using Protected Storage. If someone else changes your password they will not gain anything. (http://support.microsoft.com/kb/290260)

If you are using an alternate browser then you will probably need to look at how that browser protects the data. For example in firefox you can set a master password.

Whole-disk encryption is probably the most effective option to protect locally stored data.

If you don't trust your fellow administrators and are worried about them stealing you password I would suggest that you need to make sure there are no keyloggers. It would be much easier for them to simply load up a keylogger. With a hardware keylogger there is pretty much no way you could detect them stealing your passwords.

While I'd generally agree with the comments that if you can't trust your Domain Admins there is something that needs to be fixed in your environment I can see some good arguments for providing an additional layer of access control under some circumstances.

In any case even if you are just being personally paranoid I would recommend that you check to see if your system has a built in Trusted Platform Module and if the vendor provides drivers and a security suite for it. Pretty much all business class PC's now have a reasonably capable TPM that will provide secure credential storage amongst other things. With a decent security suite to go with it, that will give you [A] a defence against rogue admins and [B] the ability to withstand a domain password reset (unlike EFS). Lenovo have a nice write up here on their Client Security Suite that leverages the built in TPM on Thinkpads to provide a hardware secured credential store, and it uses that credential store to protect the keys to a password manager and an encrypted private disk. If you install this without Active Directory integration you can then use their Browser Security mechanisms or simply run a portable browser install from the protected disk and you will have the additional security layer you want.

For the particular example (saved passwords in a browser) I would recommend using the master password provided by Firefox. It encrypts the password cache.

In KDE (and Gnome) there are tools like Wallet, which also provide a secure storage for credentials (e.g. for browser, mail app, chat client, etc) using a separate password. I believe something like this is available for Windows, too.

Another way would be to encrypt your home directory with TrueCrypt using a container file which contains your profile and documents.

Why would someone change your password without telling you? Is this something that has happened in the past?

Another option for saving your password is using this UPEK fingerprint reader to remember them. It's not free but it's pretty cheap. You'll need to authenticate with your finger every time you want it to log you in to your saved websites. I've been using it for a couple months now without issues.

Keep in mind, fingerprint readers are not impossible to hack, but it would stop the casual hacker.