Actually, the easiest way is to use F8 during boot up, and you can go into safe mode as admin and change your passwords.
So yes, basically, if anybody has physical access to your M$ box, they can get access.