Creating and Enforcing Bulletproof Passwords

Windows Vista sometimes gives the impression that passwords aren't all that important. After all, the user account you specify during setup is supplied with administrative-level privileges and a password is optional. That's a dangerous setup, because it means that anyone can start your computer and automatically get administrative rights, and that standard users can elevate permissions without needing a password. However, these problems are easily remedied by supplying a password to all local users. This section gives you some pointers for creating strong passwords and runs through Windows Vista's password-related options and policies.

Creating a Strong Password

Ideally, when you're creating a password for a user, you want to pick one that provides maximum protection without sacrificing convenience. Keeping in mind that the whole point of a password is to select one that nobody can guess, here are some guidelines you can follow when choosing a password:

  • Use passwords that are at least eight characters long—Shorter passwords are susceptible to programs that just try every letter combination. You can combine the 26 letters of the alphabet into about 12 million different five-letter word combinations, which is no big deal for a fast program. If you bump things up to eight-letter passwords, however, the total number of combinations rises to 200 billion, which would take even the fastest computer quite a while. If you use 12-letter passwords, as many experts recommend, the number of combinations goes beyond mind-boggling: 90 quadrillion, or 90,000 trillion!
  • Don't be too obvious—Because forgetting a password is inconvenient, many people use meaningful words or numbers so that their password will be easier to remember. Unfortunately, this means that they often use extremely obvious things such as their name, the name of a family member or colleague, their birth date or Social Security number, or even their system username. Being this obvious is just asking for trouble.
  • Don't use single words—Many crackers break into accounts by using "dictionary programs" that just try every word in the dictionary. So, yes, xiphoid is an obscure word that no person would ever guess, but a good dictionary program will figure it out in seconds flat. Using two or more words in your password (or pass phrase, as multiword passwords are called) is still easy to remember, and would take much longer to crack with a brute-force program.
  • Use a misspelled word—Misspelling a word is an easy way to fool a dictionary program. (Make sure, of course, that the resulting arrangement of letters doesn't spell some other word.)
  • Mix uppercase and lowercase letters—Windows Vista passwords are case-sensitive, which means that if your password is, say, YUMMY ZIMA, trying yummy zima won't work. You can really throw snoops for a loop by mixing the case. Something like yuMmY zIMa would be almost impossible to figure out.
  • Add numbers to your password—You can throw more permutations and combinations into the mix by adding a few numbers to your password.
  • Include a few punctuation marks and symbols—For extra variety, toss in one or more punctuation marks or special symbols, such as % or #.
  • Try using acronyms—One of the best ways to get a password that appears random but is easy to remember is to create an acronym out of a favorite quotation, saying, or book title. For example, if you've just read The Seven Habits of Highly Effective People, you could use the password T7HoHEP.
  • Don't write down your password—After going to all this trouble to create an indestructible password, don't blow it by writing it on a sticky note and then attaching it to your keyboard or monitor! Even writing it on a piece of paper and then throwing the paper away is dangerous. Determined crackers have been known to go through a company's trash looking for passwords (this is known in the trade as Dumpster diving). Also, don't use the password itself as your Windows Vista password hint.
  • Don't tell your password to anyone—If you've thought of a particularly clever password, don't suddenly become unclever and tell someone. Your password should be stored in your head alongside all those "wasted youth" things you don't want anyone to know about.
  • Change your password regularly—If you change your password often (say, once a month or so), even if some skulker does get access to your account, at least he'll have it for only a relatively short period.

User Account Password Options

Each user account has a number of options related to passwords. To view these options, open the Local Users and Groups snap-in (as described earlier in this chapter), and double-click the user with which you want to work. There are three password-related check boxes in the property sheet that appears:

  • User Must Change Password at Next Logon—If you activate this check box, the next time the user logs on, she will see a dialog box with the message that she is required to change her password. When the user clicks OK, the Change Password dialog box appears and the user enters her new password.
  • User Cannot Change Password—Activate this check box to prevent the user from changing the password.
  • Password Never Expires—If you deactivate this check box, the user's password will expire. The expiration date is determined by the Maximum Password Age policy, discussed in the next section.

Taking Advantage of Windows Vista's Password Policies

Windows Vista maintains a small set of useful password-related policies that govern settings such as when passwords expire and the minimum length of a password. There are two methods you can use to view these policies:

  • In the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, as shown in Figure 6.10.
    Figure 6.10 In the Password Policy branch, use the policies to enforce strong passwords and other protections.

  • In the Local Security Policy snap-in, select Security Settings, Account Policies, Password Policy.

There are six policies:

  • Enforce Password History—This policy determines the number of old passwords that Windows Vista stores for each user. This is to prevent a user from reusing an old password. For example, if you set this value to 10, the user can't reuse a password until he or she has used at least 10 other passwords. Enter a number between 0 and 24.
  • Maximum Password Age—This policy sets the number of days after which passwords expire. This applies only to user accounts where the Password Never Expires property has been disabled (refer to the previous section). Enter a number between 1 and 999.
  • Minimum Password Age—This policy sets the number of days that a password must be in effect before the user can change it. Enter a number between 1 and 998 (but less than the Maximum Password Age value).
  • Minimum Password Length—This policy sets the minimum number of characters for the password. Enter a number between 0 and 14 (where 0 means no password is required).
  • Password Must Meet Complexity Requirements—If you enable this policy, Windows Vista examines each new password and accepts it only if it meets the following criteria: It doesn't contain all or part of the username; it's at least six characters long; and it contains characters from three of the following four categories: uppercase letters, lowercase letters, digits (0–9), and nonalphanumeric characters (such as $ and #).
  • Store Passwords Using Reversible Encryption—Enabling this policy tells Windows Vista to store user passwords using reversible encryption. Some applications require this, but they're rare and you should never need to enable this policy because it makes your passwords much less secure.
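The following Python script is an added example, not part of the chapter: it applies the three complexity criteria listed above to the sample passwords from the "Creating a Strong Password" guidelines, and it turns the chapter's 26^n arithmetic into a per-password estimate of the brute-force search space. The account name `jsmith` and full name `Jane Smith` are constructed, and reading "all or part of the username" as "the account name, or any word of the full name three or more characters long" is an assumption made for this example.

```python
import math
import string

# Character classes named by the complexity policy. A space is not counted in
# any class here (assumption for this example), so a two-word pass phrase such
# as "yuMmY zIMa" relies on case alone and does not reach three classes.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def meets_complexity(password, account_name, full_name=""):
    """Check the three criteria of 'Password Must Meet Complexity Requirements'.

    'All or part of the username' is implemented as: the password must not
    contain the account name, nor any word of the full name that is three or
    more characters long (case-insensitive). That reading is an assumption.
    """
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    if any(len(p) >= 3 and p.lower() in lowered for p in full_name.split()):
        return False
    if len(password) < 6:
        return False
    return len(classes_used(password)) >= 3


def keyspace_bits(password):
    """Estimate the brute-force search space a password sits in, in bits.

    The alphabet is the size of the classes actually used, raised to the
    password length: a five-letter lowercase word gives 26**5, about 12 million
    candidates (~23.5 bits), which matches the chapter's figure.
    """
    alphabet = sum(len(CLASSES[n]) for n in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed account used for the username check.
    for pw in ["xiphoid", "yuMmY zIMa", "T7HoHEP", "Smith99!!", "Ab1!"]:
        ok = meets_complexity(pw, "jsmith", "Jane Smith")
        print(f"{pw!r:14} complexity={ok!s:5} ~{keyspace_bits(pw):.1f} bits")
```

Note that the acronym example T7HoHEP passes the policy while the mixed-case pass phrase does not, and Smith99!! fails only because it contains part of the user's name.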

Recovering from a Forgotten Password

Few things in life are as frustrating as a forgotten password. To avoid this headache, Windows Vista offers a couple of precautions that you can take now just in case you forget your password.

The first precaution is called the password hint, discussed earlier (refer to "Creating and Managing User Accounts"), which is a word, phrase, or other mnemonic device that can help you remember your password. To see the hint in the Welcome screen, type any password and press Enter. When Vista tells you the password is incorrect, click OK. Vista redisplays the Password text box with the hint below it.

The second precaution you can take is the Password Reset Disk. This is a floppy disk that enables you to reset the password on your account without knowing the old password. To create a Password Reset Disk, follow these steps:

  1. Log on as the user for whom you want to create the disk.
  2. Select Start, Control Panel, User Accounts and Family Safety, User Accounts.
  3. In the Tasks pane, click Create a Password Reset Disk. This launches the Forgotten Password Wizard.
  4. Run through the wizard's dialog boxes. (Note that you'll need a blank, formatted floppy disk.)

The password reset disk contains a single file named Userkey.psw, which is an encrypted backup version of your password. Be sure to save this disk in a secure location and, just to be safe, don't label the disk. If you need to use this disk, follow these steps:

  1. Start Windows Vista normally.
  2. When you get to the Welcome screen, leave your password blank and press the Enter key. Windows Vista will then tell you the password is incorrect.
  3. Click OK.
  4. Click the Reset Password link.
  5. In the initial Password Reset Wizard dialog box, click Next.
  6. Insert the password reset disk and click Next.
  7. Type a new password (twice), type a password hint, and click Next.
  8. Click Finish.