Creating and Enforcing Bulletproof Passwords


Windows XP sometimes gives the impression that passwords aren’t all that important. After all, each user account you specify during Setup is supplied with both administrative-level privileges and a blank password. That’s a dangerous setup, but it’s one that’s easily remedied by supplying all local users a password. This section gives you some pointers for creating strong passwords and runs through Windows XP’s password-related options and policies.

Creating a Strong Password

Ideally, when you’re creating a password for a user, you want to pick one that provides maximum protection without sacrificing convenience. Keeping in mind that the whole point of a password is to select one that nobody can guess, here are some guidelines you can follow when choosing a password.

  • Don’t be too obvious. Because forgetting a password is inconvenient, many people use meaningful words or numbers so that their password will be easier to remember. This means that they often use extremely obvious things such as their name, the name of a family member or colleague, their birth date or Social Security number, or even their system user name. Being this obvious is just asking for trouble.

  • Don’t use single words. Many crackers break into accounts by using “dictionary programs” that just try every word in the dictionary. So, yes, xiphoid is an obscure word that no person would ever guess, but a good dictionary program will figure it out in seconds flat. Using two or more words in your password (or pass phrase, as multiword passwords are called) is still easy to remember, and would take much longer to crack by a brute force program.

  • Use a misspelled word. Misspelling a word is an easy way to fool a dictionary program. (Make sure, of course, that the resulting arrangement of letters doesn’t spell some other word.)

  • Use passwords that are at least eight characters long. Shorter passwords are susceptible to programs that just try every letter combination. You can combine the 26 letters of the alphabet into about 12 million different five-letter word combinations, which is no big deal for a fast program. If you bump things up to eight-letter passwords, however, the total number of combos rises to 200 billion, which would take even the fastest computer quite a while. If you use 12-letter passwords, as many experts recommend, the number of combinations goes beyond mind-boggling: 90 quadrillion, or 90,000 trillion!

  • Mix uppercase and lowercase letters. Windows XP passwords are case-sensitive, which means that if your password is, say, YUMMY ZIMA, trying yummy zima won’t work. Now the 26 letters of the alphabet become 52 unique characters. So you can really throw snoops for a loop by mixing the case. Something like yuMmY zIMa would be almost impossible to figure out.

  • Add numbers to your password. You can throw more permutations and combinations into the mix by adding a few numbers to your password.

  • For extra variety, toss in one or more punctuation marks or special symbols, such as % or #.

  • Try using acronyms. One of the best ways to get a password that appears random but is easy to remember is to create an acronym out of a favorite quotation, saying, or book title. For example, if you’ve just read The Seven Habits of Highly Effective People, you could use the password T7HoHEP.

  • Don’t write down your password. After going to all this trouble to create an indestructible password, don’t blow it by writing it on a sticky note and then attaching it to your keyboard or monitor! Even writing it on a piece of paper and then throwing the paper away is dangerous. Determined crackers have been known to go through a company’s trash looking for passwords (this is known in the trade as Dumpster diving). Certainly, don’t place your password in the password hint.

  • Don’t tell your password to anyone. If you’ve thought of a particularly clever password, don’t suddenly become unclever and tell someone. Your password should be stored in your head alongside all those “wasted youth” things you don’t want anyone to know about.

  • Change your password regularly. If you change your password often (say, once a month or so), even if some skulker does get access to your account, at least he or she will have it for only a relatively short period.
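The guidelines above can be turned into a mechanical check. The following script is an added example, not code from the book or from Windows XP: it reports which guidelines a candidate password breaks, sizes the brute-force search space the way the eight-character guideline reasons about it, and also applies the three-of-four-categories rule that the Password Must Meet Complexity Requirements policy (described later in this section) enforces. The word list is a constructed stand-in for a real dictionary file, the 32-symbol pool size is an assumption, and reading “part of the user name” as any run of three consecutive characters of it is this example’s assumption rather than Windows’ exact rule.

```python
"""Check a candidate password against the guidelines in this section.

Added example, not from the book. DICTIONARY is a constructed stand-in for a
real word list; the three-character rule for "part of the user name" is an
assumption made for the example.
"""
import string

# Constructed stand-in for a dictionary file.
DICTIONARY = {"xiphoid", "password", "welcome", "secret", "yummy", "zima"}

# Pool sizes for the search-space estimate (32 printable ASCII symbols assumed).
POOL = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def categories(pw):
    """Character classes present in pw; whitespace counts toward none of them."""
    found = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isspace():
            found.add("symbol")
    return found


def search_space(pw):
    """Number of strings of len(pw) drawn from the pools pw actually uses.

    Five lowercase letters give 26**5 (about 12 million); eight give 26**8
    (about 200 billion), the figures quoted in the guideline above.
    """
    size = sum(POOL[c] for c in categories(pw))
    return size ** len(pw)


def meets_xp_complexity(pw, username):
    """The complexity policy as the book describes it: at least six characters,
    three of the four categories, and no part of the user name (assumed here to
    mean any three consecutive characters of it, compared case-insensitively)."""
    if len(pw) < 6 or len(categories(pw)) < 3:
        return False
    low, user = pw.lower(), username.lower()
    if len(user) < 3:
        return not (user and user in low)
    return not any(user[i:i + 3] in low for i in range(len(user) - 2))


def guideline_problems(pw, username):
    """Guidelines from the list that pw violates, in the order they appear."""
    problems = []
    low = pw.lower()
    cats = categories(pw)
    if username.lower() in low:
        problems.append("contains the user name")
    words = low.split()
    if len(words) == 1 and words[0] in DICTIONARY:
        problems.append("is a single dictionary word")
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not {"upper", "lower"} <= cats:
        problems.append("does not mix uppercase and lowercase")
    if "digit" not in cats:
        problems.append("contains no digits")
    if "symbol" not in cats:
        problems.append("contains no punctuation or symbols")
    return problems


if __name__ == "__main__":
    # Candidates taken from the guidelines above, checked for user "alice".
    for candidate in ("xiphoid", "yuMmY zIMa", "T7HoHEP", "T7HoHEP#2"):
        print(f"{candidate!r}: space={search_space(candidate):,} "
              f"xp_complexity={meets_xp_complexity(candidate, 'alice')} "
              f"problems={guideline_problems(candidate, 'alice')}")
```

Running it shows why the two rule sets differ: yuMmY zIMa passes the mixed-case guideline but still fails the policy's three-category test because a space is not counted as a symbol, while the acronym T7HoHEP satisfies the policy yet is still shorter than the eight characters the guideline asks for.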

User Account Password Options

Each user account has a number of options related to passwords. To view these options, open the Local Users And Groups snap-in (as described earlier in this chapter), right-click the user you want to work with, and then select Properties. There are three password-related check boxes in the property sheet that appears:

  • User Must Change Password At Next Logon. If you select this check box (the Password Never Expires option must not be active), the next time the user logs on, a dialog box tells him or her that the password must be changed. When the user clicks OK, the Change Password dialog box appears and the user enters his or her new password.

  • User Cannot Change Password. Select this check box to prevent a user from changing his or her password.

  • Password Never Expires. If you clear this check box, the user’s password will expire. The expiration date is determined by the Maximum Password Age policy, discussed in the next section.

Taking Advantage of Windows XP’s Password Policies

Windows XP maintains a small set of useful password-related policies that govern settings such as when passwords expire and the minimum length of a password. In the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy. (In the Local Security Policy snap-in, select Security Settings, Account Policies, Password Policy.) There are six policies:

  • Enforce Password History. This policy determines the number of old passwords that Windows XP stores for each user. This is to prevent a user from reusing an old password. For example, if you set this value to 10, the user can’t reuse a password until he or she has used at least 10 other passwords. Enter a number between 0 and 24.

  • Maximum Password Age. This policy sets the number of days after which passwords expire. This only applies to user accounts where the Password Never Expires property has been disabled (see the previous section). Enter a number between 1 and 999.

  • Minimum Password Age. This policy sets the number of days that a password must be in effect before the user can change it. Enter a number between 1 and 998 (but less than the Maximum Password Age value).

  • Minimum Password Length. This policy sets the minimum number of characters for the password. Enter a number between 0 and 14 (where 0 means no password is required).

  • Password Must Meet Complexity Requirements. If you enable this policy, Windows XP examines each new password and accepts it only if it meets the following criteria: it doesn’t contain all or part of the user name; it’s at least six characters long; and it contains characters from three of the following four categories: uppercase letters, lowercase letters, digits (0-9), and non-alphanumeric characters (such as $ and #).

  • Store Password Using Reversible Encryption For All Users In The Domain. Enabling this policy tells Windows XP to store user passwords using reversible encryption. Some applications require this, but they’re rare and you should never need to enable this policy.
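The six policies can also be audited outside the snap-in. `secedit /export /cfg <file>` writes the local security policy to an INF file whose [System Access] section holds these settings under the key names used below. The following script is an added example, not code from the book or from Windows: it maps each policy name in the list to its INF key and checks the exported values against a baseline. The sample INF is constructed for the example (it resembles an unconfigured machine) and the baseline values are an assumed administrative choice, not Windows defaults.

```python
"""Audit the six Password Policy settings in a secedit INF export.

Added example, not from the book. SAMPLE_INF is constructed; the baseline
in baseline_ok() is an assumed policy choice for this example.
"""
import configparser

# Constructed sample of a `secedit /export /cfg` file, trimmed to what matters.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
ClearTextPassword = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Policy name as shown in the snap-in -> key name in the INF's [System Access].
POLICY_KEYS = {
    "Enforce Password History": "PasswordHistorySize",
    "Maximum Password Age": "MaximumPasswordAge",
    "Minimum Password Age": "MinimumPasswordAge",
    "Minimum Password Length": "MinimumPasswordLength",
    "Password Must Meet Complexity Requirements": "PasswordComplexity",
    "Store Password Using Reversible Encryption": "ClearTextPassword",
}


def baseline_ok(policy, value):
    """Assumed baseline: history >= 10, expiry within 1..42 days (-1 in the INF
    means never), min age >= 1 day, length >= 8, complexity on, reversible off."""
    checks = {
        "Enforce Password History": lambda v: v >= 10,
        "Maximum Password Age": lambda v: 1 <= v <= 42,
        "Minimum Password Age": lambda v: v >= 1,
        "Minimum Password Length": lambda v: v >= 8,
        "Password Must Meet Complexity Requirements": lambda v: v == 1,
        "Store Password Using Reversible Encryption": lambda v: v == 0,
    }
    return checks[policy](value)


def parse_system_access(inf_text):
    """Return {key: int} for the [System Access] section of an INF export."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the key names exactly as secedit writes them
    cp.read_string(inf_text)
    return {k: int(v) for k, v in cp["System Access"].items()}


def audit(inf_text):
    """Return {policy name: (current value, passes baseline)}."""
    values = parse_system_access(inf_text)
    return {p: (values[k], baseline_ok(p, values[k])) for p, k in POLICY_KEYS.items()}


def failing_policies(inf_text):
    """Sorted names of the policies that do not meet the baseline."""
    return sorted(p for p, (_, ok) in audit(inf_text).items() if not ok)


def audit_file(path, encoding="utf-16"):
    """Audit a real export; secedit normally writes the INF as UTF-16."""
    with open(path, encoding=encoding) as f:
        return audit(f.read())


if __name__ == "__main__":
    for policy, (value, ok) in audit(SAMPLE_INF).items():
        print(f"{'OK  ' if ok else 'FAIL'} {policy}: {value}")
```

On the sample, only Maximum Password Age (42 days) and the reversible-encryption setting (off) pass; the other four are reported as failing, which is the state the section's advice is meant to correct.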

Recovering a Forgotten Password

Few things in life are as frustrating as a forgotten password. To avoid this headache, Windows XP offers a couple of precautions that you can take now just in case you forget your password sometime in the future.

The first precaution is called a password hint, which is a word, phrase, or other mnemonic device that can help you remember your password. To see the hint, click the question mark (?) button that appears beside the password box in the Welcome screen (hints are not available in Classic logon mode). To set up a password hint, follow these steps:

  1. Launch Control Panel’s User Accounts icon.

  2. If you have administrative-level privileges, select the user you want to work with.

  3. From here, you have two choices:

    • If the user doesn’t have a password, click Create A Password, enter the password (twice) and enter the password hint in the Type A Word Or Phrase To Use As A Password Hint text box.

    • If the user already has a password, click Change My Password, enter the existing password in all three text boxes, and then enter the password hint in the Type A Word Or Phrase To Use As A Password Hint text box. Note that if Enforce Password History has been set to a non-zero value, you will have to provide a new password in the second and third text boxes.

The second precaution you can take is the Password Reset Disk. This is a floppy disk that enables you to reset the password on your account without knowing the old password. The account’s password is required to prepare the disk, so don’t wait until you’ve forgotten the password to try to create the disk.

To create a Password Reset Disk, follow these steps:

  1. Log on as the user for whom you want to create the disk.

  2. Launch Control Panel’s User Accounts icon.

  3. Click your account name, if necessary.

  4. In the Related Tasks list, click Prevent A Forgotten Password. This runs the Forgotten Password Wizard.

  5. Run through the wizard’s dialog boxes. (Note that you’ll need a blank, formatted disk.)

The password reset disk contains a single file named Userkey.psw, which is an encrypted backup version of your password. If you need to use this disk down the road, follow these steps:

  1. Start Windows XP normally.

  2. When you get to the logon screen, leave your password blank and press Enter. Windows XP will then ask if you want to use your password reset disk.

  3. If you’re using the Welcome screen, click the Use Your Password Reset Disk link; if you’re using the Classic logon, click Reset. Windows XP launches the Password Reset Wizard. Click Next.

  4. Insert the password reset disk and click Next.

  5. Enter a new password (twice), enter a password hint, and click Next.

  6. Click Finish.




Insider Power Techniques for Microsoft Windows XP
ISBN: 0735618968
Year: 2005
Pages: 126