Windows Passwords

Passwords are your first line of defense for both local and remote attacks on your computer. However, the vast majority of home users simply do not use passwords for their Windows user accounts. For some it is too much of an inconvenience, while others just do not see why they need to use one because they trust everyone (family and friends ) who has physical access to their computer. If your computer is never connected to any type of a network, including the Internet, then you are in the clear. But if you are like the majority of computer users and connect to the Internet through some type of medium, even if just for a few minutes at a time via a dial-up connection, you are leaving the door wide open .

The fact that your computer is in a secure location (a home, office, and so on) will protect physical access to your computer. But the moment that you log on to the Internet, or turn your PC on (if you are a broadband user), you could potentially be sharing all of your data files with the world. Basically, anyone who knows your user name can access your computer. And for those who don't, it only takes a little effort from a clever attacker to figure out your user name .

There is a reason why more and more people are getting their identity stolen every year. Many are not taking the steps necessary to protect their sensitive data. A password on all of the user accounts on your computer will not solve all of your security problems, but it's a necessary first step that goes a long way in protecting access to your computer by shutting the door to attackers looking for easy access.

If you do not already have a password assigned to all of the accounts on your computer, it is very easy to set it up. Just open the Control Panel and click on User Accounts. Then click on the name of the account and click the Create Password button. To set a password for a user, right-click on the name of the account and select Set Password. (General management of user accounts is covered in Chapter 5, "Managing Windows.")

Keep in mind that a password is only as good as an attacker's ability to guess or crack it using any number of simple brute-force utilities. Here are my recommendations for a good password:

• The password contains numbers and special characters such as ")(*&^%$#".

• The password contains both upper- and lowercase letters .

• Common words are not used.

• Personal information such as variation of name, address, and phone number is not used.

• Your password is at least 8 characters long.

• You change your password at least twice a year.

Aside from these guidelines, I also recommend you use different passwords for each of your online accounts. Using the same one is like using the same exact key for your car, your home, your office, and your safety deposit box. If someone discovers your password, a lot of your personal information as well as any financial data could be at risk.

How Windows Implements Passwords

The early versions of Windows had a very different method of implementing passwords than the NTbased operating systems NT, 2000, and XP. In Windows 98/Me, passwords were encrypted in a very weak encryption and then stored in a password file on the file system, available to anyone who wanted to play with it. This was extremely insecure , as anyone could just delete the password file and then have full access to your computer.

Starting with Windows NT, passwords were handled much more securely. Today, with Windows 2000 and Windows XP Home and Pro, user passwords are stored in what is called the Security Account Manager, commonly known as the SAM, similar to how Unix password protection works. The SAM is placed in a restricted part of the system registry that can only be accessed by the system account. This prevents a user, either locally or remotely, from loading up the registry editor and retrieving password information. To add another level of security, the passwords are stored in a 128-bit one-way hash with an industry standard encryption method known as MD4 Message Digest. This makes the password very difficult to crack even if access is somehow gained to the SAM database.

You can find more information on user passwords and account management in the "Managing Users" section of Chapter 5, "Managing Windows."

Recovering a Lost Password

Forgetting a password to an account on your computer can be very frustrating. In Windows 2000/XP, a new security mechanism based on Windows NT was used to replace the extremely vulnerable mechanism used in Windows 98/Me. Back in the Windows 98/Me days, you could very easily get into any account on the computer. With the help of a DOS boot disk, all you had to do was delete the Windows password file. Because Windows 2000 and XP are based on the NT kernel, a much more robust and secure system is in place.

This system makes it next to impossible to figure out what a user's password is because all of the password data is encrypted. In theory, it would be possible to use an application that would try to "crack" the encryption on the password data and recover the actual password. However, with the large number of bits that are used in encryption these days, it would take you several years on the fastest hardware available to "crack" the password. Unless you have your own super computer, this is not a valid solution for most of us.

If you know the Administrator user account password on your computer then you can log in with that account and then run lusrmgr.msc from the command prompt to get to the Local User and Group Manager (or activate it from the Control Panel). From there, you can right-click on any account and use its password.

If you do not remember the Administrator password, the only feasible way to get into an account that you forgot the password for is to use a third-party utility to essentially overwrite the specific account's password data. This will not allow you to recover the password, but it will allow you to get into any account on your machine because the account will be assigned a new password.

Using a third-party utility to assign any account a new password is straightforward but there are a lot of steps are involved. They all work in a similar method but can be stored on either a floppy boot disk or a bootable CD-ROM. In general, you would turn on your computer with the utility disk in the drive so that the computer loads the utility's operating system instead of Windows. Then, a utility is run that will do the work of replacing the password.

There are hundreds of password utilities available for use. Some are free and others cost hundreds of dollars. The majority of these utilities work similarly so it really does not seem worthwhile to pay for something that is so widely available for free on the Web. From all of the available utilities, I selected two of the leading utilities that are used to replace Windows account passwords. One utility is booted from a floppy disk, and the other is burned to a CD-ROM and booted from the CD drive.

Using a Floppy Boot Disk to Change Passwords

To replace a user's password with a floppy boot disk, I recommend using the Offline NT Password & Registry Editor located at http://home.eunet.no/~pnordahl/ntpasswd/. While it's not exactly the most user-friendly tool, it is by far one of the most popular and reliable utilities in its class.

1.	To get started, visit the site and download the disk image using the download links located near the bottom of the page. If your computer has SCSI hard drives, make sure that you download the version that has driver support for those drives .
2.	Once you have the correct version downloaded, extract the zip file into any folder. Place an empty and formatted floppy disk into your disk drive and run install.bat from the folder to which you extracted the zip file. When prompted for the Target Disk Drive, enter the drive letter of the drive the floppy is in (this is usually drive "a"). After you confirm the drive, the utility copies the boot image to the floppy.
3.	Now that your password recovery floppy disk has been created, you are ready to get started using it. Take the floppy disk and place it in the floppy drive of the computer containing the password(s) you want replaced. Next, just turn on the computer and it should start to boot from the floppy drive. If it does not, check the computer's BIOS to make sure that the floppy drive is first in the boot order. For more information on creating password reset disks, see "Local Accounts and Password Reset Disks" on p. 180.
4.	Once the disk finishes loading, you're asked to select the disk where Windows is installed. Enter the corresponding number for the list of drives on the screen. The default of 1 should work for the vast majority of Windows installations, especially if your system has just one hard drive and one partition. If you do not see any drives listed, press d and Enter to load more drivers. After you have selected the drive and pressed Enter, you are ready for the next step.
5.	Next, the screen asks where the Registry is stored as shown in Figure 8.1. For Windows XP, this directory is Windows/System32/Config. For Windows 2000 users, this directory is Winnt/System32/Config. The onscreen default is the directory for Windows XP, so you can just press Enter for this step if you are running XP. Figure 8.1. Selecting the location of the system registry with the Offline NT Password & Registry Editor.
6.	The software then asks you what part of the registry you would like to load. Because we want to work with the passwords, press 1 and Enter to continue.
7.	Password data from the registry will now be loaded. Next, press 1 (to edit user password information) and Enter to edit user password information.
8.	All of the users configured for use with that PC are listed. Type in the name of the user for which you want to replace the password and press Enter . If you want to replace the Administrator's password, just press Enter because it is the onscreen default.
9.	Next, enter the new password, or the software recommends that you enter in a * for a blank password as shown in Figure 8.2 (you can always change this later once you log in to Windows). Press Enter to go to the next step. Figure 8.2. Enter a * for a blank password.
10.	You will be asked to confirm your change; press y to continue.
11.	Now you are almost done; you just need to quit and save your password changes back to the registry. Press ! and Enter on this screen to quit back to the main menu. And press q and Enter to quit the password change program.
12.	You will be asked if you want to write your changes to the registry. Press y and press Enter . This may take a few minutes. Once it says "***** Edit Complete *****" you can take the disk out and reboot your computer.

If all went well, when your computer reboots, you should be able to log in to the account you edited with either a blank password or with the password you supplied.

Using a Bootable CD-ROM to Change Passwords

If the floppy boot method does not work for you or if you just don't have a floppy disk drive on your computer, there are other tools you can use to reset a user's password. I personally like to use a suite of utilities called the Emergency Boot CD. The EBCD is a collection of useful utilities that you can use to fix your computer from a wide variety of disasters. It also has the ability to reset passwords, which makes it a great tool for any IT professional or power user.

Follow the procedure below to make your own bootable CD and replace passwords with it:

1.	Visit http://ebcd.pcministry.com and download a copy of either the lite or pro version of the CD. The only difference between the two is that pro contains additional utilities that we do not need for this task. (You may, however, find them useful.)
2.	Once you have downloaded a version of the CD, run the file and extract the files to your hard drive. Because the CD allows you to customize its contents, the CD image is not yet created. Just open up the folder to which you extracted the files and run makeebcd.exe to automatically create the image file.
3.	This creates an ISO image file of the CD on your hard disk. From here, you need to use any one of several popular CD burning software applications to burn the ISO file to a CD-R or CD-RW disk.
4.	Once you have burned the ISO image file, place the newly created Emergency Boot CD into the computer that contains the passwords you want to change. Restart the computer, and if the BIOS is configured to boot from the CD drive, the computer should load the boot program on the CD instead of Windows. If the computer does not boot from the CD, make sure that your BIOS is configured properly and that it supports booting from the CD-ROM drive. Note For more information on the BIOS and the Windows boot process, see Chapter 4, "Windows Startup."
5.	Once the computer boots to the CD, launch the NT Password Utility by pressing 5 as shown in Figure 8.3 and then Enter . Figure 8.3. Select option 5 from the Emergency Boot CD-ROM to launch the NT password editor.
6.	Once the utility loads, press Enter to continue after the initial welcome message. You will be asked to probe for SCSI drives; press n and then Enter if you do not have any SCSI hard drives.
7.	A list of drive partitions will be shown. Enter the full name of the partition where Windows is installed as shown on the screen and press Enter . Most users can just press Enter to select the onscreen default of /dev/hda1.
8.	Next, enter the location to the Windows registry data (refer to step 5 in the previous section). Most users can press Enter again to select the onscreen default of Windows/System32/Config for Windows XP.
9.	The next prompt asks you which hives, another name for a location in the registry, to edit. The default values for this are the same for everyone so you can just press Enter to continue.
10.	Select Option 1 to edit passwords and press Enter .
11.	Type the name of the user whose password you need to change and press Enter (see Figure 8.4). Figure 8.4. Using the Emergency Boot CD to change the password of a Windows user account.
12.	Enter * for the password so that it is blank and press Enter . Alternatively, you can enter in a new password, but the software recommends that you just set it to a blank password.
13.	On the confirmation screen, press Y and then press Enter . Then quit out of user edit mode by pressing ! and then Enter, and quit out of the NT Password application with q and Enter to save your changes.
14.	You will need to press Y twice more to confirm the writes back to the registry. Once that's done, your task is complete.

Now that you have reset the password for the account, it is a good idea to log in and change the password to one that follows the guidelines mentioned earlier to make your data secure.