Windows Tips

Living with Windows is a whole lot easier with the tips, tools, and techniques from Contributing Editor Scott Dunn's bottomless bag of tricks.

Windows Tips: Security Is Up to You--Perfect Your Passwords

Set up strong password policies for your PC's users. Plus: A freeware tool can give you greater control over passwords and more.

Scott Dunn

Enforce Strong Passwords

For better or for worse--usually worse--Windows 2000 and XP let you create passwords using pretty much any set of characters. Worse still, both allow you to do without passwords altogether. Fortunately, you can make Windows XP require that all user accounts implement more-secure password habits via the Local Security Settings policy tool. Click Start, Control Panel, (Performance and Maintenance in Category view), Administrative Tools, Local Security Settings to open this Control Panel applet (the steps vary slightly from system to system; if you're on a company network, the option may be 'Local Security Policy, Security Settings'). In the left pane of the Local Security Settings window, click the plus sign (+) next to Account Policies and select the Password Policy icon nested beneath (see Figure 1). Now you're ready to make Windows play password cop.

Mandate minimums: To require that all users choose a hack-resistant password, double-click Minimum password length in the right pane (if you don't see it, make sure that Password Policy is selected in the left pane). Specify the minimum number of characters a password must contain. This can be any number from 1 to 14, but to meet Microsoft's recommendations, the password should be at least 6 characters long. Then click OK.

Compel complexity: Next, double-click Password must meet complexity requirements. Select Enabled and click OK. This mandates that passwords contain characters from at least three of the following categories: uppercase letters, lowercase letters, numbers, and symbols (such as punctuation marks). Also, the password must not contain your user account name. Don't use all or part of your e-mail address in your password, either (though the tool won't keep you from doing so).

You need to make the password hard to guess, but you must also make it easy to remember. One way is to abbreviate a phrase--for example, PCWis#12me ("PC World is number 1 to me").

Expect expirations: To prevent passwords from getting stale, double-click Maximum password age and specify the number of days after which Windows will require users to change their passwords (see Figure 2). The default figure of 42 should be adequate in most cases. After you've entered the new value, click OK.

Enforce freshness: To keep people from simply toggling between the same two passwords each time they have to switch, double-click Enforce password history and enter the number of passwords that Windows should track. For example, if you enter 8, users won't be able to reuse any of their last eight passwords when they create a new one. Click OK when you're done. You can also set a minimum number of days that a new password must be kept, in case somebody tries to change their password several times in one day until the count in 'Enforce password history' is satisfied and they can return to their original password. To do so, double-click Minimum password age, enter a number of days, and click OK.

Refuse reversible encryption: You may be tempted by the final option in the Password Policy window, 'Store passwords using reversible encryption'. This setting instructs Windows to store your password in a form from which the plain text can be recovered. Only applications that need your actual Windows password require it. Unless you have such an application, your system will be more secure if you leave reversible encryption disabled, which is the default setting.

Live with lockouts: By default, anyone trying to log on to your account can enter password variations ad infinitum until they succeed. This so-called brute-force approach to password cracking is of particular concern if your system is set for remote access. One way to stymie such attacks is to limit the number of attempts before the system refuses to accept any more passwords (correct or not). To do that, click the Account Lockout Policy icon in the left pane (just below Password Policy). In the right pane, double-click Account Lockout Threshold. Type the number of wrong password-entry attempts that the system will permit before it locks up--something in the vicinity of 3 to 5 seems fair enough, depending on how sloppy a typist you are. When you change this setting, Windows automatically resets the other two Account Lockout Policy settings to 30 minutes each: 'Account lockout duration' controls how long everyone is locked out from making password attempts, and 'Reset account lockout counter after' determines how long the system waits before it starts counting new attempts from zero. To change either of these, double-click it, enter the desired number of minutes, and click OK.

Make an exception to expirations: If you maintain a seldom-used administrator account that you need only for emergencies, you may not want its password to expire. To make an exception to the policies detailed in the previous tips, choose Start, Run, type lusrmgr.msc, and press <Enter>. In either pane, double-click the Users icon. Then double-click the account whose password doesn't need an expiration date. In the Properties dialog box for that account, check Password never expires and end by clicking OK (see Figure 3).

Render a reminder: You can warn users of a password's impending expiration via an edit of the Windows Registry. Any change to the Registry risks problems, so be sure to back it up first; Stan Miastkowski shows how in "Care and Feeding of the Windows Registry." With your backup in place, choose Start, Run, type regedit, and press <Enter> to open the Registry Editor. In the left pane, navigate to and select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. In the right pane, double-click passwordexpirywarning (if it isn't there, right-click in the pane, pick New, DWORD Value, and type the name in the text box). Click the Decimal option. For 'Value data', type the number of days before expiration that you want the system to remind users to change their password (see Figure 4).
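The same policy can be applied and checked from the command line instead of clicking through each dialog. This is an added example, not part of Scott Dunn's column: it assumes an elevated PowerShell prompt, uses the column's suggested values, and treats the 14-day warning and the account name 'Admin' as placeholders.

```powershell
# Added example (not from the column): apply the password and lockout policy
# described above with secedit, then verify it. Run from an elevated prompt.
# Values are the column's suggestions; 14 days and 'Admin' are placeholders.

# secedit security template: the [System Access] keys correspond to the
# Password Policy and Account Lockout Policy items in Local Security Settings.
$template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MaximumPasswordAge = 42
MinimumPasswordAge = 1
PasswordHistorySize = 8
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Version]
signature="$CHICAGO$"
Revision=1
'@

$inf = Join-Path $env:TEMP 'pwpolicy.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode

# /db is required by secedit; /areas SECURITYPOLICY limits the change to account policy.
secedit /configure /db "$env:TEMP\pwpolicy.sdb" /cfg $inf /areas SECURITYPOLICY /quiet

# Expiry reminder: the same Winlogon value the column sets in regedit (days, decimal).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name 'PasswordExpiryWarning' -Value 14 -Type DWord

# Exempt the emergency administrator account from expiration (placeholder name).
# On current Windows, Set-LocalUser -Name Admin -PasswordNeverExpires $true does the same.
wmic useraccount where "name='Admin'" set PasswordExpires=false

# Verify: net accounts prints the effective length, age, history and lockout values;
# the complexity and reversible-encryption flags are read back from an export.
net accounts
$export = Join-Path $env:TEMP 'pwpolicy-export.inf'
secedit /export /cfg $export /areas SECURITYPOLICY /quiet
Select-String -Path $export -Pattern '^(PasswordComplexity|ClearTextPassword|LockoutBadCount)'
```

If the export shows PasswordComplexity = 0 or ClearTextPassword = 1, the template was not applied; check the secedit log in the Windows security folder.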
