Windows Vista sometimes gives the impression that
passwords aren’t all that important. After all, the user account you
specify during setup is supplied with administrative-level privileges and
a password is optional. That’s a dangerous setup, because it means that
anyone can start your computer and automatically get administrative
rights, and that standard users can elevate permissions without needing
a password. However, these problems are easily remedied by supplying a
password to all
local users. This section gives you some pointers for creating strong
passwords and runs through Windows Vista’s password-related options and
policies.
Creating a Strong Password
Ideally, when you’re creating a password for a user, you want to pick one that provides maximum protection without sacrificing convenience. Keeping in mind that the whole point of a password is to select one that nobody can guess, here are some guidelines you can follow when choosing a password:
Use passwords that are at least eight characters long— Shorter passwords are susceptible to programs that just try every letter combination. You can combine the 26 letters of the alphabet into about 12 million different five-letter word combinations, which is no big deal for a fast program. If you bump things up to eight-letter passwords, however, the total number of combinations rises to 200 billion, which would take even the fastest computer quite a while. If you use 12-letter passwords, as many experts recommend, the number of combinations goes beyond mind-boggling: 90 quadrillion, or 90,000 trillion!

Don’t be too obvious— Because forgetting a password is inconvenient, many people use meaningful words or numbers so that their password will be easier to remember. Unfortunately, this means that they often use extremely obvious things such as their name, the name of a family member or colleague, their birth date or Social Security number, or even their system username. Being this obvious is just asking for trouble.

Don’t use single words— Many crackers break into accounts by using “dictionary programs” that just try every word in the dictionary. So, yes, xiphoid is an obscure word that no person would ever guess, but a good dictionary program will figure it out in seconds flat. Using two or more words in your password (or pass phrase, as multiword passwords are called) is still easy to remember, and would take much longer to crack by a brute force program.

Use a misspelled word— Misspelling a word is an easy way to fool a dictionary program. (Make sure, of course, that the resulting arrangement of letters doesn’t spell some other word.)

Mix uppercase and lowercase letters— Windows Vista passwords are case-sensitive, which means that if your password is, say, YUMMY ZIMA, trying yummy zima won’t work. You can really throw snoops for a loop by mixing the case. Something like yuMmY zIMa would be almost impossible to figure out.

Add numbers to your password— You can throw more permutations and combinations into the mix by adding a few numbers to your password.

Include a few punctuation marks and symbols— For extra variety, toss in one or more punctuation marks or special symbols, such as % or #.

Try using acronyms— One of the best ways to get a password that appears random but is easy to remember is to create an acronym out of a favorite quotation, saying, or book title. For example, if you’ve just read The Seven Habits of Highly Effective People, you could use the password T7HoHEP.

Don’t write down your password— After going to all this trouble to create an indestructible password, don’t blow it by writing it on a sticky note and then attaching it to your keyboard or monitor! Even writing it on a piece of paper and then throwing the paper away is dangerous. Determined crackers have been known to go through a company’s trash looking for passwords (this is known in the trade as Dumpster diving). Also, don’t use the password itself as your Windows Vista password hint.

Don’t tell your password to anyone— If you’ve thought of a particularly clever password, don’t suddenly become unclever and tell someone. Your password should be stored in your head alongside all those “wasted youth” things you don’t want anyone to know about.

Change your password regularly— If you change your password often (say, once a month or so), even if some skulker does get access to your account, at least he’ll have it for only a relatively short period.
User Account Password Options
Each user account has a number of options related to passwords. To view these options, open the Local Users and Groups snap-in (as described earlier in this chapter), and double-click the user with which you want to work. There are three password-related check boxes in the property sheet that appears:
User Must Change Password at Next Logon— If you activate this check box, the next time the user logs on, she will see a dialog box with the message that she is required to change her password. When the user clicks OK, the Change Password dialog box appears and the user enters her new password.

User Cannot Change Password— Activate this check box to prevent the user from changing the password.

Password Never Expires— If you deactivate this check box, the user’s password will expire. The expiration date is determined by the Maximum Password Age policy, discussed in the next section.
Taking Advantage of Windows Vista’s Password Policies
Windows Vista maintains a small set of useful password-related policies that govern settings such as when passwords expire and the minimum length of a password. There are two methods you can use to view these policies:

In the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, as shown in Figure 1.

In the Local Security Policy snap-in, select Security Settings, Account Policies, Password Policy.
There are six policies:
Enforce Password History— This policy determines the number of old passwords that Windows Vista stores for each user. This is to prevent a user from reusing an old password. For example, if you set this value to 10, the user can’t reuse a password until he or she has used at least 10 other passwords. Enter a number between 0 and 24.

Maximum Password Age— This policy sets the number of days after which passwords expire. This applies only to user accounts where the Password Never Expires property has been disabled (refer to the previous section). Enter a number between 1 and 999.

Minimum Password Age— This policy sets the number of days that a password must be in effect before the user can change it. Enter a number between 1 and 998 (but less than the Maximum Password Age value).

Minimum Password Length— This policy sets the minimum number of characters for the password. Enter a number between 0 and 14 (where 0 means no password is required).

Password Must Meet Complexity Requirements— If you enable this policy, Windows Vista examines each new password and accepts it only if it meets the following criteria: It doesn’t contain all or part of the username; it’s at least six characters long; and it contains characters from three of the following four categories: uppercase letters, lowercase letters, digits (0–9), and nonalphanumeric characters (such as $ and #).

Store Passwords Using Reversible Encryption— Enabling this policy tells Windows Vista to store user passwords using reversible encryption. Some applications require this, but they’re rare and you should never need to enable this policy because it makes your passwords much less secure.
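To see how the complexity policy and the Minimum Password Length policy combine, here is an added Python checker that models the three criteria listed above plus a configurable minimum length; it is an illustration written for this section, not Windows code. It assumes that “part of the username” means any run of three or more alphanumeric characters from the account name, and that “nonalphanumeric” means ASCII punctuation (spaces don’t count), both of which are this example’s own interpretation.

```python
import re
import string

# Thresholds stated in the complexity policy: at least six characters and
# characters from three of the four categories.
COMPLEXITY_MIN_LEN = 6
CATEGORIES_REQUIRED = 3


def _username_tokens(username):
    # Assumption: "part of the username" = any alphanumeric run of 3+ chars
    # in the account name (e.g. "Paul.Smith" -> ["Paul", "Smith"]).
    return [t for t in re.split(r"[^A-Za-z0-9]+", username) if len(t) >= 3]


def category_count(password):
    """Count how many of the four character categories the password uses."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        # Assumption: nonalphanumeric = ASCII punctuation such as $ or #.
        any(c in string.punctuation for c in password),
    ))


def check_password(password, username, min_length=0):
    """Return a list of policy violations; an empty list means accepted.

    min_length models the separate Minimum Password Length policy (0-14),
    which applies in addition to the complexity policy's six-character floor.
    """
    problems = []
    lowered = password.lower()
    if username and username.lower() == lowered:
        problems.append("password equals the username")
    else:
        for token in _username_tokens(username):
            if token.lower() in lowered:
                problems.append(f"password contains part of the username ({token!r})")
    if len(password) < COMPLEXITY_MIN_LEN:
        problems.append(f"shorter than {COMPLEXITY_MIN_LEN} characters")
    if category_count(password) < CATEGORIES_REQUIRED:
        problems.append("fewer than three of the four character categories")
    if len(password) < min_length:
        problems.append(f"shorter than Minimum Password Length ({min_length})")
    return problems


if __name__ == "__main__":
    # Constructed sample: the section's own example passwords against a made-up user.
    for pw in ("T7HoHEP", "yuMmY zIMa", "yuMmY zIMa#7", "smith2024!"):
        print(pw, "->", check_password(pw, "Paul.Smith") or "accepted")
```

Note that the mixed-case example from the guidelines, yuMmY zIMa, is rejected under this model because letters alone cover only two categories; adding a digit and a symbol satisfies the policy.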
Caution
Reversible encryption means that data is encrypted using a particular code as a seed value, and you can then decrypt the data by applying that same code. Unfortunately, this type of encryption has been cracked, and programs to break reversible encryption are easy to find on the Net. This means that hackers with access to your system can easily decrypt your password store and see all your passwords. Therefore, you should never enable the Store Passwords Using Reversible Encryption policy.
Recovering from a Forgotten Password
Few things in life are as frustrating as a forgotten password. To avoid this headache, Windows Vista offers a couple of precautions that you can take now just in case you forget your password.
The first precaution is called the password hint,
which is a word, phrase, or other mnemonic device that can help you
remember your password. To see the hint in the Welcome screen, type any
password and press Enter. When Vista tells you the password is
incorrect, click OK. Vista redisplays the Password text box with the
hint below it.
The second precaution you can take is the Password Reset Disk. This is a floppy disk that enables you to reset the password on your account without knowing the old password. To create a Password Reset Disk, follow these steps:
1. Log on as the user for whom you want to create the disk.
2. Select Start, Control Panel, User Accounts and Family Safety, User Accounts.
3. In the Tasks pane, click Create a Password Reset Disk. This launches the Forgotten Password Wizard.
4. Run through the wizard’s dialog boxes. (Note that you’ll need a blank, formatted floppy disk.)
The password reset disk contains a single file named Userkey.psw, which is an encrypted backup version of your password. Be sure to save this disk in a secure location and, just to be safe, don’t label the disk. If you need to use this disk, follow these steps:
1. Start Windows Vista normally.
2. When you get to the Welcome screen, leave your password blank and press the Enter key. Windows Vista will then tell you the password is incorrect.
3.
4. Click the Reset Password link.
5. In the initial Password Reset Wizard dialog box, click Next.
6. Insert the password reset disk and click Next.
7. Type a new password (twice), type a password hint, and click Next.
8. Click Finish.