Windows 7 sometimes gives the impression that passwords aren't all that important. For example, it's possible to
remove the password from the user account you created during setup.
Because that account has administrator-level privileges, a blank password
is dangerous: anyone who can start your computer can log on with
administrative rights, and a standard user who hits a User Account Control
prompt can elevate by picking that account without supplying a password.
The remedy is simple: give every local account a password, starting with the
accounts that belong to the Administrators group. This section gives you some
pointers for creating strong passwords and runs through Windows 7's
password-related options and policies.
Creating a Strong Password
It's
not enough to use just any old password. You can improve the security
of Windows, and hence of your entire network, by making each password
robust enough that it can't be guessed and holds up against
programs that try password combinations automatically. Such a
password is called a strong password. Ideally, you want a password that provides maximum protection while still being easy to remember.
Lots of books
will suggest absurdly fancy password schemes (I’ve written some of those
books myself), but you really need to know only three things to create
strong-like-bull passwords:
Use passwords that are at least 8 characters long—
Shorter passwords are susceptible to programs that simply try every
letter combination. The 26 letters of the alphabet give about
12 million 5-letter combinations (26^5), which is no big deal for a
fast program. Bump that up to 8 letters and the total rises to
about 200 billion (26^8); at 12 letters, as many experts recommend, the
number of combinations goes beyond mind-boggling: about 95 quadrillion, or
95,000 trillion (26^12). Treat these counts as a floor rather than a
guarantee, though. An attacker who obtains the password hashes can test
guesses offline at billions per second on ordinary hardware, which is
enough to exhaust every 8-letter, lowercase-only password in minutes.
That is why 12 characters with mixed character types is the better target.
Mix up your character types—
The secret to a strong password is to include characters from the
following categories: lowercase letters, uppercase letters, numbers, and
symbols. If you include at least one character from three (or, even
better, all four) of these categories, you're well on your way to a
strong password. Mixing types matters because it enlarges the set of
characters an attacker must try at each position: 8 characters drawn from
all four categories (about 95 printable characters) give roughly
6.6 quadrillion combinations (95^8), versus 200 billion for lowercase
letters alone.
Don't be too obvious—
Because forgetting a password is inconvenient, many people use
meaningful words or numbers so that their password will be easier to
remember. Unfortunately, this means that they often choose extremely
obvious things: their name, the name of a family member or
colleague, their birth date, their social security number, or even their
system username. Password-cracking tools try dictionary words, names, and
dates (including the common trick of tacking a digit and a symbol onto the
end) long before they fall back to brute force, so being this obvious is
just asking for trouble.
Tip
How will you know whether the password you've come up with fits the definition of strong?
One way to find out is to submit a password to an online password
complexity checker. Don't send the password you actually intend to use,
though: whatever you type goes to someone else's server, so check one of
the same length and character mix instead. I recommend Microsoft's (http://tinyurl.com/cpjh4 or www.microsoft.com/protect/yourself/password/checker.mspx), but a Google search on "password complexity checker" will reveal many others.
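If you would rather not hand a password to a website at all, the three rules above are easy to check locally. The following PowerShell function is an added example, not code from the original text; it applies the length, character-class, and "nothing obvious" rules and reports the brute-force keyspace the password presents. The 8/12 thresholds, the count of 33 printable symbols, and the sample passwords at the bottom are assumptions for illustration. It is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the original text: check a candidate password
# against the three rules above without sending it anywhere.
# Assumptions: the 8/12 thresholds, the 33-symbol count for printable
# ASCII punctuation, and the constructed sample inputs at the bottom.
function Test-StrongPassword {
    param(
        # Plain string for clarity; in a real session read it with
        # Read-Host -AsSecureString so it does not land in command history.
        [Parameter(Mandatory=$true)][string]$Password,
        [string]$UserName = $env:USERNAME,
        [string[]]$ObviousWords = @()    # names, birth dates, ID numbers to reject
    )

    $failures = @()
    $warnings = @()

    # Rule 1: length. 8 is the floor; 12 is what the chapter recommends.
    if ($Password.Length -lt 8) {
        $failures += "Too short ($($Password.Length) characters); use at least 8."
    } elseif ($Password.Length -lt 12) {
        $warnings += "Meets the 8-character floor; 12 or more is recommended."
    }

    # Rule 2: character classes. -cmatch is case-sensitive, which the
    # upper/lower tests need; -match is not, which is fine for the rest.
    $hasLower  = $Password -cmatch '[a-z]'
    $hasUpper  = $Password -cmatch '[A-Z]'
    $hasDigit  = $Password -match  '[0-9]'
    $hasSymbol = $Password -match  '[^a-zA-Z0-9]'
    $classes   = @(($hasLower, $hasUpper, $hasDigit, $hasSymbol) | Where-Object { $_ }).Count
    if ($classes -lt 3) {
        $failures += "Only $classes of the 4 character classes are present; use at least 3."
    }

    # Rule 3: nothing obvious. Case-insensitive substring test against the
    # username plus whatever the caller supplies.
    foreach ($word in (@($UserName) + $ObviousWords)) {
        if ($word.Length -ge 3 -and $Password.ToLower().Contains($word.ToLower())) {
            $failures += "Contains the obvious value '$word'."
        }
    }

    # Keyspace under pure brute force: alphabet size raised to the length.
    # This is the number behind the 12 million / 200 billion figures above.
    $alphabet = 0
    if ($hasLower)  { $alphabet += 26 }
    if ($hasUpper)  { $alphabet += 26 }
    if ($hasDigit)  { $alphabet += 10 }
    if ($hasSymbol) { $alphabet += 33 }   # printable ASCII punctuation (95 - 62)

    New-Object PSObject -Property @{
        Length   = $Password.Length
        Classes  = $classes
        Keyspace = [math]::Pow($alphabet, $Password.Length)
        Strong   = ($failures.Count -eq 0)
        Failures = $failures
        Warnings = $warnings
    }
}

# Constructed sample inputs: the first clears only the length floor
# (two classes, and it contains both the username and a birth year);
# the second passes all three rules.
Test-StrongPassword -Password 'paul1970' -UserName 'paul' -ObviousWords '1970'
Test-StrongPassword -Password 'Kq7#mVx2!rLp' -UserName 'paul'
```

The keyspace figure only tells you how a brute-force attacker fares. A password such as a dictionary word with a digit and a symbol appended satisfies the three-class rule yet falls to a wordlist attack almost immediately, which is why the "obvious" check is the one to extend with whatever an attacker could learn about you.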
User Account Password Options
Each user account has a
number of options related to passwords. To view these options, open the
Local Users and Groups snap-in (lusrmgr.msc; it is not included in the Starter and Home editions of Windows 7), and double-click the user with which you want to work. There are three password-related check boxes in the property sheet that appears:
User Must Change Password at Next Logon—
If you activate this check box, the next time the user logs on, she
will see a dialog box with the message that she is required to change
her password. When the user clicks OK, the Change Password dialog box
appears, and the user enters her new password.
User Cannot Change Password— Activate this check box to prevent the user from changing the password.
Password Never Expires—
If you deactivate this check box, the user’s password will expire. The
expiration date is determined by the Maximum Password Age policy,
discussed in the next section.
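The same three check boxes can be read and set from a script, which is handy when you need to apply them to several accounts at once. The following is an added example, not code from the original text. It uses the WinNT ADSI provider, which is present on Windows 7 (the Get-LocalUser and Set-LocalUser cmdlets are not), and maps the two check boxes that are stored as UserFlags bits (ADS_UF_PASSWD_CANT_CHANGE and ADS_UF_DONT_EXPIRE_PASSWD) plus the PasswordExpired property that backs "User Must Change Password at Next Logon". The account name alice is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original text: read and set the three
# password check boxes on a local account through the WinNT ADSI provider.
# The account name 'alice' at the bottom is an assumption. Run elevated.

$ADS_UF_PASSWD_CANT_CHANGE = 0x40       # "User Cannot Change Password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000    # "Password Never Expires"

function Get-LocalPasswordOptions {
    param([Parameter(Mandatory=$true)][string]$UserName)
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $flags = [int]$user.UserFlags.Value
    New-Object PSObject -Property @{
        UserName              = $UserName
        # PasswordExpired = 1 is what the GUI shows as "must change at next logon"
        MustChangeAtNextLogon = ([int]$user.PasswordExpired.Value -eq 1)
        CannotChangePassword  = (($flags -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
        PasswordNeverExpires  = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
        # PasswordAge is seconds since the password was last set
        PasswordAgeDays       = [math]::Round([int]$user.PasswordAge.Value / 86400, 1)
    }
}

function Set-LocalPasswordOptions {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [bool]$MustChangeAtNextLogon,
        [bool]$CannotChangePassword,
        [bool]$PasswordNeverExpires
    )
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $flags = [int]$user.UserFlags.Value

    # Only touch the bits the caller actually passed.
    if ($PSBoundParameters.ContainsKey('CannotChangePassword')) {
        if ($CannotChangePassword) { $flags = $flags -bor  $ADS_UF_PASSWD_CANT_CHANGE }
        else                       { $flags = $flags -band (-bnot $ADS_UF_PASSWD_CANT_CHANGE) }
    }
    if ($PSBoundParameters.ContainsKey('PasswordNeverExpires')) {
        if ($PasswordNeverExpires) { $flags = $flags -bor  $ADS_UF_DONT_EXPIRE_PASSWD }
        else                       { $flags = $flags -band (-bnot $ADS_UF_DONT_EXPIRE_PASSWD) }
    }
    $user.Put('UserFlags', $flags)

    # "Must change at next logon" is a separate property, not a UserFlags bit.
    # The GUI greys that box out when either of the other two is set, so
    # refuse the contradictory combination here as well.
    if ($PSBoundParameters.ContainsKey('MustChangeAtNextLogon')) {
        $blocking = $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
        if ($MustChangeAtNextLogon -and (($flags -band $blocking) -ne 0)) {
            throw "Cannot force a change at next logon while the password cannot change or never expires."
        }
        $user.Put('PasswordExpired', [int]$MustChangeAtNextLogon)
    }
    $user.SetInfo()
    Get-LocalPasswordOptions -UserName $UserName
}

# Usage (account name assumed): show the current state, then require a new
# password at next logon and let the Maximum Password Age policy apply.
Get-LocalPasswordOptions -UserName 'alice'
Set-LocalPasswordOptions -UserName 'alice' -MustChangeAtNextLogon $true -PasswordNeverExpires $false
```

Because the flags are read, modified, and written back as one value, the function preserves any other UserFlags bits (such as the account-disabled bit) that it does not know about; that is the reason for the read-modify-write rather than assigning a fixed number.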