
Hardening user passwords

Roberta Bragg offers her password hardening best practices in this introductory checklist.

I'm tired of hearing that passwords are weak and we should never use them. Critics say we should all be using smart cards, tokens or biometrics. Phooey!

Using something other than passwords may offer you additional security -- then again it may not. Improperly configured, or worse, improperly designed authentication products may be no better than passwords, while strong passwords coupled with hardened systems and knowledgeable users can provide a solid defense. Before you spend a fortune replacing passwords with the latest gizmo, use the following checklist to make your password defenses more secure.


Checklist: Hardening user passwords

Educate users first.
I'd be willing to bet that the number one reason passwords fail is because users don't have a clue. It's not their fault. It's up to us, the experts, to teach people about the importance of strong passwords and show them how to create them. If we rely on security policy and technical controls alone to enforce our desired result, we're going to fail. We need the combined strength of everyone, backed up by technology, to reach the goal.

Teach users why they need strong passwords.
Have a meeting in which you ask users to create a good password. Feed the results into a password cracker and let the fun begin. Seeing a password cracked in seconds works much better than a boring lecture. Be sure to add a few good ones for contrast, and if some passwords don't get cracked, perhaps a prize is in order.

Demonstrate how to create bulletproof passwords.
Here are some tried-and-true techniques:
• Compose every password of a mixture of upper- and lowercase letters, numbers and special characters.
• Numbers and special characters should always be within the password, not at the end.
• Don't use a name, dictionary word, user ID or popular catch phrase. (Using GoChiefs! as a password in Kansas City is not a good idea. Using company sayings isn't either.)
• Do use a passphrase if you want. Passphrases are easier to remember, but use one that has meaning to you, not one that someone you know might guess.
• Use at least eight characters. Use more if you can, if your policy requires it or if your job involves sensitive information.
• If users have standalone Windows XP computers, teach them to create and maintain a password-reset disk, which can be used should they have a problem with their passwords.

Be the Emily Post of proper passwords.
Examples of poor password etiquette:
• Putting a password on a sticky note and attaching it to the monitor or placing it under the keyboard.
• Sharing passwords with fellow workers.
• Giving out a password to someone who calls and says they are from IT or security, or to anyone else.
Examples of good password etiquette:
• Calling security if someone attempts to obtain a password or users notice anything unusual about their logon.
• Using unique passwords for each account, including personal accounts with banks and other Web sites.

Do not store miscellaneous passwords on hard drives.
Users with Internet-access rights will want to access personal sites and may have to register to obtain information. Local applications may also require passwords. Users may have the opportunity to store these passwords on the hard drive. This is not a good practice: these passwords may not be stored as securely as the logon password, and they may be accessible to an attacker. This is especially dangerous if users forget and reuse passwords for multiple sites and applications, or use their Windows password. Users should not be subscribing to Web sites that are not visited for business purposes. When business applications require passwords, users should enter them each time they use the application instead of storing them on the hard drive.

Create and honor a strong password policy.
A strong organizational security policy will include a strong password policy. While management must approve the written password policy, the IT department must fulfill this policy as closely as possible using the technical controls available in Windows. For standalone machines, the password policy is part of the local security policy. In a domain, the default domain policy is used to establish a password policy for all domain users. If the password policy choices available in Windows cannot entirely fulfill the required written security policy, then non-technical controls, such as user training and enforcement (define and apply punishment for noncompliance), must be used.

Make administrators and sensitive account users have stronger than normal passwords.
Even though the generic password policy for all users is set at one level and partially enforced by technical controls, you should still have another, stronger password policy for administrators and others with sensitive accounts. While only one password policy per domain can be technically enforced, you can require some users to have stronger passwords. You'll have to give them further training, requiring longer passwords and other techniques. You may have to audit them using a cracking/audit tool, but it will be worth it.

Enforce the organization's password policy.
If your password policy does not exceed the technical controls Windows offers, setting those controls for enforcement will suffice. However, no password policy should be without behavioral requirements, such as not posting passwords on monitors, not sharing passwords and so on. In addition, there are technical controls you may want that cannot be set in the Windows password policy, such as requiring numbers to be placed in the middle of passwords.
Use the following strategies to enforce password policies:
• First, purchase and use a password auditing tool. These tools can be used to provide information on how long it may take to crack a password and to identify weak passwords. While you may not be able to tell whether numbers are placed in the middle of a password, you can tell if a password is easily cracked and therefore not in policy.
• Second, do periodic site searches looking for passwords that are written down.
• Third, include a punishment for non-compliance in your security policy. If there is a violation, there should be consequences.
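Because the Windows password policy cannot express rules such as digit placement, here is an added example (not from the article or any product it mentions) of a small auditing check that applies the composition rules from "Demonstrate how to create bulletproof passwords" together with the placement rule from this section. The deny list, the user IDs and the sample passwords are constructed for the demonstration.

```python
import re
import string

# Constructed stand-in for a real dictionary / company-phrase list (assumption, not from the article).
DENY_LIST = {"password", "welcome", "summer", "gochiefs", "kansascity"}

# Common digit/symbol substitutions a cracker would undo ("G0Chiefs!" still spells "gochiefs").
LEET = str.maketrans("0134@$", "oleaas")


def check_password(pw: str, user_id: str = "", min_len: int = 8, deny_list=DENY_LIST) -> list:
    """Return the checklist rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # Rule the Windows policy cannot express: digits/specials must sit inside the password.
    # Strip them from both ends; if none survive, they were only at the beginning or end.
    core = pw.strip(string.digits + string.punctuation)
    if not any(c.isdigit() or c in string.punctuation for c in core):
        problems.append("digits/special characters only at the ends")
    if user_id and user_id.lower() in pw.lower():
        problems.append("contains the user id")
    # Reduce to lowercase letters after undoing substitutions, then look for deny-listed words.
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(word in letters for word in deny_list):
        problems.append("is based on a dictionary word or catch phrase")
    return problems


def audit(candidates: dict) -> dict:
    """Audit {user_id: password} pairs; returns only the failing users and their problems."""
    return {uid: p for uid, pw in candidates.items() if (p := check_password(pw, uid))}


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    sample = {"rbragg": "GoChiefs!", "jdoe": "Summer2004", "asmith": "Tr4in!Ride7"}
    for uid, problems in audit(sample).items():
        print(f"{uid}: {', '.join(problems)}")
```

In practice you would feed the deny list from a real word list plus your company's sayings, and run the audit against passwords gathered in the training session rather than stored ones.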



Roberta Bragg is author of "Hardening Windows systems" and a resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Copyright 2004

