How to Enforce Password Policies in Windows

To ensure that you and other users on your network don't leave the password door wide open, you can use security settings in Windows to enforce some of these policies.

For best security, we recommend the following:


  • A password should be required for all user accounts. At the very least, enforce this rule for members of the Administrators group.

  • Passwords must be at least eight characters long. Shorter passwords are more easily cracked. Use at least 15 characters for best security.

  • Passwords must be complex. They should contain characters of at least three of these four types: uppercase letters, lowercase letters, numerals, and symbols. This stymies dictionary attacks, causing password crackers to rely on brute-force methods or other techniques.

    Tip
    You can use any character in a Windows logon password, including spaces. With one or more spaces in a password, it's easier to come up with a long yet memorable password; you might even incorporate several words separated by spaces and other symbols. Don't use a space as the first or last character of your password, however; some applications trim spaces from these positions.


  • Passwords should not contain any form of your name or user name. Because so many users have passwords based on this weak scheme, password-cracking programs are trained to try these variants very early in the process.

  • Passwords should be changed at least every 90 days. The attacker's best friend is time. When dictionary attacks don't work, a determined thief can use brute-force techniques to try every combination of letters, numbers, and characters in the hope of finding one that works. This task can take months, but it will eventually pay off if you never change your password.

  • Passwords should not be written down and stored in plain view. Not all attacks come from scurrilous characters connected to your computer only by the Internet. If your password is written on a sticky note and stuck to your monitor, anyone who walks by your computer can copy it.
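The complexity rule described in the list above (at least three of the four character classes, no user name or part of the full name) can be modelled in a few lines. The following PowerShell function is an added example, not code from the original article and not Windows' own implementation; the minimum length of six, the three-character cut-off for name parts, and the sample passwords are assumptions made for illustration.

```powershell
# Added example: approximates the password complexity rule the article
# describes. This is an illustration, not Windows' own check.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [string]$FullName = ''
    )
    $reasons = @()

    # Windows' complexity policy also imposes a six-character floor.
    if ($Password.Length -lt 6) { $reasons += 'shorter than six characters' }

    # Count how many of the four character classes are present.
    # -cmatch is case-sensitive, so [A-Z] and [a-z] are counted separately.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }   # symbols, including space
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes" }

    # Reject passwords containing the user name or any word of the full name.
    # Assumption: only parts of three or more characters are checked, case-insensitively.
    $parts = @()
    if ($UserName) { $parts += $UserName }
    if ($FullName) { $parts += ($FullName -split '[\s,.\-_]+') }
    foreach ($p in $parts) {
        if ($p.Length -ge 3 -and $Password.ToLowerInvariant().Contains($p.ToLowerInvariant())) {
            $reasons += "contains '$p'"
        }
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample inputs for a hypothetical user "jsmith" (John Smith).
$samples = 'Summer2024', 'correct horse battery staple', 'jsmith-Pass1', 'Tr0ub4dor&3'
foreach ($s in $samples) {
    Test-PasswordComplexity -Password $s -UserName 'jsmith' -FullName 'John Smith'
}
```

Running it shows the point the article makes about spaces: a long passphrase of lowercase words and spaces is rejected because it uses only two character classes, while the much shorter "Summer2024" passes. The passphrase becomes compliant as soon as a capital letter or digit is added, which is why combining length with mixed classes is the recommendation.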


To be sure that these guidelines are followed (except for the last one, which relies on user education and monitors that repel sticky notes), you can set security policies using the Local Security Settings console.

To start Local Security Settings, type secpol.msc at a Command Prompt or Run box. To see the policies that set password behavior for all accounts, open Security Settings\Account Policies\Password Policy. Double-click a policy to set its value. The table below explains each policy.


Policy and what it does:

Enforce password history

Specifying a number greater than 0 (the maximum is 24) causes Windows to remember that number of previous passwords and forces users to pick a password different from any of the remembered ones.

Maximum password age

Specifying a number greater than 0 (the maximum is 999) dictates how many days a password remains valid before it expires. (To override this setting for certain user accounts, open the account's properties dialog box in Local Users And Groups and select the Password Never Expires check box.) Selecting 0 means passwords never expire.

Minimum password age

Specifying a number greater than 0 (the maximum is 999) lets you set the number of days a password must be used before a user is allowed to change it. Selecting 0 means that users can change passwords as often as they like.

Minimum password length

Specifying a number greater than 0 (the maximum is 14) forces passwords to be at least that many characters long. Specifying 0 permits users to have no password at all. Note: Changes to the minimum password length setting do not apply to current passwords.

Password must meet complexity requirements

Enabling this policy requires that new passwords be at least six characters long; that the passwords contain a mix of uppercase letters, lowercase letters, numbers, and symbols (at least one character from three of these four classes); and that the passwords not contain the user name or any part of the full name. Note: Enabling password complexity does not affect current passwords.

Store password using reversible encryption

Enabling this policy effectively stores passwords as clear text rather than in the much more secure encrypted form. You almost certainly do not want to enable this policy, which is provided only for compatibility with a few older applications.



    Tip
    If you use password history, you should also set a minimum password age. Otherwise, users can defeat the password history feature by quickly changing the password a number of times and then returning to the current password.
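Rather than clicking through each policy in secpol.msc, you can export the current local policy and check it against the recommendations above, including the history/minimum-age combination this tip describes. The script below is an added example, not part of the original article; it relies on the secedit /export command and the [System Access] section of its INF output, and the thresholds (8 characters, 90 days, 24 remembered passwords) are the article's own recommendations. It must be run from an elevated PowerShell prompt.

```powershell
# Added example: audit the local password policy against the article's
# recommendations. Requires administrator rights (secedit).
function Get-LocalPasswordPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the current policy as an INI-style file; SECURITYPOLICY limits it to the relevant areas.
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (run from an elevated prompt)' }

    $policy  = @{}
    $section = ''
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Keep only numeric values from [System Access]; string entries such as
        # NewAdministratorName are not needed here.
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Default any missing key to 0 so a partial export does not hide a finding.
    $get = { param($k) if ($Policy.ContainsKey($k)) { $Policy[$k] } else { 0 } }
    $minLen  = & $get 'MinimumPasswordLength'
    $maxAge  = & $get 'MaximumPasswordAge'      # -1 in the INF means "never expires"
    $minAge  = & $get 'MinimumPasswordAge'
    $history = & $get 'PasswordHistorySize'
    $complex = & $get 'PasswordComplexity'
    $clear   = & $get 'ClearTextPassword'

    $findings = @()
    if ($minLen -lt 8)  { $findings += "Minimum password length is $minLen; the article recommends at least 8 (15 for best security)" }
    if ($complex -ne 1) { $findings += 'Password must meet complexity requirements is disabled' }
    if ($maxAge -le 0 -or $maxAge -gt 90) { $findings += "Maximum password age is $maxAge; the article recommends 90 days or less" }
    if ($history -lt 24) { $findings += "Password history remembers $history passwords; the maximum is 24" }
    # The tip above: history without a minimum age can be cycled through in minutes.
    if ($history -gt 0 -and $minAge -le 0) { $findings += 'Password history is set but minimum password age is 0, so users can change back to an old password immediately' }
    if ($clear -eq 1)   { $findings += 'Store password using reversible encryption is enabled' }
    return $findings
}

$findings = Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy)
if ($findings.Count -eq 0) { 'Local password policy meets the recommendations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }

# The numeric settings can be applied without the console, e.g.:
#   net accounts /minpwlen:15 /maxpwage:90 /minpwage:1 /uniquepw:24
# Complexity and reversible encryption are not exposed by net accounts; set
# them in secpol.msc (or with secedit /configure) as the article describes.
```

The export is parsed rather than read through the GUI so the same check can be run unattended on every machine; the minimum-age check is what turns the tip into something measurable, since a history of 24 with a minimum age of 0 offers no real protection.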



