Windows NT Passwords

Windows NT's password scheme and feature set are completely different from those of Windows 9x. The first thing to ensure is that every user has an account of his own with a password of his own. In other words, do not allow shared "group" accounts, and do not let users share their passwords. Family members who use the same computer should each have their own account rather than sharing the Administrator account. If accounts are shared, it is impossible to tell who was using the computer when something happened that shouldn't have, and a person who does not know what he is doing can cause a great deal of damage with the Administrator account.

The passwords chosen should also be non-dictionary words (that is, words that cannot be found in any dictionary). Attackers can run attacks against NT machines that try every word in a dictionary until the legitimate password is discovered. Adding punctuation marks and numbers to a password takes it out of any such list and makes it far harder to guess. Other password settings should be enabled as well, such as a maximum password age and a minimum password length.

Account lockout is another feature that must be set. It locks an account once the configured number of failed logon attempts has been exceeded, so an unauthorized user cannot keep guessing at an account's password indefinitely. With the recommended threshold of five or fewer, a user gets at most five tries before the account is locked and a system administrator must intervene to unlock it.

Table 10.3 shows basic password features that should be enabled.

Table 10.3. NT Password Recommendations
Password Feature                      Recommendation
Shared passwords or group accounts    No
Password length                       Minimum of seven characters
Password composition                  Non-dictionary; use punctuation marks and numbers in addition to letters
Password expiration                   Every 45 days
Account lockout                       After five failed attempts

Set the password policy to require minimum-length passwords and to enforce password changes. These settings are made in the Account Policy dialog of User Manager, as shown in Figure 10.17. In Windows NT, select Start, Programs, Administrative Tools, User Manager, and then choose Account from the Policies menu. User Manager is the tool administrators use to manage users, groups, and policies for the system; the audit policy, account policy, and user rights policy are all set from its Policies menu.

Figure 10.17. NT password settings.


Using User Manager, you can pull up the list of all users on the system, as shown in Figure 10.18. Through this feature, you can add, delete, or modify user accounts.

Figure 10.18. User Manager for password settings, users and groups, and policy settings.


Choosing Good Passwords

Many attacks against computer systems involve password guessing, and users with poorly chosen passwords are the ones who fall to them. Poorly chosen passwords include any word that can be found in a standard dictionary. Dictionary words make bad passwords because one method of attack crackers use against systems is simply to try every word in a dictionary against a login prompt. If a user has chosen one of those words, the cracker gains access.

To minimize the chances of this occurring, users are advised to select passwords that do not appear in dictionaries. These passwords should mix letters with digits, punctuation, spaces, and other non-alphabetic characters (1234567890-=~!@#$%^&*()_+,./<>?). A strong password contains several of these characters in various positions, not just a digit tacked onto the end of a word.


One key to having good passwords, and a mainstay in corporate environments, is the use of password-testing utilities. A common one is L0phtCrack (www.atstake.com). L0phtCrack, like other password crackers, does not decrypt anything: it takes a candidate password, runs it through the same one-way hash function NT uses (the LM and NTLM hashes stored in the SAM), and compares the result to the stored hash. If the two match, the password has been found. Because this comparison runs offline against a copy of the hashes, account lockout does not slow it down, which is why short and dictionary passwords fall quickly. You can download L0phtCrack and test your own system's passwords. We will discuss L0phtCrack in more detail in Chapter 13, "Securing Your Home Network."
