Set up strong password policies for your PC's users. Plus: A freeware tool can give you greater control over passwords and more.

Security Is Up to You: Perfect Your Passwords

Send Windows-related questions and tips to scott_dunn@pcworld.com. We pay $50 for published items. Scott Dunn is a contributing editor for PC World.

Scott Dunn

Dunn's third law of PC security states: The older the password, the less secure the system. (The first two laws are "Never assume your data is safe" and "If it's from Microsoft, it has holes.") The simplest and cheapest way to safeguard your information is to put a little thought into your passwords, keep them fresh, and use them always.

For the basics on Windows passwords, read my column from September 2002, and see Scott Spanbauer's take on effective passwords from his October 2003 Internet Tips. The following tips enforce best password practices, though some of them don't apply to PCs on networks whose administrators use their own password policies.

Enforce Strong Passwords

For better or for worse--usually worse--Windows 2000 and XP let you create passwords using pretty much any set of characters. Worse still, both allow you to do without passwords altogether. Fortunately, you can make Windows XP require that all user accounts implement more-secure password habits via the Local Security Settings policy tool. Click Start, Control Panel, (Performance and Maintenance in Category view), Administrative Tools, Local Security Settings to open this Control Panel applet (the steps vary slightly from system to system; if you're on a company network, the option may be 'Local Security Policy, Security Settings'). In the left pane of the Local Security Settings window, click the plus sign (+) next to Account Policies and select the Password Policy icon nested beneath (see Figure 1). Now you're ready to make Windows play password cop.

Figure 1: Local Security policy forces users to craft stronger, safer passwords.

Mandate minimums: To require that all users choose a hack-resistant password, double-click Minimum password length in the right pane (if you don't see it, make sure that Password Policy is selected in the left pane). Specify the number of characters that will be in your password. This can be any number from 1 to 14, but to meet Microsoft's recommendations, the password should be at least 6 characters long. Then click OK.

Compel complexity: Next, double-click Password must meet complexity requirements. Select Enabled and click OK. This mandates that passwords contain characters from at least three of the following categories: uppercase letters, lowercase letters, numbers, and symbols (such as punctuation marks). Also, the password must not contain your user account name. Don't use all or part of your e-mail address in your password, either (though the tool won't keep you from doing so).

You need to make the password hard to guess, but you must also make it easy to remember. One way is to abbreviate a phrase--for example, PCWis#12me ("PC World is number 1 to me").

Expect expirations: To prevent passwords from getting stale, double-click Maximum password age and specify the number of days after which Windows will require users to change their passwords (see Figure 2). The default figure of 42 should be adequate in most cases. After you've entered the new value, click OK.

Figure 2: This option will require users to change passwords at the interval you set.

Enforce freshness: To keep people from simply toggling between the same two passwords each time they have to switch, double-click Enforce password history and enter the number of passwords that Windows should track. For example, if you enter 8, users won't be able to reuse any of their last eight passwords when they create a new one. Click OK when you're done. You can also set a minimum number of days that the new password must be used, just in case somebody decides to try changing their password several times in one day until the number in 'Enforce password history' is satisfied so they can go back to their original password. To do so, double-click Minimum password age, enter a number of days, and click OK.
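The rules from the three tips above (minimum length, complexity, password history) as an added checker, not code from the article or from Windows; the default values are assumptions taken from the article's own suggestions, and the account name and passwords in the comments are constructed:

```python
# Added example (not from the article): a checker that mirrors the Password
# Policy rules described above (minimum length, complexity, password history).
# The default values are assumptions taken from the article's own suggestions.
from __future__ import annotations
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    min_length: int = 6      # "Minimum password length" (Microsoft's minimum of 6)
    complexity: bool = True  # "Password must meet complexity requirements"
    history_size: int = 8    # "Enforce password history" (the article's example of 8)


def character_classes(pw: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) appear."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(candidate: str, account: str, previous: list[str],
                   policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted).

    `previous` holds the account's past passwords, oldest first; Windows keeps
    hashes rather than the passwords themselves, but the comparison is the same.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity:
        if character_classes(candidate) < 3:
            problems.append("fewer than three character classes")
        if account and account.lower() in candidate.lower():
            problems.append("contains the account name")
    # Only the last `history_size` passwords are remembered and rejected
    if policy.history_size and candidate in previous[-policy.history_size:]:
        problems.append(f"reused one of the last {policy.history_size} passwords")
    return problems
```

Run against the article's own "PCWis#12me" for a constructed account "John", it returns no violations; a password made only of lowercase letters, or one containing the account name, is rejected with the matching reason.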

Refuse reversible encryption: You may be tempted by the final option in the Password Policy window, 'Store passwords using reversible encryption'. This setting instructs Windows to store your password in a form that can be decrypted back to plain text. However, reversible encryption is needed only by applications that must read your actual Windows password. Unless you have such an application, your system will be more secure if you leave reversible encryption disabled, which is the default setting.

Live with lockouts: By default, anyone trying to log on to your account can enter password variations ad infinitum until they succeed. This so-called brute-force approach to password cracking is of particular concern if your system is set for remote access. One way to stymie such attacks is to limit the number of attempts before the system refuses to accept any more passwords (correct or not). To do that, click the Account Lockout Policy icon in the left pane (just below Password Policy). In the right pane, double-click Account Lockout Threshold. Type the number of wrong password-entry attempts that the system will permit before it locks up--something in the vicinity of 3 to 5 seems fair enough, depending on how sloppy a typist you are. When you change this setting, Windows automatically resets the other two Account Lockout Policy settings to 30 minutes each: 'Account lockout duration' controls how long everyone is locked out from making password attempts, and 'Reset account lockout counter after' determines how long the system waits before it starts counting new attempts from zero. To change either of these, double-click it, enter the desired number of minutes, and click OK.
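How the three Account Lockout Policy values interact, as an added model that is not code from the article or from Windows; the defaults are the article's suggestions (a threshold of 5 and 30 minutes for the other two), and the attempt times fed to it are constructed, measured in minutes from an arbitrary start:

```python
# Added example (not from the article): a model of how the three Account Lockout
# Policy values described above interact, run over a constructed list of
# wrong-password attempt times (minutes from an arbitrary start).
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5         # "Account lockout threshold" (article: 3 to 5)
    duration_min: int = 30     # "Account lockout duration"
    reset_after_min: int = 30  # "Reset account lockout counter after"


class AccountLockoutState:
    """Bad-password counter for one account, following the policy semantics."""

    def __init__(self, policy: LockoutPolicy = LockoutPolicy()) -> None:
        self.policy = policy
        self.failures = 0          # attempts counted so far
        self.last_failure = None   # minute of the most recent failure
        self.locked_until = None   # minute the lockout expires, or None

    def is_locked(self, now: int) -> bool:
        if self.locked_until is not None:
            if now < self.locked_until:
                return True
            # Lockout duration has elapsed: unlock and start counting from zero
            self.locked_until, self.failures = None, 0
        return False

    def record_failure(self, now: int) -> bool:
        """Register a wrong password at minute `now`; True means the account is locked."""
        if self.is_locked(now):
            return True
        # Reset window: a failure this long after the previous one starts a fresh count
        if (self.last_failure is not None
                and now - self.last_failure >= self.policy.reset_after_min):
            self.failures = 0
        self.failures += 1
        self.last_failure = now
        if self.failures >= self.policy.threshold:
            self.locked_until = now + self.policy.duration_min
            return True
        return False


def simulate(policy: LockoutPolicy, failure_minutes: list[int]) -> list[bool]:
    """For each attempt time, report whether the account was locked after it."""
    state = AccountLockoutState(policy)
    return [state.record_failure(t) for t in failure_minutes]
```

Five quick failures lock the account, while two failures followed by a 39-minute pause do not count toward the next burst because the reset window has passed.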

Make an exception to expirations: If you maintain a seldom-used administrator account that you need only for emergencies, you may not want its password to expire. To make an exception to the policies detailed in the previous tips, choose Start, Run, type lusrmgr.msc, and press <Enter>. In either pane, double-click the Users icon. Then double-click the account whose password doesn't need an expiration date. In the Properties dialog box for that account, check Password never expires and end by clicking OK (see Figure 3).

Figure 3: Make a password unexpirable in Windows' Local Users and Groups tool.

Render a reminder: You can warn users of a password's impending expiration via an edit of the Windows Registry. Any change to the Registry risks problems, so be sure to back it up first; Stan Miastkowski shows how in "Care and Feeding of the Windows Registry." With your backup in place, choose Start, Run, type regedit, and press <Enter> to open the Registry Editor. In the left pane, navigate to and select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. In the right pane, double-click passwordexpirywarning (if it isn't there, right-click in the pane, pick New, DWORD Value, and type the name in the text box). Click the Decimal option. For 'Value data', type the number of days before expiration that you want the system to remind users to change their password (see Figure 4).

Figure 4: Give users a friendly reset reminder by editing the Windows Registry.

XP's Password Manager

When you access a server on your network or visit a secure site, you'll likely be prompted for a name and password. If you access many servers, you may have to remember several name-and-password combinations. Windows XP offers to remember your ID and password the first time you log on (check the Remember my password box), but what if you want to change or delete your IDs and passwords? Open the User Accounts applet in Control Panel: Choose Start, Run, type control userpasswords, and press <Enter>. If you are connected to a network domain, select the desired user on the Users tab, and click Advanced, Manage Passwords. If your PC is not part of a network domain, select the desired account at the bottom of the User Accounts window. In the Related Tasks box on the left, click Manage my network passwords to open the Stored User Names and Passwords window.

Now select a Web site or network location and click Remove to delete the saved name and password; or click Properties to edit the server path or Web location, user name, or password. To add a new entry, click Add to open the Login Information Properties dialog box (naturally). However, you need to know the proper format for the information you enter. In the Server box, enter the URL or server path: For network shares, you can use the standard Universal Naming Convention (UNC) paths, such as \\server\share. The asterisk wild-card character--for example, in *.pcworld.com--is also permitted if you have multiple IDs for a single Web site. Next, fill in the 'User name' box in either of two formats: server\user for network servers (for example, STORAGE\John), or user@domain.com for Web sites (for example, John@pcworld.com). Finally, fill in the Password box and click OK.

A Management Shortcut

If you must return to Windows XP's password manager repeatedly, you don't have to navigate through the Control Panel to open it each time. Instead, you can create a menu or desktop shortcut that launches it directly. Right-click in an empty area of the desktop, or in the menu you want to add the shortcut to, and click New, Shortcut. In the location box of the Create Shortcut wizard, type rundll32.exe keymgr.dll, KRShowKeyMgr and click Next. Type a name for the shortcut, and click Finish. To make its desktop icon more meaningful, right-click it and choose Properties. In the Shortcut tab, click Change Icon. Type the path to a file with the icon you want, or click Browse to find one in a folder such as shell32.dll or moricons.dll (see Figure 5). Select an icon from the list and click OK twice.

Figure 5: Pick an icon for your password manager shortcut so you can spot it quickly.

Put Passwords in Their Place With Access Manager

If you find Windows' own password manager too limited or too confusing, consider upgrading to the Access Manager utility from Citi-Software. The program not only stores Web site and server passwords securely but also tracks your credit card and bank account information, e-mail passwords, home alarm codes, and more. You can organize passwords by a set of predefined types (Web site, PIN, or document access, for example) or devise your own type. When it's time to create a new password, Access Manager can generate one for you that will meet standard complexity requirements. On-screen buttons let you copy your name or password for pasting into Web sites and other forms (a tactic that thwarts keylogging programs). Even easier, you can drag your account name into a form to copy your password to the Windows Clipboard, so you have to move between windows only once (you drag to one box and then paste into the other). My sole complaint regarding the program is that it requires Microsoft's free .Net Framework version 1.1. Access Manager is free for noncommercial use, but for more features (such as the ability to encrypt individual files on your computer), you must purchase the $25 professional version.

©2009 About.com, a part of The New York Times Company.

All rights reserved.