Passwords are probably the most common authentication credential used on computer systems. Passwords have the following weaknesses:

  • Most users choose passwords that are easy to remember, which also makes them easy to guess. Someone with a little knowledge about a person may be able to guess a password built from things like birthdays or family or pet names.
  • Automated attacks can try every likely or possible combination in order to discover (crack) a password.

The best solution to these weaknesses is to use long and complex passwords. A password policy is a system configuration that prevents users from choosing easy passwords. A strong password policy typically:

  • Requires passwords 8 characters or longer (longer passwords are harder to crack).
  • Prevents the use of the username or a dictionary word (or common variations) in the password.
  • Requires the use of numbers and symbols in addition to letters.
  • Forces periodic password changes and prevents the reuse of recent passwords.
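The four policy rules above, applied to a candidate password by a small PowerShell checker. This is an added example, not code from the original page: the user name, the word list and the stored password history are constructed sample data, and the SHA-256 hash stands in for whatever hash store a real system keeps for its history check.

```powershell
# Added example, not code from the original page: a checker that applies the
# password-policy rules listed above to a candidate password. The user name,
# word list and stored history below are constructed sample data.

function ConvertTo-PasswordHash {
    # Stand-in for the stored history: a hex SHA-256 of the password. This
    # helper only gives the example something to compare against; it is not
    # how Windows stores previous passwords.
    param([Parameter(Mandatory)] [string] $Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Password))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    }
    finally { $sha.Dispose() }
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $UserName,
        [string[]] $Dictionary = @(),
        [string[]] $PreviousHashes = @(),
        [int]      $MinimumLength = 8
    )
    $failures = @()

    # Rule 1: minimum length (8 characters, per the text above).
    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }

    # Rule 2: no user name and no dictionary word. Common substitutions
    # (0->o, 1->i, 3->e, 4->a, 5->s, @->a, $->s, !->i) are undone first so
    # that a variation such as "P@ssw0rd" is still caught as "password".
    $plain = $Password.ToLowerInvariant() -replace '0', 'o' -replace '1', 'i' `
        -replace '3', 'e' -replace '4', 'a' -replace '5', 's' `
        -replace '@', 'a' -replace '\$', 's' -replace '!', 'i'
    if ($plain.Contains($UserName.ToLowerInvariant())) {
        $failures += 'contains the user name'
    }
    foreach ($word in $Dictionary) {
        if ($plain.Contains($word.ToLowerInvariant())) {
            $failures += "contains the dictionary word '$word'"
            break
        }
    }

    # Rule 3: letters plus at least one number and one symbol.
    if (-not ($Password -match '[A-Za-z]' -and $Password -match '\d' -and $Password -match '[^A-Za-z0-9]')) {
        $failures += 'needs letters, a number and a symbol'
    }

    # Rule 4: password history, compared against the stored hashes of
    # recent passwords so the same one cannot be reused.
    if ($PreviousHashes -contains (ConvertTo-PasswordHash $Password)) {
        $failures += 'reuses a recent password'
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)
        Failures  = ($failures -join '; ')
    }
}

# Constructed sample data: a tiny word list and one previously used password.
$wordList = @('password', 'welcome', 'letmein', 'summer')
$history  = @(ConvertTo-PasswordHash 'Tq7#mXv9!bLp')

# 'jsmith2024' fails on user name and missing symbol, 'P@ssw0rd' on the
# dictionary, 'Tq7#mXv9!bLp' on reuse; 'Rk4$wQe8!nZu' passes every rule.
foreach ($candidate in @('jsmith2024', 'P@ssw0rd', 'Tq7#mXv9!bLp', 'Rk4$wQe8!nZu')) {
    Test-PasswordPolicy -Password $candidate -UserName 'jsmith' `
        -Dictionary $wordList -PreviousHashes $history
}
```

The substitution step is what makes the dictionary rule useful in practice: without it, the "common variations" the policy is meant to reject pass a plain substring check.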

In Windows, edit the Local Security Policy to modify password settings for a local computer, or the Default Domain Policy to control passwords for all computers in an Active Directory domain. The following settings are the ones you should know.

Password Policy (setting group)
The password policy defines the characteristics a valid password must have. Settings you can configure in the password policy include:
  • Minimum password length requires passwords to have at least the specified number of characters. In general, longer passwords are more secure than shorter ones (although they can be harder to remember).
  • Password complexity prevents the use of passwords that are easy to guess or easy to crack. It forces passwords to include letters (both uppercase and lowercase), numbers, and symbols.
  • Maximum password age forces users to change the password after the specified time interval.
  • Minimum password age prevents users from changing the password again too soon after a change.
  • Enforce password history requires users to choose a password they have not used recently when changing it, which prevents users from cycling back to previous passwords.

Account Lockout Policy (setting group)
Use account lockout settings to protect user accounts from password guessing and to stop an account from being used once repeated failed attempts are detected. Lockout policy settings are:
  • Account lockout threshold specifies the maximum number of incorrect logon attempts. Once that number is reached, the account is locked and logon is disabled. A common setting is to lock the user account after three consecutive incorrect passwords.
  • Account lockout duration determines how long (in minutes) the account stays disabled. When the period expires, the account is unlocked automatically. Setting this to 0 means the account remains locked until an administrator unlocks it manually.
  • Reset account lockout counter after determines how long (in minutes) must pass before the invalid-attempt counter is reset. For example, if a user enters two incorrect passwords, the counter is cleared to 0 once this timer has expired.
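A way to audit these settings on a local computer rather than reading them one at a time in the Local Security Policy console. This is an added example, not code from the original page: it exports the policy with secedit, parses the [System Access] values that correspond to the settings above, and flags the ones that fall short of a baseline. The 8-character minimum and the lockout threshold of 3 come from the text above; the 90-day maximum age and the 15-minute lockout timers are assumed values chosen for illustration.

```powershell
# Added example, not code from the original page: audit the local password
# and account lockout policy against a baseline. Run from an elevated
# PowerShell session on the computer being audited.

function Get-LocalAccountPolicy {
    # Export only the account-policy area to a temporary INF file, then
    # collect the integer-valued "Name = value" lines into a hashtable.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        $policy = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-AccountPolicy {
    param([Parameter(Mandatory)] [hashtable] $Policy)

    # Baseline: 8+ characters, complexity and history on, lockout after 3
    # attempts (the text's "common setting"). The age and timer numbers are
    # assumed values for illustration, not values from the text.
    $checks = @(
        @{ Key = 'MinimumPasswordLength'; Name = 'Minimum password length';        Ok = { param($v) $v -ge 8 } }
        @{ Key = 'PasswordComplexity';    Name = 'Password complexity';            Ok = { param($v) $v -eq 1 } }
        @{ Key = 'PasswordHistorySize';   Name = 'Enforce password history';       Ok = { param($v) $v -ge 1 } }
        # secedit exports "password never expires" as -1, so that fails too.
        @{ Key = 'MaximumPasswordAge';    Name = 'Maximum password age (days)';    Ok = { param($v) $v -ge 1 -and $v -le 90 } }
        @{ Key = 'MinimumPasswordAge';    Name = 'Minimum password age (days)';    Ok = { param($v) $v -ge 1 } }
        @{ Key = 'LockoutBadCount';       Name = 'Account lockout threshold';      Ok = { param($v) $v -ge 1 -and $v -le 3 } }
        # A duration of 0 in the console ("until an administrator unlocks")
        # is exported as -1; accept that or at least 15 minutes.
        @{ Key = 'LockoutDuration';       Name = 'Account lockout duration (min)'; Ok = { param($v) $v -eq -1 -or $v -ge 15 } }
        @{ Key = 'ResetLockoutCount';     Name = 'Reset lockout counter (min)';    Ok = { param($v) $v -ge 15 } }
    )

    foreach ($c in $checks) {
        if (-not $Policy.ContainsKey($c.Key)) {
            # The two lockout timers are omitted from the export when the
            # lockout threshold is 0, i.e. lockout is switched off.
            $status = 'MISSING'; $value = $null
        }
        elseif (& $c.Ok $Policy[$c.Key]) {
            $status = 'OK'; $value = $Policy[$c.Key]
        }
        else {
            $status = 'WEAK'; $value = $Policy[$c.Key]
        }
        [pscustomobject]@{ Setting = $c.Name; Value = $value; Status = $status }
    }
}

Test-AccountPolicy -Policy (Get-LocalAccountPolicy) | Format-Table -AutoSize

# For an Active Directory domain the same settings are controlled by the
# Default Domain Policy; with the ActiveDirectory module the effective
# domain-wide values can be read for the same kind of comparison with:
#   Get-ADDefaultDomainPasswordPolicy
```

A MISSING result for the two lockout timers is itself a finding: it means the lockout threshold is 0 and account lockout is not in effect at all.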