Passwords are probably the most common authentication credential used on computer systems. Passwords have the following weaknesses:
- Most users choose passwords that are easy to remember, but also easy to guess. Someone with a little knowledge about a person may be able to guess the password from details such as birthdays or the names of family members or pets.
- Automated attacks can be employed that try all likely or possible combinations in order to discover (or crack) a password.
The best solution to these weaknesses is to use long and complex passwords. A password policy is a system configuration that prevents users from choosing easy passwords. A strong password policy typically:
- Requires passwords 8 characters or longer (longer passwords are harder to crack).
- Prevents the use of the username or a dictionary word (or common variations) in the password.
- Requires the use of numbers and symbols in addition to letters.
- Forces periodic password changes and prevents the reuse of recent passwords.
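The four rules above, implemented as a password-acceptance check. This is an added example, not code from the original page; the word list, the substitution map used to catch "common variations", the history size and the use of SHA-256 for the password history are assumptions made for the demonstration.

```python
import hashlib
import re

# Constructed sample word list; a real policy loads a large dictionary.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "dragon"}

# Substitutions users commonly make to dodge dictionary checks (assumed list).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8     # rule 1: 8 characters or longer
HISTORY_SIZE = 5   # rule 4: number of recent passwords that may not be reused (assumption)


def normalize(text: str) -> str:
    """Lower-case, undo common substitutions and keep only letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET_MAP))


def hash_password(password: str) -> str:
    """History entry for a password. SHA-256 is used only so the demo is
    self-contained; a real store uses a slow, salted password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, username: str, history: list) -> list:
    """Return the list of policy violations; an empty list means accepted.
    `history` holds hash_password() values of previous passwords, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    user = normalize(username)
    # Rule 2: the username or a dictionary word, even with substitutions, is rejected.
    if user and user in norm:
        problems.append("contains the username")
    if any(word in norm for word in DICTIONARY):
        problems.append("contains a dictionary word or a common variation of one")
    # Rule 3: letters plus numbers plus symbols.
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Rule 4: no reuse of the most recent passwords.
    if hash_password(password) in history[-HISTORY_SIZE:]:
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems
```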
In Windows, edit the Local Security Policy to modify password settings for a local computer, or the Default Domain Policy to control passwords for all computers in an Active Directory domain. The following table lists various policy settings that you should know.
|Policy|Description|
|---|---|
|Password Policy|The password policy defines characteristics that valid passwords must have. Settings that you can configure in the password policy include:|
|Account Lockout Policy|Use account lockout settings to protect user accounts from password guessing and to prevent accounts from being used when hacking attempts are detected. Lockout policy settings are:|