Creating and Enforcing Bulletproof Passwords
Windows XP sometimes gives the impression that passwords aren't all that important. After all, each user account you specify during Setup is given both administrative-level privileges and a blank password. That's a dangerous setup, but it's one that's easily remedied by giving every local user a password. This section gives you some pointers for creating strong passwords and runs through Windows XP's password-related options and policies.
Creating a Strong Password
Ideally, when you're creating a password for a user, you want to pick one that provides maximum protection without sacrificing convenience. Keeping in mind that the whole point of a password is that nobody else can guess it, here are some guidelines you can follow when choosing one.
- Don't be too obvious. Because forgetting a password is inconvenient, many people use meaningful words or numbers so that their password will be easier to remember. This means that they often use extremely obvious things such as their name, the name of a family member or colleague, their birth date or Social Security number, or even their system user name. Being this obvious is just asking for trouble.
- Don't use single words. Many crackers break into accounts by using "dictionary programs" that simply try every word in the dictionary. So, yes, xiphoid is an obscure word that no person would ever guess, but a good dictionary program will find it in seconds flat. Using two or more words in your password (or pass phrase, as multiword passwords are called) is still easy to remember, and a brute-force program would take much longer to crack it.
- Use a misspelled word. Misspelling a word is an easy way to fool a dictionary program. (Make sure, of course, that the resulting arrangement of letters doesn't spell some other word.)
- Use passwords that are at least eight characters long. Shorter passwords are susceptible to programs that just try every letter combination. You can combine the 26 letters of the alphabet into about 12 million different five-letter word combinations, which is no big deal for a fast program. If you bump things up to eight-letter passwords, however, the total number of combos rises to 200 billion, which would take even the fastest computer quite a while. If you use 12-letter passwords, as many experts recommend, the number of combinations goes beyond mind-boggling: 90 quadrillion, or 90,000 trillion!
- Mix uppercase and lowercase letters. Windows XP passwords are case-sensitive, which means that if your password is, say, YUMMY ZIMA, trying yummy zima won't work. Now the 26 letters of the alphabet become 52 unique characters. So you can really throw snoops for a loop by mixing the case. Something like yuMmY zIMa would be almost impossible to figure out.
- Add numbers to your password. You can throw more permutations and combinations into the mix by adding a few numbers to your password.
- For extra variety, toss in one or more punctuation marks or special symbols, such as % or #.
- Try using acronyms. One of the best ways to get a password that appears random but is easy to remember is to create an acronym out of a favorite quotation, saying, or book title. For example, if you've just read The Seven Habits of Highly Effective People, you could use the password T7HoHEP.
- Don't write down your password. After going to all this trouble to create an indestructible password, don't blow it by writing it on a sticky note and then attaching it to your keyboard or monitor! Even writing it on a piece of paper and then throwing the paper away is dangerous. Determined crackers have been known to go through a company's trash looking for passwords (this is known in the trade as Dumpster diving). Certainly, don't place your password in the password hint.
- Don't tell your password to anyone. If you've thought of a particularly clever password, don't suddenly become unclever and tell someone. Your password should be stored in your head alongside all those "wasted youth" things you don't want anyone to know about.
- Change your password regularly. If you change your password often (say, once a month or so), even if some skulker does get access to your account, at least he or she will have it for only a relatively short period.
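The following checker is an added example (not code from the book) that applies the guidelines above to a candidate password and computes the keyspace sizes the length guideline quotes (26^5, 26^8, 26^12). The word list, user name and personal details are constructed stand-ins; a real check would load a full dictionary file.

```python
import string

# Constructed mini word list standing in for a real dictionary file.
WORDLIST = {"xiphoid", "password", "zima", "yummy", "letmein"}


def character_space(password: str) -> int:
    """Alphabet size an attacker must assume, based on the character classes present.
    Assumption: symbols are string.punctuation plus the space character (33 total)."""
    space = 0
    if any(c.islower() for c in password):
        space += 26
    if any(c.isupper() for c in password):
        space += 26
    if any(c.isdigit() for c in password):
        space += 10
    if any(c in string.punctuation or c == " " for c in password):
        space += len(string.punctuation) + 1
    return space


def keyspace(password: str) -> int:
    """Number of passwords of this length drawn from the same character classes."""
    return character_space(password) ** len(password)


def check_password(password: str, username: str, personal: tuple = ()) -> list:
    """Return the list of guidelines the password violates (empty list = passes)."""
    problems = []
    low = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper- and lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or symbol")
    # A pass phrase of two or more words is not a single dictionary word.
    words = [w for w in low.split() if w]
    if len(words) == 1 and words[0].strip(string.punctuation) in WORDLIST:
        problems.append("single dictionary word")
    # Reject anything built from the user name or a known personal detail.
    obvious = [username.lower()] + [p.lower() for p in personal]
    if any(o and o in low for o in obvious):
        problems.append("contains user name or personal detail")
    return problems
```

Note that the book's own acronym example T7HoHEP is flagged by the length rule; padding it to eight or more characters with a symbol satisfies every guideline.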