7 tips in 7 minutes: Windows password creation

As part of the 25 password hardening tips in 25 minutes series, the following seven quick tips offer best practices for creating strong passwords from SearchWindowsSecurity.com experts and contributors.

TABLE OF CONTENTS: Windows password creation
   1. Demonstrate how to create bullet-proof passwords
   2. Eliminate common words
   3. Connect multiple words
   4. Implement a password formula
   5. Use passphrases and acronyms
   6. Change passwords that have been lost
   7. Get tools to test passwords

Tip #1: Demonstrate how to create bullet-proof passwords

Here are some tried-and-true techniques for creating bullet-proof passwords:

  • Compose every password of a mixture of upper and lowercase letters, numbers and special characters.
  • Numbers and special characters should always be within the password, not at the end.
  • Don't use a name, dictionary word, user id or popular catch phrase. (Using GoChiefs! as a password in Kansas City is not a good idea. Using company sayings isn't either.)
  • Do use a passphrase if you want. They are easier to remember, but use one that has meaning, not one someone you know might guess.
  • Use at least eight characters. Use more if you can, if your policy requires it or if your job involves sensitive information.
  • If users have standalone Windows XP computers, teach them to create and maintain a password-reset disk. A password reset disk can be used should users have a problem with their passwords.
- Excerpted from Roberta Bragg's Hardening user passwords

Tip #2: Eliminate common words

When I create my passwords, I immediately eliminate any word that can be found in a dictionary, even to make up a portion of my password. When forced through password complexity requirements to add numbers or special characters, many users still pick things like october01 or october#1 or something to that effect. It technically meets the requirement, but it defeats the purpose of creating a complex password.

If you eliminate your name, your kids' names, your pets' names, your birth date, social security number and every word in the dictionary, you aren't left with many options. So, what should a user do to create a password that fits all of these guidelines?

I take a word and use "hacker speak" to substitute numbers or special characters in place of some letters. That way I can still remember the password, and it won't be cracked by a simple dictionary attack or easy guess. For instance, instead of using "october," change it to "oct0b3r." The zero and the three still look like the "o" and "e" they are replacing. But I would not recommend using this trick for personal information. Things like family names should still be on the short list of password choices.

- Submitted by Tony Bradley, excerpted from Expert how-tos: Creating strong passwords
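The following checker is an added example, not code from the article or from Roberta Bragg's or Tony Bradley's tips. It applies the Tip #1 rules to a candidate password (length, character mix, digits and specials inside rather than on the ends, no dictionary word, no banned company term) and, before the dictionary test, maps the digit-for-letter substitutions from Tip #2 back to letters, because password-cracking rule sets apply exactly those reversals. The mini-dictionary, the substitution table and the banned-term set are constructed for the demo and are assumptions, not lists from the page.

```python
"""Password-rule checker modelled on the Tip #1 list (added example)."""
import string

# Constructed mini-dictionary standing in for a real wordlist file.
DICTIONARY = {
    "october", "password", "chiefs", "gochiefs", "summer", "welcome",
    "kansas", "admin", "letmein", "dragon", "monkey",
}

# Common digit/symbol-for-letter swaps (constructed table). Cracking rule
# sets reverse these, so "oct0b3r" must be tested as "october".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8


def unleet(candidate: str) -> str:
    """Undo the substitutions in LEET and lowercase the result."""
    return candidate.translate(LEET).lower()


def contains_dictionary_word(candidate: str, words=DICTIONARY, min_len=4) -> bool:
    """True if a dictionary word of min_len+ letters appears in the candidate,
    either as typed or after undoing the substitutions."""
    forms = {candidate.lower(), unleet(candidate)}
    return any(w in form for w in words if len(w) >= min_len for form in forms)


def check_password(candidate: str, banned=frozenset()) -> list[str]:
    """Return the Tip #1 rules the candidate breaks (empty list = passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Numbers and specials belong inside the password, not on the ends:
    # strip them from both ends and see whether any survive in the middle.
    core = candidate.strip(string.digits + string.punctuation)
    if core and not any(c.isdigit() or c in string.punctuation for c in core):
        problems.append("digits/specials only at the ends")

    if contains_dictionary_word(candidate):
        problems.append("contains a dictionary word (after undoing 0/3/1-style substitutions)")

    # Banned terms are the site-specific words Tip #1 warns about
    # (team slogans, company sayings); matched after normalisation.
    for term in banned:
        if term.lower() in unleet(candidate):
            problems.append(f"contains banned term {term!r}")
    return problems


if __name__ == "__main__":
    for pw in ("october01", "oct0b3r", "G0Chiefs!2024", "Mdbi10-23.Wiy?"):
        print(pw, "->", check_password(pw, banned={"Chiefs"}) or "passes")
```

check_password("october01") reports the missing classes, the digits tacked on the end and the dictionary word; "oct0b3r" passes the "not on the ends" rule but is still caught by the same dictionary test once the 0 and 3 are mapped back. A deployment would load a full dictionary plus the organisation's own banned-word list in place of the constructed sets.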

Tip #3: Connect multiple words

When choosing a password, first consider its importance. If it's not protecting something important, I choose something really easy to remember. The same is true if it's a password that gets e-mailed around: If someone intercepts the e-mail, it won't matter how clever you were about choosing it.

If the password really needs to hold up against attacks, I pick two long words (eight letters or more) and embed a digit or special character between them. The two words should be randomly chosen, and they shouldn't produce a phrase. Then I generally save copies of passwords in an encrypted file or password encryption application, unless there are laws against it.

- Submitted by Rick Smith, excerpted from Expert how-tos: Creating strong passwords
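The two-word construction above, as an added Python example that is not code from the article or from Rick Smith's tip. It draws the words and the middle character from the CPU's CSPRNG via the secrets module, verifies a password has the intended shape, and computes how many bits of guessing entropy the construction gives for a wordlist of a given size. WORDS is a constructed 16-entry stand-in for a real wordlist, and the entropy figure assumes the attacker knows the wordlist and the method, so only the random choices count.

```python
"""Tip #3 in code: word + separator + word, chosen at random (added example)."""
import math
import re
import secrets

# Constructed wordlist of 8+ letter words; a real list has thousands.
WORDS = [
    "parachute", "umbrella", "volcanic", "lighthouse",
    "sandstone", "telescope", "waterfall", "crocodile",
    "cathedral", "blueprint", "hurricane", "notebook",
    "pineapple", "staircase", "trampoline", "wheelbarrow",
]
# 22 candidate characters for the slot between the words.
SEPARATORS = "!@#$%^&*-_=+0123456789"


def pick_two_words(words=WORDS, separators=SEPARATORS, min_len=8) -> str:
    """Random long word, random separator, different random long word."""
    eligible = [w for w in words if len(w) >= min_len]
    first = secrets.choice(eligible)
    second = secrets.choice([w for w in eligible if w != first])
    return f"{first}{secrets.choice(separators)}{second}"


def is_well_formed(password: str, separators=SEPARATORS, min_len=8) -> bool:
    """Check the Tip #3 shape: two distinct 8+ letter words around one separator."""
    m = re.fullmatch(r"([A-Za-z]+)(.)([A-Za-z]+)", password)
    if m is None:
        return False
    first, sep, second = m.groups()
    return (len(first) >= min_len and len(second) >= min_len
            and sep in separators and first.lower() != second.lower())


def entropy_bits(word_count: int, separator_count: int) -> float:
    """Guessing entropy of word/sep/word with distinct words:
    log2(N) + log2(S) + log2(N - 1), assuming the list and method are known."""
    return (math.log2(word_count) + math.log2(separator_count)
            + math.log2(word_count - 1))


if __name__ == "__main__":
    pw = pick_two_words()
    print(pw, is_well_formed(pw))
    print(f"{len(WORDS)}-word list: {entropy_bits(len(WORDS), len(SEPARATORS)):.1f} bits")
    print(f"7776-word list: {entropy_bits(7776, len(SEPARATORS)):.1f} bits")
```

With the 16-word list above the construction is worth only about 12 bits; with a 7,776-word list (the size of a standard diceware list) it is about 30 bits. That is the practical reason behind the tip's "randomly chosen" requirement: the strength comes entirely from the size of the list and the randomness of the draw, not from the words looking unusual.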

Tip #4: Implement a password formula

Each Web page tends to have common elements -- whether they're visual or in the source code. You can save yourself from remembering multiple passwords if you identify a common element on the page, then add a suitable string of numbers, characters or case variations common to all passwords. To do this, you just need to remember the formula for calculating the common element and the common string. It's best to choose an element on the page that is unlikely to change. Here is a very basic example of the new method I'm trying out.

Each Web page on any site usually has a common element. Start with that element and follow these steps:

  • Source code example: <head>
  • Scramble it: <>daeh
  • Add the initials of the domain name: <>daehsws
  • Add the predetermined string common to all passwords you'll use; add it as a prefix, suffix or dump it in the middle: <>daehsws-0345
  • This particular example is too easy. I suggest identifying something common on each page for that particular site. Then use a memory trigger for the common element or use an element common on all sites (such as <head>), but add an extra step. For example, intersperse that element with a customer ID number or username. It sounds a little bulky I guess, but the idea is that you only need to remember the formula rather than 100 different passwords.

- Submitted by Michael Bloch, excerpted from Expert how-tos: Creating strong passwords

Tip #5: Use passphrases and acronyms

A favorite trick for creating strong passwords is to use passphrases (a sentence or group of words), using only the first letter of each word with punctuation marks. If your phrase contains numbers, all the better.

Here is an example:
My dog's birthday is 10-23. When is yours?
This sentence would become the following password:
Mdbi10-23.Wiy?

This method creates a seemingly random combination of alpha, numeric and symbol characters, yet it's easy to remember. It's much shorter than typing the entire phrase (thus eliminating the chance of mistyping or the user getting frustrated with its length), and it's less prone to cracking because it doesn't contain any dictionary words.
- Submitted by Debra Littlejohn Shinder

The answer is acronyms! Look at the password "2Bon2Btit?" It's complicated and almost random. It follows all the recommended password rules. It has at least one symbol, it has at least one capital and one lowercase, and it is at least eight characters long. The best part is -- it is easy to remember.

I got it from this common phrase:
To be or not to be, that is the question
2Bon2Btit?
- Submitted by Joshua Erdman

- Excerpted from Expert how-tos: Creating strong passwords
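The first-letter transformation from Tip #5, as an added Python example that is not code from the article or from its contributors. The rules it applies (keep the first letter of each word with its case, keep a token that starts with a digit whole, keep trailing punctuation) are inferred from Debra Littlejohn Shinder's worked example and are an assumption, not a published algorithm. Joshua Erdman's "2Bon2Btit?" additionally swaps "to" for "2" and replaces "question" with "?", manual choices this function does not attempt.

```python
"""Tip #5 in code: derive the first-letter acronym of a passphrase (added example)."""
import re

# Token = a body (letters or a number such as 10-23) plus any trailing
# punctuation; the lazy body group stops as soon as the rest is all non-word.
TOKEN = re.compile(r"(.*?)([^\w]*)")


def passphrase_to_password(phrase: str) -> str:
    """Mdbi10-23.Wiy? from 'My dog's birthday is 10-23. When is yours?'."""
    parts = []
    for token in phrase.split():
        body, trailing = TOKEN.fullmatch(token).groups()
        if not body:
            continue                      # token was punctuation only
        if body[0].isdigit():
            parts.append(body)            # numbers are kept whole
        else:
            parts.append(body[0])         # first letter, case preserved
        parts.append(trailing)            # punctuation supplies the symbols
    return "".join(parts)


def character_classes(password: str) -> dict[str, bool]:
    """Which of the classes Tip #5 promises (letters, digits, symbols) appear."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    phrase = "My dog's birthday is 10-23. When is yours?"
    pw = passphrase_to_password(phrase)
    print(pw, character_classes(pw))
```

Because the output keeps the phrase's punctuation and numbers, a passphrase that contains a date and a question mark yields all four character classes without the user having to bolt anything on, which is the property the tip relies on.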

Tip #6: Change passwords that have been lost

There are programs that you can purchase that will attempt to replace the current password on the system with one of your choosing, or with a blank password. These programs are operating system dependent, and most often are directed at the local administrator password, not the domain administrator password in Active Directory. Two potential sources include LostPassword.com and iOpus. These are just a starting point for you. To find additional programs, try a web search on the words "password recovery," "password crack" and so forth. Please do check out the companies -- and their software or services before making a purchase.

- Excerpted from Roberta Bragg's How can you change a former admin's password?

Tip #7: Get tools to test passwords

Many of the commercial tools such as LANguard Network Security Scanner and QualysGuard can perform this type of testing. For in-depth password testing capabilities, I'd check out L0phtCrack or the new Proactive Windows Security Explorer by Elcomsoft. You can also use NAT (NetBIOS Auditing Tool) and more. This subject is discussed in-depth in the Hacking For Dummies chapter on password hacking, which you can download for free here.

- Excerpted from Kevin Beaver's Is there a tool I can use to test passwords on my Windows systems from across a network?
