Hardening passwords: Expert advice collection

Pose your own questions to Jon, Wes, and Kevin here.

Q: Could you share with me some password hardening best practices? How often should my users change their passwords?

A: Here's a great resource on SearchWindowsSecurity.com that can answer this for you.

Q: I keep hearing weak passwords are a definite security vulnerability. I've tried to institute a more restrictive policy, but management won't go for it. What are your opinions on two factor authentication? Is there a method that is easier to implement than others?

A: Two factor authentication is an expensive but effective way to increase security, particularly if your management won't go for more secure passwords. However, I question whether your management would go for the expense of implementing a system like SecurID, which is also more cumbersome as you need a password and a personal device to do anything on your system, when they are frowning on simply remembering a longer password for a shorter amount of time. Two factor is great, and when coupled with strong passwords it's wonderful, but the most efficient use of time and money would be to lobby harder for strong passwords. Have you tried going the passphrase route, i.e., writing a sentence as a password and typing it in exactly like one would enter it into a word processor?

Hardening passwords Hacking around a lost password Cracking passwords

Q: I've heard there is a Windows NT server security issue involving LM hashes and passwords. Can you tell me more about this and how to fix it?

A: LAN Manager (LM) hashes are an older and weaker method of storing/protecting Windows passwords. There's a further explanation here as well as in my Hacking For Dummies chapter on hacking passwords.

Q: If you have two domains on your network that are located at the same physical site and you want to implement an account policy that requires passwords of at least eight characters and should meet complexity requirements -- do you apply the account policy setting at the site? What account policies should you use?

A: You would need to apply the account policy separately on each domain. Even though the group policy MMC snap-ins will display the "Password Policy" branch for OU's and sites, you can only define the password policy at the domain level. This is because there can only be a single password policy in a given Active Directory, which effectively means that you can only define it at the domain level. Also, just as a note regarding best practices, rather than modifying the default domain policy, you should go ahead and create an additional group policy object with the password policy settings that you want to apply.

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft Windows desktop operating systems security management Top 5 Windows desktop security tips How to use Group Policy to control wireless access Internet Explorer security settings and controls Password cracking and hardening Reduce your Web server's attack surface Plan for a security breach, step by step Managing information risks: Do you have IT governance? Cracking passwords: Eight tips in eight minutes Top Web security tips of 2006 Information security predictions for 2007 Windows desktop security tips The right security tools for finding Windows desktop weaknesses Using BitLocker in Windows 7 20 days to a more secure enterprise Improvements to offline file synchronization in Windows 7 How to get -- and keep -- user support with security Structuring patch management in seven steps Underlying causes of inconsistent patch management Monitoring user activity with network analyzers Microsoft's Patch Tuesday brings a bumper crop of security fixes Using third-party technologies with Microsoft's NAP RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.