There is more to a strong password than complexity. Managing several passwords in the same network, cost-effectiveness and implementing a working Group Policy are only a few of the issues you need to be concerned about when it comes to proper password security. Check out this collection of resources and expert advice from Windows security experts like Jonathan Hassell, Wes Noonan and Kevin Beaver to learn about password hardening best practices.
Q: Could you share with me some password hardening best practices? How often should my users change their passwords?
A: Here's a great resource on SearchWindowsSecurity.com that can answer this for you.
Q: I keep hearing weak passwords are a definite security vulnerability. I've tried to institute a more restrictive policy, but management won't go for it. What are your opinions on two factor authentication? Is there a method that is easier to implement than others?
A: Two factor authentication is an expensive but effective way to increase security, particularly if your management won't go for more secure passwords. However, I question whether your management would go for the expense of implementing a system like SecurID, which is also more cumbersome as you need a password and a personal device to do anything on your system, when they are frowning on simply remembering a longer password for a shorter amount of time. Two factor is great, and when coupled with strong passwords it's wonderful, but the most efficient use of time and money would be to lobby harder for strong passwords. Have you tried going the passphrase route, i.e., writing a sentence as a password and typing it in exactly like one would enter it into a word processor?
Q: I've heard there is a Windows NT server security issue involving LM hashes and passwords. Can you tell me more about this and how to fix it?
A: LAN Manager (LM) hashes are an older and weaker method of storing/protecting Windows passwords. There's a further explanation here as well as in my Hacking For Dummies chapter on hacking passwords.
Q: If you have two domains on your network that are located at the same physical site and you want to implement an account policy that requires passwords of at least eight characters and should meet complexity requirements -- do you apply the account policy setting at the site? What account policies should you use?
A: You would need to apply the account policy separately on each domain. Even though the group policy MMC snap-ins will display the "Password Policy" branch for OU's and sites, you can only define the password policy at the domain level. This is because there can only be a single password policy in a given Active Directory, which effectively means that you can only define it at the domain level. Also, just as a note regarding best practices, rather than modifying the default domain policy, you should go ahead and create an additional group policy object with the password policy settings that you want to apply.