5-Minute Security Advisor - Choosing a Good Password Policy

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated: June 7, 2002

Passwords are a largely misunderstood security measure—there's more to them than we usually consider. (Don't take my word for it: see The Ten Immutable Laws of Security, law #5!) The combined passwords of the accounts on your network can be considered a security perimeter. If any one of those passwords is compromised, then unauthorized or malicious users can gain access to your network's resources. Without a valid username and password, attackers have to rely on other attack methods, many of which are easily traceable and identifiable. Password compromise is an insidious problem, though, because when a password is compromised you may not find out about it until it's too late. One way to fix this problem is to do away with passwords altogether (subliminal message: USE SMART CARDS). Since that's not always practical, Windows 2000 makes it easy for you to build domain-based policies that protect your passwords against common attacks while simultaneously ensuring that users aren't creating weak, easily guessed passwords. (Of course, strong passwords alone don't rule out the need for other security measures, including protecting against the most common compromise methods, maintaining good physical security, and using appropriate tools.)

Common password attacks

It helps to understand the most common types of assaults on reusable passwords, because understanding their vulnerabilities helps you assess strategies to strengthen weak areas in your own network.

  • Brute-force attacks. One of the most common password attacks is the simple brute-force dictionary attack. Passwords are stored in the Windows NT SAM and Active Directory after being passed through a one-way hash algorithm. This type of algorithm is not reversible. Therefore, the only way to tell if you have the right password is to run it through the same one-way hash algorithm and compare the results. Dictionary attacks run entire dictionaries through that same hash, looking for matches. They are a simplistic, yet very effective, approach to finding out who's used common words like "password" or "guest" as their account passwords.

  • Social-engineering attacks. These attacks depend on smooth talking: an attacker uses a mix of persuasive skills ("I can't secure this system without your password"), claims of authority, and misdirection ("I'm calling from the IT helpdesk") to fool your users into disclosing their passwords. It's hard to put technical solutions in place to stop these attacks (except, as mentioned, by getting rid of passwords altogether).

  • Network snooping. Network "sniffers" allow attackers to see network traffic in real time. From this traffic, they can pluck out interesting data, including poorly secured passwords. The good news: using strong security protocols like IPSec and Kerberos protects the valuable data by encrypting it, so that the sniffer only records gobbledygook.

  • Trojan horses. As the name implies, a Trojan horse is a seemingly innocuous piece of software that the user is tricked into running. Once the software has been run, it can attack the network in a variety of ways in the user's context. One of the many things it can do is watch the user's keystrokes and send them to a third party. For example, a Trojan can capture a user's password when she types it in to authenticate to a non-domain resource.

How to stop common attacks

Windows 2000 and Windows XP offer a good degree of protection against brute-force attacks and network snooping. Brute-force attacks depend on one of two things: the attacker either has to repetitively try actual passwords, or she has to have a copy of a set of password hashes. Setting reasonable account lockout policies will keep attackers from brute-forcing passwords by testing them on real accounts, while picking strong passwords makes dictionary attacks far less likely to succeed. Setting the correct LMCompatibilityLevel value will ensure that no hashes are sent over the network, and enabling the Syskey protection tool keeps attackers from being able to use password hashes stolen from the local machine.

Make sure that you're using the appropriate level of compatibility. While you're at it, make sure that all of your domain controllers (whether Windows NT or Windows 2000) have Syskey enabled and configured properly.

What about social engineering and Trojan horse attacks? These are harder to stop because they involve your users. To help guard against social engineering attacks, do whatever you can to train your users not to give out their passwords, ever. Make sure they know not to write down their passwords, send them via email, or share them with co-workers. Remind them frequently not to use common words or personal information like the names of their pets, children, or spouses, and that any request for their password should be reported to your IT or corporate security department. That's a lot to remember, and some users will still do these things anyway, but regular training does reduce the incidence of these bad behaviors.

To stave off Trojans, make sure that all your computers have a good, up-to-date virus scanner, since a competent scanner will detect many Trojans before the user can run them. You may also want to consider restricting which programs workstations can run.

Using Windows password policies

Of course, the best way to encourage your users to pick strong passwords is to force them into it. The group policy features of the Windows 2000 Active Directory and Windows XP allow administrators to ensure that strong passwords and safe logon policies are being followed on a domain-wide level. Because Active Directory policies applied at different levels of the domain hierarchy can be configured to block policy inheritance, it is important to ensure that important domain-wide policies are set to No Override, which prevents lower-level organizational units from overriding their configurations. You control password policies by modifying the

There are two primary components to a good password policy:

Action: check the local password policy on your Windows XP computer. Is it strong enough? If you're not sure, review these guidelines. There are detailed instructions for how to change password policy settings, too.

  • The account lockout policy determines how many failed logon attempts the domain controller will accept before locking out the account for a specified period of time. You can configure how many guesses the user gets (Account Lockout Threshold), how long the account will be locked out for (Account Lockout Duration), and how long to wait after a successful logon before resetting the lockout count. Although it's inconvenient to lock out user accounts when users make legitimate mistakes, these policies deter persistent password guessers and more importantly help to foil dictionary attacks that require logging on as the user to test each guessed password.
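The lockout mechanics described above, as an added example that is not part of the original article: a small Python model of the Account Lockout Threshold, Account Lockout Duration and reset-counter settings, plus a function that bounds how many online guesses per day an attacker can make against a single account under a given policy. The policy values and the logon timeline are constructed for the demonstration; in this model the failure count resets both on a successful logon and once the configured interval has passed with no further failure, which is an assumption of the model rather than a statement from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int          # Account Lockout Threshold: failed logons that trigger a lockout
    duration: timedelta     # Account Lockout Duration (zero means locked until an admin unlocks)
    reset_after: timedelta  # interval without a new failure after which the count resets (assumed)

@dataclass
class Account:
    password: str           # plaintext only for the simulation; real systems compare hashes
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None

def try_logon(acct: Account, policy: LockoutPolicy, guess: str, now: datetime) -> str:
    """Apply one logon attempt at time `now`; return 'locked', 'success' or 'failure'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"          # right or wrong, nothing is accepted while locked
        acct.locked_until, acct.failures = None, 0
    if acct.last_failure and now - acct.last_failure >= policy.reset_after:
        acct.failures = 0            # observation window expired: count starts afresh
    if guess == acct.password:
        acct.failures = 0            # a successful logon clears the count as well
        return "success"
    acct.failures += 1
    acct.last_failure = now
    if acct.failures >= policy.threshold:
        acct.locked_until = now + policy.duration if policy.duration else datetime.max
    return "failure"

def max_online_guesses_per_day(threshold: int, duration_min: int, reset_min: int) -> int:
    """Upper bound on guesses an attacker hammering one account can make in 24 hours."""
    if duration_min == 0:
        return threshold             # one burst, then an administrator has to unlock
    ride_out_lockouts = (1440 // duration_min) * threshold
    stay_under_threshold = (1440 // reset_min) * (threshold - 1)
    return max(ride_out_lockouts, stay_under_threshold)

def demo() -> list:
    """Constructed timeline: five wrong guesses lock the account for 30 minutes."""
    policy = LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30))
    acct = Account(password="constructed-demo-password")
    t0 = datetime(2002, 6, 7, 9, 0)
    results = [try_logon(acct, policy, f"guess{i}", t0 + timedelta(seconds=i)) for i in range(5)]
    results.append(try_logon(acct, policy, acct.password, t0 + timedelta(minutes=5)))   # still locked
    results.append(try_logon(acct, policy, acct.password, t0 + timedelta(minutes=31)))  # lockout expired
    return results
```

The bound function shows that a reset interval much shorter than the lockout duration raises the guesser's daily budget (384 versus 240 for the test values), so the two settings should be kept close together.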

Action: download the Microsoft Baseline Security Analyzer and use it to scan your own computer. Immediately fix any of the password-related problems it reports (like having blank passwords, weak passwords, or passwords that are too short). Once you've tightened up your own computer, scan a domain controller or workstation and see what kinds of problems it reports—then plan to fix them.