2.6 Password Basics

Passwords are the basis of most security schemes, including Windows Server 2003. Passwords are used by client computers to log on to a domain, and they're also used by users to log on to a domain or to a computer's local user accounts.

In a default Windows Server 2003 environment, passwords are the keys to the entire kingdom. For example, the only difference between an unauthorized intruder and a domain administrator is that the domain administrator knows the password to a powerful user account. For that reason, it's important that you implement procedures and policies that require strong passwords of your users.

2.6.1 What's a Strong Password?

Strong passwords are passwords that are difficult for intruders to guess or successfully duplicate. So, before you can accurately define strong, you need to understand the techniques that an intruder might use to compromise a password.

As I mentioned earlier in this chapter, Windows Server 2003 stores passwords after running them through a one-way hash. That means attackers have no possibility of successfully decrypting a stored password, even if they somehow come into possession of a stored password. If an attacker does manage to obtain a hashed password and knows the hash algorithm (which she will), she must run combinations of passwords through the hash algorithm until she gets a hash result that matches the stored password. Then she'll know the clear-text version of the password. The most common form of this attack is called a dictionary attack, which I described earlier.

Another way attackers can compromise a password is to try to log on to the domain, guessing a new password each time until the domain lets them in. There are readily available tools that can do this for the attacker rapidly. This technique is often called a brute force attack, because the attacker is simply trying every possible password in a brute attempt to obtain the right one. This technique isn't really that different from the first technique, although an administrator can implement account policies to limit the effectiveness of this attack. If you've also implemented a strong password requirement, the odds that the attacker can guess the right password before being caught or locked out are slim.

Always consider implementing strict account lockout policies within your domain and on the local accounts of individual computers. Account lockout causes the computer (or domain) to disable a user account after a specific number of bad passwords are tried (say, 10 attempts). An attacker attempting to log on by guessing passwords won't get very many guesses before the account is disabled, and therefore useless. You can also configure Windows to leave the account locked out until an administrator takes action, giving you the opportunity to discover why the account was locked out and take protective measures if necessary. For more on account lockout policies, see Chapter 13.
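The lockout behavior just described, as an added example that is not code from the book: a small policy model that disables an account after a threshold of bad attempts (10, as in the text) and refuses even the correct password until an administrator unlocks it. The observation window that resets the failure counter is an assumed value, not one the chapter specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOCKOUT_THRESHOLD = 10        # bad attempts before the account is disabled (page's example)
OBSERVATION_WINDOW = 30 * 60  # seconds between failures after which the counter resets (assumed)


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked: bool = False


class LockoutPolicy:
    """Tracks failed logons per account and locks the account at the threshold."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD, window: int = OBSERVATION_WINDOW):
        self.threshold = threshold
        self.window = window
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"          # correct or not, nothing gets in until an admin unlocks
        if password_ok:
            st.failures = 0          # a good logon clears the counter
            return "success"
        if now - st.last_failure > self.window:
            st.failures = 0          # stale failures no longer count
        st.failures += 1
        st.last_failure = now
        if st.failures >= self.threshold:
            st.locked = True         # "leave the account locked out until an administrator takes action"
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        st = self.accounts.setdefault(user, AccountState())
        st.locked, st.failures = False, 0


def simulate_guessing(policy: LockoutPolicy, user: str, real_password: str,
                      guesses: List[str], start: float = 0.0) -> Tuple[str, int]:
    """Replay a constructed guess list one second apart; returns (final outcome, attempts used)."""
    outcome, used = "failed", 0
    for i, guess in enumerate(guesses):
        used = i + 1
        outcome = policy.attempt(user, guess == real_password, start + i)
        if outcome in ("success", "locked"):
            break
    return outcome, used
```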

2.6.2 Enforcing Strong Passwords

Strong passwords, therefore, are ones that are especially hard to guess. Words that wouldn't ever appear in a dictionary are good choices, too. The common definition of a strong password is:

  • At least eight characters in length. Fifteen characters or more is best because of the cryptography Windows uses behind the scenes. With passwords, longer is always better.

  • Contains characters from at least three of the following categories:

    • Uppercase letters

    • Lowercase letters

    • Numbers

    • Symbols, punctuation marks, and nonkeyboard characters

  • Changed on a regular basis.

  • Never shared.

So while "doggie" would be a poor password choice, "My:-)Doggie" would be considered a much stronger password, and "ih8!myy0At3m3eL$0" would be very resistant to attacks. Requiring users to change their passwords on a regular basis (every 30 to 60 days) also makes attacks more difficult. I'll further discuss how Windows Server 2003 stores passwords later in this book.
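The strength definition above, as an added example that is not code from the book: a checker that applies the chapter's rules (at least eight characters, fifteen recommended, three of the four character categories, not a plain dictionary word) to the three sample passwords. The tiny word list is a constructed stand-in for a real dictionary.

```python
import string
from typing import Dict, List

# Constructed stand-in for a real dictionary of words an attacker would try first.
COMMON_WORDS = {"doggie", "password", "kitty", "letmein", "welcome"}

CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "number": set(string.digits),
}
# Everything else (symbols, punctuation, non-keyboard characters) is the fourth category.


def categories_used(password: str) -> set:
    used = set()
    for ch in password:
        for name, members in CATEGORIES.items():
            if ch in members:
                used.add(name)
                break
        else:
            used.add("symbol")
    return used


def check_password(password: str, min_length: int = 8, recommended_length: int = 15,
                   min_categories: int = 3) -> Dict[str, object]:
    """Return {'ok': bool, 'problems': [...], 'advice': [...]}.

    'problems' are failures of the chapter's definition; 'advice' covers the
    "longer is always better" recommendation that does not make a password fail.
    """
    problems: List[str] = []
    advice: List[str] = []
    if len(password) < min_length:
        problems.append(f"only {len(password)} characters; minimum is {min_length}")
    elif len(password) < recommended_length:
        advice.append(f"meets the minimum but {recommended_length}+ characters is recommended")
    used = categories_used(password)
    if len(used) < min_categories:
        problems.append(f"uses {len(used)} character categories; need at least {min_categories}")
    if password.lower() in COMMON_WORDS:
        problems.append("is a dictionary word and falls to a dictionary attack immediately")
    return {"ok": not problems, "problems": problems, "advice": advice}
```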

Of course, changing passwords frequently makes it more difficult for users to remember their passwords, making it more likely that they will write them down. Encourage users to use passwords that combine two or more words to form a "pass phrase." Here are some good examples, but please never use these actual passwords (attackers read this book too!):


Notice that the second character of each word is capitalized, making the change in case easier to remember.


This is a good example of letter replacement and "dewd speak": replacing letters with numbers that look similar and mixing upper- and lowercase. Pronounced out loud (at least by me) it says "Kleo is a nice kitty," which is easy to remember. Also, this scheme might help the crazy cat lady type who has numerous pets, as she could simply replace Kleo's name at the beginning of the string with another one at the next password change. Another benefit of this password is that it's large enough to present any attacker with a difficult task to decrypt while still remaining relatively easy for the crazy cat lady to memorize.


The first and last letters are capitalized, and two letters (lowercase g) are replaced with @ symbols, a less common substitution. If you have a pet weasel named Tigger, this is a reasonably easy one to remember while being cryptographically difficult to attack.


For a user with the last name of Roberts, this isn't bad. It substitutes meaningless numbers for three of the characters and throws punctuation in the middle. Although a bit short, this is a strong password.

My cat, Lucy, likes to bathe in my presence.

This is a true pass phrase. It's quite long with 44 total characters, which makes it exceedingly difficult to attack with current brute force password attacks. It's also easy for me to remember; in fact, my cat Lucy reminds me of it nightly. And while it seems a bit longish, it's pretty easy to type because it's a sentence. I'm used to typing English sentences with spaces, capitalization, and punctuation. So the length is offset by the natural feel of it.

The trick is to come up with passwords that have some meaning or follow some private pattern, while keeping them nice and complex. The best password in the world is the longest and most complex one that you won't forget.

The strongest password is no good if users divulge it or write it down. Make sure your security policy helps your users understand the necessity of keeping their passwords secret from everyone, including administrators and managers. For rarely used accounts with high privilege, such as Enterprise Admins or Schema Admins, consider generating a complex pseudorandom password and locking it in a safe, or perhaps giving portions of the password to multiple administrators for safekeeping.

Windows Server 2003 lets you configure the password policies on your computers' local accounts and in Active Directory. As shown in Figure 2-1, you can configure account lockout policies as well as set a minimum password length, maximum password age, and so on. To configure these policies on a standalone or member server, use the Microsoft Management Console (MMC) Local Security Policy snap-in. A complete example, including portions of a security policy, appears in Chapter 5.

Figure 2-1. Account and password policies

The Local Security Policy snap-in allows you to modify policy for a computer's local accounts. On a domain controller, the Local Security Policy snap-in is unavailable due to the computer's role in the domain.