Join Mike Meyers for an in-depth discussion in this video, Passwords and authentication, part of CompTIA A+ (220-902) Cert Prep: 6 Securing Computers.
- I've got the world's greatest computer right here. It's got all my software just the way I like it, and everything's perfect in my connectivity and my web browser, and I love this computer. And the last thing I want is any bad person, or at least a person who isn't authorized, logging into this computer and potentially doing evil things. So to prevent that, the number one most important thing we've got to be able to do is make strong passwords. For CompTIA, the bottom line is that a password should be about eight characters long, and should include upper and lower case characters as well as numbers.
For me, I would want at least 10 characters, upper and lower case, numbers, and special characters like exclamation points and pound signs and things like that. Whatever the case may be, in order for this to work, you've got to make Windows want to do that. You've got to make Windows say, if you're gonna make a password, it has to be strong. And on top of that, you want to be able to track people who are trying to log in, and what are you gonna do if somebody tries logging in four or five times? Don't you want to stop 'em? No worries, Windows has all the tools to do that, and it all boils down to your local security policy.
Every version of Windows has it. Let's look at it on Windows 7. You can get to your local security policy the exact same way through every version of Windows. All you need to do is get to your Control Panel, then click on Administrative Tools, and you'll see it right there, Local Security Policy, let's open that guy up. All right, your local security policy sets up all kinds of incredible security stuff. I'm just gonna show you a little bit in terms of protecting your system from people logging into it, but it can go a lot further than that.
But let's start with these 'cause it works out really well. So we'll look under Account Policies, and you'll see we have two sub-folders, Password Policy and Account Lockout Policy. So let's click on Password Policy. Now, there's a couple of things in here. If you look at Password Policy, first of all it'll say Password must meet complexity requirements. My current password does not meet complexity requirements, so if I actually hit OK here, I'm gonna have to re-log in to Windows, so I'm gonna cheat, and right now I'm just gonna say Disabled.
Let me hit Disabled. And it'll actually explain what the complexity requirements are, so it goes into a lot of detail there. So it's a great way if you don't want people to use passwords like 1234, you just turn on this policy, and any time a new user is created or a password is done, they have to make it complex. Here's a minimum password length. Minimum and maximum password age. You can basically say how long can this password be before someone can change it? Enforce password history basically prevents people from using the same password over and over again.
So when they change it, it'll remember how many passwords back you want, you can literally tell 'em, so in this case, I'm gonna say remember the last five passwords. So when they change their password, they won't be able to use any of the last five. So you can do a lot of really cool stuff, and this comes in every version of Windows. So, Account Lockout Policy, this basically means if somebody logs into your computer, how many attempts do they get before they get locked out? So here it says Account lockout threshold is five invalid login attempts.
So after five attempts, they're locked out for 30 minutes. That'll make you really popular as administrator. Now, this third option, Reset account lockout counter after, right now it's set to 30 minutes. That takes a little explaining. You see, every time you log in incorrectly, you have an invalid login attempt. So you get up to five. Let's say you logged in three times, and you keep getting it wrong. The problem you have here is that you know, 'cause it's your machine, that if you log in two more times you're gonna be locked out for 30 minutes, and you don't want to be locked out for 30 minutes.
So this tells the system how long to wait before you go back to zero attempts. So I'm gonna set this to something more realistic, like five minutes. So now let's say you log in four times and it's wrong every time, you know if you log in one more time, you're gonna be locked out for 30 minutes. So how long do you have to wait until you go back to zero? Now I've got it set to five minutes. So this is good for those legitimate people who just don't remember their password.
Now, passwords are great, and passwords are very strong if you do it right within a Windows environment. But sometimes you need more than a password. There's the whole concept of what we call multi-factor authentication. Multi-factor authentication combines a username and password with one of three things: something you know, which would be a username and password, something you have, which could be a key fob or a smart card or something like that, or something about you, which could be your fingerprint or your retina or something that's unique to you.
So we've already got something you know, which is a username and password, so let's take a look first at biometrics. All right, this is the biggest laptop I've ever seen in my entire life. Anyway, it's got all kinds of features, but the one thing it does have on here, if you see right here, this is a little biometric control device where you just swipe your finger over it and it will memorize your fingerprint. So to use these, they go into two modes. You go into what's called training mode where it trains itself to memorize your fingerprint.
You usually have to do it three or five times, and then you switch it out of training mode, and then every time this computer boots up, it will boot up and you type in your username and password, but then you have to swipe your finger just to log in to Windows. Now, fingerprint scanners are fairly common. You'll see them used from time to time, but the A+ actually mentions retinal scanners. I'm sorry that I'm laughing. I've been in the IT industry for 30 years, and I have seen a retinal scanner exactly one time, and that was at a network operation center in Miami, Florida.
Other than that, odds are the only place you're ever gonna see a retinal scanner is if you're playing a game, like, I don't know, say Half Life. Bottom line is that a biometric is always gonna have some aspect of you, whether it's your fingerprint or your retina. They use the wrist, the veins in your wrist. There's all kinds of crazy biometrics that are out there. Biometrics are also a pain, so another alternative that people tend to go with are encryptions that use some kind of key.
The key is known by the organizational group RSA, which is three guys, I can never remember their names. But they use an encryption methodology that uses this key for authentication. So this key could be stored on a key fob, it could be stored on a smart card, RFID, infrared, I even have it here on this little guy right here, this is my World of Warcraft authenticator. If you actually watch every few seconds, this eight digit code changes. So when I log in to World of Warcraft, I actually type in my username and my password, and then I have to type in this eight digit code, and then I'm in, so this has been very very handy.
World of Warcraft was notorious for people hacking accounts, and I logged in a couple of times to find my character's bank completely emptied, and no money in his pockets, and it was pretty upsetting. I use this thing all the time. So the bottom line is, when you're dealing with authentication, remember, a good, strong password, a good local security policy, and if you're really paranoid, some multi-factor authentication will keep the people you don't want on your computer out. (upbeat music)
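As an added illustration that is not part of the video or its course material, the Python below models the two Local Security Policy areas the video walks through: Password Policy (complexity requirements, minimum length, and "remember the last five passwords") and Account Lockout Policy (a threshold of five invalid attempts, a 30-minute lockout, and the reset-counter window that the video sets to five minutes). It is a simulation of the semantics described, not Windows code: the class and function names are the example's own, the constraint that the reset window may not exceed the lockout duration is the one Windows enforces in the policy editor, and the password history is kept as plain strings purely for illustration (Windows stores hashes, never the passwords themselves).

```python
"""Model of Windows Local Security Policy: Password Policy and Account Lockout Policy.

Added example for illustration; names and structures are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional
import string


@dataclass
class PasswordPolicy:
    min_length: int = 8             # CompTIA baseline mentioned in the video
    require_complexity: bool = True  # "Password must meet complexity requirements"
    require_special: bool = False    # the presenter's stricter personal preference
    history_size: int = 5            # "Enforce password history": remember last five


def password_problems(candidate: str, policy: PasswordPolicy,
                      history: List[str]) -> List[str]:
    """Return every rule the candidate password breaks (empty list = accepted).

    `history` is the user's previous passwords, oldest first (plain strings here
    only for illustration; a real system would compare hashes).
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        if not any(c.isupper() for c in candidate):
            problems.append("no upper-case letter")
        if not any(c.islower() for c in candidate):
            problems.append("no lower-case letter")
        if not any(c.isdigit() for c in candidate):
            problems.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if candidate in history[-policy.history_size:]:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems


@dataclass
class LockoutPolicy:
    threshold: int = 5          # invalid attempts before the account locks
    duration_min: int = 30      # "Account lockout duration"
    reset_window_min: int = 5   # "Reset account lockout counter after"

    def __post_init__(self):
        # Windows refuses a reset window longer than the lockout duration.
        if self.reset_window_min > self.duration_min:
            raise ValueError("reset window must not exceed lockout duration")


@dataclass
class AccountState:
    bad_attempts: int = 0
    last_bad_at: Optional[float] = None   # minute of the most recent bad attempt
    locked_until: Optional[float] = None  # minute at which the lockout expires


def attempt_login(state: AccountState, policy: LockoutPolicy,
                  correct: bool, now_min: float) -> str:
    """Apply one logon attempt at time `now_min`; returns 'ok', 'bad' or 'locked'."""
    # A locked account rejects every attempt, even with the right password.
    if state.locked_until is not None:
        if now_min < state.locked_until:
            return "locked"
        state.locked_until = None          # lockout expired: start clean
        state.bad_attempts = 0
        state.last_bad_at = None
    # Quiet for at least the reset window: the invalid-attempt counter goes back to zero.
    if state.last_bad_at is not None and now_min - state.last_bad_at >= policy.reset_window_min:
        state.bad_attempts = 0
        state.last_bad_at = None
    if correct:
        state.bad_attempts = 0
        state.last_bad_at = None
        return "ok"
    state.bad_attempts += 1
    state.last_bad_at = now_min
    if state.bad_attempts >= policy.threshold:
        state.locked_until = now_min + policy.duration_min
        return "locked"
    return "bad"


def run_scenario(policy: LockoutPolicy, attempts):
    """attempts: list of (minute, password_was_correct); returns the outcome of each."""
    state = AccountState()
    return [attempt_login(state, policy, ok, minute) for minute, ok in attempts]


if __name__ == "__main__":
    # Four wrong guesses, then a five-minute pause resets the counter (constructed scenario).
    print(run_scenario(LockoutPolicy(), [(0, False), (1, False), (2, False), (3, False), (8, False), (9, True)]))
    # Five wrong guesses in a row: locked for 30 minutes, even for the right password.
    print(run_scenario(LockoutPolicy(), [(0, False), (1, False), (2, False), (3, False), (4, False), (10, True), (34, True)]))
    print(password_problems("1234", PasswordPolicy(), []))
```

The two scenarios make the video's point about the reset window concrete: a user who stops after four bad guesses and waits five minutes starts again from zero, while a fifth guess inside the window locks the account for the full 30 minutes regardless of what is typed next.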
Security is one of the IT pro's chief concerns, and it's a big domain of the 220-902 exam. This course outlines the basic procedures for securing any computer, covering topics such as physical security, password protection, malware detection and prevention, and firewalls. CompTIA expert Mike Meyers also helps you understand how to dispose of data correctly and respond to security incidents.
After completing this course and the others in the series, you should feel prepared to ace the exam. Find your testing location and schedule a test at https://certification.comptia.org/certifications/a.