Join Lisa Bock for an in-depth discussion in this video Creating strong passwords, part of IT Security Foundations: Operating System Security.
- When authenticating into a system, I can use one of three things. What you know, such as a password, or a passphrase, a PIN, or even a lock combination. Or, what you have, in your hand such as a smart card, a token, or even a dongle. Or what you are, and that would be in the form of a biometric, such as a fingerprint, iris recognition, or voice recognition. Of the three, the password is simple and inexpensive, and even with all of the technologies we use today, will most always be used in some form.
Now what happens when you try to log into a system? When trying to gain access into a system, you present your username stating "who I am." The password verifies who you say you are. Then you're allowed to gain access into the system. Since a password is simply a sequence of characters, it is a weak security mechanism, so steps should be taken to ensure a strong password. Now on the client side, here's what you can do to create a strong password.
Create a password at least eight characters long. We want to use at least three of the following: upper or lowercase letters, numbers, punctuation marks, and symbols. For an even stronger password, we might even use a passphrase. This can be more secure than a password because it's more complex. For example, I use the passphrase LetsGototheballpark, using exclamation points instead of Ls.
On the server side this is used to enforce a complex password. Now the administrator can set all, or any of, these following requirements. I'm in Server 2008, and now I'm going to look at security settings, and the account policies. The password policy will take a look at some of these variables. Enforce password history. In this case I can set the password history to make sure I change it, so it's not similar to the past four passwords remembered.
For example, my password, and I'll use a very simple example for this, would be tiger and it says I have to change my password, and I try to change it to liger. It won't let me because it's too similar to the recent password I just used. I can force a user to change their password after so many days. In this case you see it's 42 days, but I can change it to 60, or 30, or any number that I would like them to change their password to keep them fresh.
In this case I can see that the password can be changed immediately after zero days would they just simply log in and change it that same day. The minimum password length, as you can see is set at zero, but I'm going to just change that to eight so that we keep it consistent. And this is actually where I can just simply say "Meet complexity requirements." Now let's go to where it says "Explain." Here where it says "Password must meet complexity requirements." This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, the password must meet the following minimum requirements. As you can see, similar to what we just talked about, meaning it's at least six characters in length, contains characters from three of the following four categories; uppercase, lowercase, digits, and non-alphabetic characters. So if I set that, that will truly enforce complexity. And in some cases I might have to store my passwords using reversible encryption, and that setting I would enable at this point.
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.
- Creating strong passwords
- Understanding biometric security
- Adjusting permission behavior
- Enabling auditing
- OS hardening
- Using the Microsoft Baseline Security Analyzer
- Protecting email