- The Windows 2000\XP\.NET Resource Index

Last Updated December 16, 2003




Password Security

Having (and enforcing) a strong password policy is a basic step that is often overlooked. In random audits of corporate networks, we've found that almost 30% of user passwords are ridiculously easy to guess and appear in any hacker's dictionary. Strict password policies can also be a double-edged sword: make them too strong and your users will begin writing their passwords on sticky notes and keeping them in their desk drawers, under mousepads, or taped to the bottom of the keyboard. Users can also flood your help desk with requests to reset forgotten passwords.
Related Links on this site
Password Management
Resources for administration and troubleshooting passwords.
Password Utilities
Freeware and shareware utilities for generating and securely storing passwords.
Where to Start...

Computer passwords reveal workers' secrets
Many office workers give themselves away with easily guessable passwords. Choosing a PC password has largely become a psychology test, with most office workers choosing a word that they believe sums up their personality. Only the smallest group (about 9 percent of the total) is the most security-conscious, selecting passwords that mix lower and upper case letters, numbers and punctuation to create cryptic passwords.

Enabling Strong Password Functionality in Windows 2000
Microsoft Knowledge Base Article: 225230 - Windows 2000 Server includes the strong password functionality first provided in Microsoft Windows NT Server 4.0 Service Pack 2 (SP2). For additional information about the scope of default strong password functionality, please see the following article in the Microsoft Knowledge Base: Q161990, How to Enable Strong Password Functionality in Windows NT.

Implementing Guidelines for Strong Passwords
Adopting strong password policies is one of the most effective ways to ensure system security. This is only an example policy. It may not be strong enough for your needs; it is up to each customer to determine how strong is strong enough. Source:

Passwords 101: Ten tips to help you tighten Windows NT's security
Common-sense advice on making sure your password policies are tough enough to discourage would-be hackers. Source: Windows NT Professional Magazine (March 1998)

Article by Paul Robichaux - I'm going to let you in on a secret that's little discussed outside the security world: reusable passwords are evil. This might seem like an extreme position, but I can back it up. Source: Microsoft TechNet (Feb 2000)

Password Defense
Setting and enforcing password security policies is a crucial part of securing your enterprise. Source: Windows & .NET Magazine (September 2002)

Password Policies
The default password policy that ships with Win2000 (much like in WinNT) can best be described as "weak." A computer system -- along with its data -- is only as secure as the passwords of the users who access it, particularly users with admin-level permissions. For this reason, if good password security is a concern, you should definitely tighten this policy up. Source:

Password Protection for Administrators' Workstations
We applied a GPO to all user accounts in the Admins OU to secure administrators' workstations with password-protected screen savers. We did this to help prevent passersby from gaining administrative access to the network whenever administrators' workstations are left unattended. Source:

Standard Security Practices for Windows NT
Microsoft Knowledge Base Article: 166992 - Any security breach that requires access to administrative privileges needs to be dealt with using the appropriate security policy. This applies to all commercial operating systems, including Windows NT and UNIX. (updated 10/26/2000)

Stronger Passwords Aren't
In the real world, an eight-character mixed alphanumeric password is no more secure than a simple four-character password, according to Peter Tippett. If you want to cut costs and solve problems, think clearly about the vulnerability, threat and cost of each risk, as well as the costs of the purported mitigation. Source: InfoSecurity Magazine

Ten Windows Password Myths
With all of our advances in security technology, one aspect remains constant: passwords still play a central role in system security. The problem is that as creative as humans are, we are way too predictable. If I asked you to make a list of totally random words, inevitably some sort of pattern will emerge in your list. This article is meant to bring you closer to understanding passwords in Windows 2000 and XP by addressing common password myths. Source: SecurityFocus

Win2K Password Protection 
Win2K's password protection is stronger than NT's, but backward compatibility can leave Win2K systems vulnerable. Source: Windows & .NET Magazine (Winter 2000) - subscription ID may be required.

Generating Complex Passwords
The Encyclopedia Mythica
An online encyclopedia of mythology, folklore, and legend with over 5,700 definitions of gods and goddesses, supernatural beings and legendary creatures and monsters from all over the world. Makes a great reference for generating computer/server names, project codenames, hard to guess passwords, and a unique test user list for computer labs.

Entire contents
© 1999-2003 and TechTarget
All rights reserved
