Using Strong Passwords
Enabling the Passwords must meet complexity requirements (aka strong passwords) policy means that the OS helps you maintain security by enforcing rules when users create passwords. When you enable strong passwords, passwords become more difficult to guess and "dictionary attacks," in which software randomly tries passwords in order to break in, are less likely to succeed.
Strong passwords use a device called a notification package, which uses a .dll file that contains password rules. You can't configure the rules that are in Win2K's default notification package, passfilt.dll. However, you can write your own notification package if you want a different set of rules. You'll find the source code for passfilt.dll in the Microsoft article "HOWTO: Password Change Filtering & Notification in Windows NT" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q151082), and you can use it as a model for writing your own .dll file. The .dll source code is the same for Win2K and NT. Passfilt.dll contains the following rules, which apply as users create passwords.
- Passwords must contain at least six characters, and the character string must contain at least three of these four character types: uppercase letters, lowercase letters, numerals, and nonalphanumeric characters (e.g., *, %, &, !).
- Passwords can't contain the user's logon name.
- Passwords can't contain any portion of the user's full name. If users create passwords that don't pass the rules, the OS issues an error message and won't accept the password.
If you enable strong passwords, you need to consider the settings for password uniqueness. Users might have difficulty inventing strong passwords, and some administrators let a user repeat a password after one or two changed passwords. The rationale for this policy is that because the passwords are difficult to crack, security doesn't suffer when users can reuse an old password after only a short amount of time.
Complicated passwords also increase the chances of typing errors when users enter the password during logon. A more common problem is users forgetting characters in their passwords. Users solve this problem in several ways that compromise security, such as by writing their passwords on notes that they affix to their monitors or by leaving themselves notes in unlocked desk drawers.
Administrators who enable the strong password feature do so because they want to apply the maximum password security features available. Forbidding repeated passwords until a large number of intervening passwords are used certainly tightens security. My advice is to implement the strongest security measures at first. If you run into problems because users can't come up with a series of strong passwords, you can lower the specified number of passwords.
Win2K enforces strong password rules only when a user creates a password over the network (i.e., when the user is working on a computer connected to other computers). The strong password rule isn't active when an administrator writes a user password directly to the SAM, so you can open Active Directory Users and Computers and enter a user password that doesn't qualify as a strong password (let's call it a "weak password"). This action lets you enforce strong password rules on a user-by-user basis. If security is of sufficient concern to warrant implementing strong passwords, use this bypass sparingly. Apply it only to users who have secure workstations or low access rights.
If you enter a weak password for a user in AD, the user must use the strong password rules when he or she creates a new password after the specified time for password changes has elapsed. By selecting Password never expires in the user's Properties dialog box, you can let the user continue to use an administrator-assigned weak password. If you have a reason to give the user a new password, create the password yourself in AD to avoid the filters that the rules contain.
Passwords on the Front Line
Password security is a front-line defense in enterprise security. When you use policies that strengthen password security, be sure to notify users about the new password environment and provide easy-to-follow instructions for creating and changing passwords.
Additionally, intruders sometimes use software that helps them crack passwords. If you can obtain a copy of one of these programs, test your passwords by running the software on various computers within your enterprise. If the software cracks any password within 1 minute, ask the user to create a new, more complicated password.