Password Quality
You can greatly increase the length of time a hacker needs to crack a password by improving the password's quality. L0phtCrack uses a dictionary to crack one-word passwords in a few seconds, and quality passwords such as Zn5e937o72q204 take only a few days to crack. You can't defeat L0phtCrack's algorithm, so you need to defeat the hacker running the tool.
Make passwords as long as possible with a wide variety of characters. Use 14-character passwords that include mixed-case letters, numbers, symbols, and extended characters that use the ALT-NNNN sequence. (Extended characters can affect compatibility with non-NT systems. Documentation on the problem is sketchy, so I recommend that you test extended characters for compatibility before letting users on non-NT systems include them in passwords for logging on to NT servers.) This strategy increases the number of permutations the algorithm must try before it cracks your hash. Hackers usually start with a small character set to increase cracking speed. If your password uses symbols and extended characters, a hacker's first attempt will probably fail, and the hacker will need to run L0phtCrack using a larger character set, which can take years on a modern PC. The object is to make the intruder lose patience and move on to easier targets. A hacker with enough determination and resources can run a decryption algorithm on multiple machines to reduce the time cracking a password takes, but cracking difficult passwords is prohibitively time-consuming for most hackers. By choosing a long password that uses a range of characters, you can drive hackers to give up before they crack your password or improve the chances that an account's password will change before the hacker cracks the hash.
Password Policy
End users are historically the weakest link in password protection. All the safety precautions I've mentioned won't help if users pick poor passwords such as spouses' names.
NT offers a mechanism for enforcing password policies: notification packages. A notification package is a simple .dll that NT calls whenever a password changes. Developers can use notification packages to automatically synchronize passwords between an NT network and corresponding accounts in other environments, such as UNIX or NetWare. Notification packages can also reject a password that a user proposes if the password doesn't comply with the notification package's rules. Passfilt.dll, which comes with Service Pack 2 (SP2), is a notification package that enforces rules about password selection, such as password length and the variety of characters passwords use. Passfilt.dll doesn't force users to choose passwords that will take hackers prohibitively long to crack, but you can write a notification package that does. (For more information about passfilt.dll, see Microsoft Support Online articles Q161990, "How to Enable Strong Password Functionality in Windows NT," at http://support.microsoft.com/support/kb/articles/q161/9/90.asp and Q151082, "Password Change Filtering & Notification in Windows NT," at http://support.microsoft.com/support/kb/articles/q151/0/82.asp.)
You might have difficulty convincing users to choose quality passwords, even with controls such as Passfilt. If you can't require everyone to choose 14-character passwords that draw on large character sets, at least require such difficult passwords for administrators, server operators, backup operators, and other critical users. To enforce such a policy, you can create a notification package that enforces different password rules for members of different groups.
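The following is an added example, not code from the article or from passfilt.dll, of the rule-checking core such a custom notification package would contain: it applies the character-class rules from the Password Quality section and a stricter length rule for privileged accounts. A real package would export the PasswordFilter entry point described in Q151082 and call this function from it; the threshold values, the function name, and the `privileged` flag (which the package would derive from the account's group membership) are assumptions.

```c
/* Rule-checking core for a custom NT notification package (added example).
 * Windows headers are deliberately omitted so the check compiles anywhere;
 * the DLL's PasswordFilter export would convert its UNICODE_STRING argument
 * to a wide C string and call password_meets_policy(). */
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* Assumed policy: ordinary users need 8 characters, critical accounts
 * (administrators, server and backup operators) need the full 14. */
#define MIN_LEN_USER  8
#define MIN_LEN_PRIV  14

/* Count how many characters of each class the proposed password contains. */
static void classify(const wchar_t *pw, size_t len, int *lower, int *upper,
                     int *digit, int *symbol, int *extended)
{
    *lower = *upper = *digit = *symbol = *extended = 0;
    for (size_t i = 0; i < len; i++) {
        wchar_t c = pw[i];
        if (c > 0x7F)                    (*extended)++;  /* ALT-NNNN extended char */
        else if (c >= L'a' && c <= L'z') (*lower)++;
        else if (c >= L'A' && c <= L'Z') (*upper)++;
        else if (c >= L'0' && c <= L'9') (*digit)++;
        else if (c > L' ')               (*symbol)++;    /* printable ASCII punctuation */
    }
}

/* Returns true when the proposed password satisfies the policy for the
 * account's class. Ordinary users must use at least three of the five
 * character classes; privileged accounts must mix case, include a digit,
 * and include a symbol or extended character so a small-charset attack fails. */
bool password_meets_policy(const wchar_t *pw, bool privileged)
{
    size_t len = wcslen(pw);
    int lower, upper, digit, symbol, extended;

    if (len < (size_t)(privileged ? MIN_LEN_PRIV : MIN_LEN_USER))
        return false;
    classify(pw, len, &lower, &upper, &digit, &symbol, &extended);
    if (!privileged) {
        int classes = (lower > 0) + (upper > 0) + (digit > 0) +
                      (symbol > 0) + (extended > 0);
        return classes >= 3;
    }
    return lower > 0 && upper > 0 && digit > 0 && (symbol > 0 || extended > 0);
}
```

Note that the article's own sample password Zn5e937o72q204 passes the ordinary-user rule but fails the privileged rule, because it contains no symbol or extended character.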
Every security-conscious organization needs to define and enforce policies that reflect users' security responsibilities. In addition to standards for password choices, an effective policy needs to address whether users may write down passwords or share passwords with other users and how administrators can determine whether an intruder has accessed an account (by checking the last logon time and monitoring sudden password changes). Administrators also must define procedures for replacing forgotten passwords and for letting technical support personnel log on under other users' accounts to diagnose problems or install software.