Q: My company wants to enhance the quality of the passwords that users use to log on to our Windows systems. Can you offer some guidelines on which tools and best practices we should use to enhance password quality?
I have three important recommendations for enhancing password quality in a Windows environment: Use the built-in Windows password policies, provide users with guidelines for choosing high-quality passwords, and regularly audit the password quality. These recommendations form your first line of defense against hackers and malicious users trying to exploit the inherent weaknesses of passwords.
Table 1 presents an overview of all password-related Group Policy Object (GPO) settings; the password policy settings are the most important ones. Administrators can use GPOs to centrally control system configuration settings of Windows workstations and servers in a domain environment. Password policy settings, as with any account policy setting, can be defined only on the domain level. You can't enforce a specific password policy for the users in a particular Active Directory (AD) organizational unit (OU) for example.
The most important advice you can give your users is to choose truly random passwords. Tools are available that can help users to choose random passwords. The easiest solution is to let users use the Net User command with the /random switch, as Figure 1 shows for user joe. This command automatically generates a strong random password and assigns it to the user account.
Another solution is to use an online password-generation service, such as the one at http://www.winguides.com/security/password.php, or a standalone password-generation program, such as the one available from http://www.mark.vcn.com/password. A Google search for "password generator" will reveal other similar tools. These password-generation tools typically generate a random password of a length and complexity specified by the user. They also let you generate multiple random passwords in one run. The online password-generation services are accessible for free. Some of the standalone programs you must pay for.
You should also recommend that your users choose passwords that include special characters that can't be detected by password-cracking tools. The 187 special characters that can't be detected are listed at http://sysopt.earthweb.com/articles/win2kpass. To perform basic password quality tests, you can use the Microsoft Baseline Security Analyzer (MBSA). The MBSA tool, which Figure 2 shows, can check for the following password conditions:
- Password is blank.
- Password is the same as the user account name.
- Password is the same as the machine name.
- Password uses the word "password".
- Password uses the word "admin" or "administrator".
MBSA version 1.2.1, the most recent version, also includes a command-line version (mbsacli.exe) that can perform the same checks. For advanced password-quality tests, I recommend that you look at a set of third-party tools that can crack the password hashes Windows stores in the security database (the SAM or AD) and sends across the network during authentication exchanges. These tools aren't just hacking tools: They're also excellent tools to run regular password quality audits on your Windows domains. To run the tools you need administrator privileges on the local system. Popular tools in this space are L0phtcrack and John the Ripper.