NT4 User Passwords

by Johannes Helmig [Published on 30 June 1999 / Last Updated on 30 June 1999]

When you worked on a Windows95 system, you did not pay too much attention to Usernames and Passwords (unless you were connected to an office server). For example: if you forgot the password, you just logged in without Username and Password (selecting "Cancel" / "Esc" in the Login window), deleted the PWL-file, and on the next Login entered your old Username and defined a new Password.

Windows95:
- both Usernames and Passwords are NOT case-sensitive
("test", "TEST", "Test", "tesT" would all be the same Username or Password)

Windows NT4:
- Usernames are on Windows NT4 not case-sensitive
- Passwords are case-sensitive:
("test", "TEST", "Test", "tesT", "teSt" are all different passwords for Windows NT4!)

But now we are working on NT: you need to use the User-Manager to define new Users and to change Passwords.
And since NT allows you to run a secure system, NT offers you additional options for managing passwords (since in most environments it is only a question of time until a password is known by unauthorized people, methods need to be implemented to prevent passwords from becoming known).

Select in the NT User-Manager in the menu:
"Policies" / "Account"

1) Maximum Password Age
Since it is only a question of time before a password becomes known to other people, NT can force the users to change the password after a predefined time. It is also possible to define a minimum time before a password can be changed again, see 2).

3) Minimum Password Length
Do you allow a 'blank' password or any length? Not much security, since most people will simply use their initials as password, and any intruder will always first try no password (= 'blank' password) or the initials.
In a secure environment, passwords should be at least 5, better 7 characters in length.

4) Password Uniqueness
- You force the usage of passwords?
- You enforce the password to be changed after x days?
And what are the lazy users doing: they always use the same two passwords (most probably the name of their partner [wife/husband] and of their children) and then just switch back and forth between these two passwords (so, once a password gets known, it can be re-used by an intruder after some days).
To prevent this, the system can memorize the last 'X' passwords and will then insist that a new password is defined which was not already used in the recent past. In a secure environment, it should be set to a high value (last 10 or more).

5) Account Lockout
Somebody tries to break into your NT-system: he has your username and he is guessing your password, trying:
- your birthday
- your partner's first name
- your partner's birthday
- your children's names
- your children's birthdays
(are you using one of these? Don't!)
With sufficient time, the intruder will succeed in a lot of cases (especially if the break-in attempt is made via a program which uses a dictionary of thousands of words, trying them all as your password).

Therefore, a user account should be locked after 'X' bad logon attempts.
You can define the limit of attempts within a time-frame, before the system resets the counter for such attempts. Usually, you have 3 attempts within 30 min or an hour.

6) Lockout Duration
You had an intruder trying to break into your system (or even worse: you did not remember your own password and made a few guesses) and NT locked your account: for how long?
In low-security environments: an account is usually locked for 1-2 hours, then it becomes automatically accessible again (unless you talk to the Administrator and he/she unlocks the account manually).
But in high-security environments: an account will be locked permanently; you will be required to contact your Administrator, get most probably a lecture on "Security and how important it is", and then the Administrator will unlock the account, enabling you to login again.
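As an added illustration (my own code, not part of the original article), here is a small Python model of the settings from 5) and 6): 'X' bad attempts within a time-frame, the reset of the counter after the time-frame, and a timed versus a permanent lockout. The numbers are the article's own examples (3 attempts in 30 minutes, locked for 2 hours); the clock is passed in as a parameter so the model runs offline.

```python
import math
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int = 3          # bad logon attempts allowed ...
    window: float = 30 * 60     # ... within this time-frame (seconds) before the counter resets
    duration: float = 2 * 3600  # seconds the account stays locked; math.inf = until an Administrator unlocks it

@dataclass
class Account:
    username: str
    password: str
    bad_attempts: int = 0
    window_start: float = 0.0   # time of the first bad attempt in the current time-frame
    locked_until: float = 0.0   # timestamp; 0.0 means not locked

def logon(acct, username, attempt, policy, now):
    """One logon attempt at time `now` (seconds). Returns 'ok', 'bad' or 'locked'."""
    if username.lower() != acct.username.lower():  # NT4 usernames are not case-sensitive
        return "bad"
    if now < acct.locked_until:
        return "locked"
    acct.locked_until = 0.0                         # a timed lockout has expired
    if attempt == acct.password:                    # NT4 passwords are case-sensitive: exact compare
        acct.bad_attempts = 0
        return "ok"
    if acct.bad_attempts == 0 or now - acct.window_start > policy.window:
        acct.bad_attempts, acct.window_start = 0, now  # first bad attempt, or time-frame expired: count afresh
    acct.bad_attempts += 1
    if acct.bad_attempts >= policy.threshold:
        acct.locked_until = now + policy.duration
        acct.bad_attempts = 0
        return "locked"
    return "bad"

def unlock(acct):
    """Manual unlock by the Administrator (the only way out when duration is math.inf)."""
    acct.locked_until = 0.0
    acct.bad_attempts = 0
```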

Suggestion for passwords:
- a length of minimum 6 characters
- define some characters as uppercase (on an NT4-system)
- make it a combination, like: <word1><delimiter><word2>
where word1 and word2 can be: names, dates, things
and delimiter is: +, -, @, #, _, *, %, or any other special non-alphanumeric character
(and on changing the password, use a DIFFERENT delimiter).
Passwords like "oakTree-12dEc55" can be easy to remember but are almost impossible to guess, and intruders with a dictionary have almost no chance to find them.
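An added example (my own code, not from the article) that checks a chosen password against the suggestions above: a length of at least 6, some uppercase, the <word1><delimiter><word2> form, a different delimiter than the previous password, and not one of the obvious guesses from 5) (names, birthdays). The regular expression and the personal_facts parameter are my own assumptions.

```python
import re

# <word1><delimiter><word2>: words are letters/digits, the delimiter is one non-alphanumeric character
PATTERN = re.compile(r"^([A-Za-z0-9]+)([^A-Za-z0-9\s])([A-Za-z0-9]+)$")

def check_password_choice(candidate, previous=None, personal_facts=()):
    """Return the list of suggestions that `candidate` breaks (an empty list means acceptable).
    `previous` is the password being replaced; `personal_facts` are the things an intruder
    would try first (your birthday, the names and birthdays of partner and children)."""
    problems = []
    if len(candidate) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    m = PATTERN.match(candidate)
    if m is None:
        problems.append("not of the form <word1><delimiter><word2>")
    elif previous is not None:
        prev = PATTERN.match(previous)
        if prev is not None and prev.group(2) == m.group(2):
            problems.append("same delimiter as the previous password")
    # NT4 compares passwords case-sensitively, but a guessing intruder will try every case variant
    if candidate.lower() in {fact.lower() for fact in personal_facts}:
        problems.append("is one of the obvious guesses (name/birthday)")
    return problems
```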

What about this check-box in the User-Manager:
(1) "Password Never Expires"
Although you may have defined in the policies (see above) a maximum age for a password, putting a checkmark on "Password Never Expires" overrules the policy.
That is very handy for automated systems which boot and login automatically and then run processes, all without any operator intervention. Such a system must be able to boot and login without any operator activity, as can happen after losing and regaining power.

What about this check-box in the User-Manager:
(2) "User Must Change Password at Next Logon"
If you as the Administrator have defined a new User, defining a password, and did UN-check this option, then you as the Administrator know the password of this user, which is a violation of security (because even on a system with NTFS-filesystem and ownership of files, you are able to view/use files of this user).
Put the check-mark on "User Must Change Password at Next Logon".
On the next (maybe the first) Logon (in this example from a Windows95 system to an NT-Domain Server), after logging in with the current password, a message is displayed and you need to define a new password.
Now even the Administrator does NOT know the password for this user anymore and is NOT able anymore to view/read files owned by the user on an NTFS-filesystem (unless explicitly taking Ownership).
To avoid conflicts with the Windows95 Windows-Logon when changing the Network password, see: Windows9x: Changing Network Password
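As an added example (my own code, not from the article), a Python model of the password-lifecycle settings: Maximum and Minimum Password Age from 1) and 2), Minimum Password Length from 3), Password Uniqueness from 4), and the two check-boxes "Password Never Expires" and "User Must Change Password at Next Logon". The 30-day maximum age and 1-day minimum age are assumed values, and the model assumes that a forced change is allowed even inside the minimum age.

```python
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    max_age: float = 30 * 86400   # "Maximum Password Age" in seconds (30 days: assumed value)
    min_age: float = 1 * 86400    # "Minimum Password Age": earliest time a password may be changed again (assumed)
    min_length: int = 7           # "Minimum Password Length": at least 5, better 7
    history_size: int = 10        # "Password Uniqueness": the last 10 passwords may not be re-used

@dataclass
class Account:
    password: str
    set_at: float = 0.0                        # time (seconds) the current password was set
    history: list = field(default_factory=list)
    never_expires: bool = False                # check-box (1): overrules max_age
    must_change: bool = False                  # check-box (2): forces a new password at the next logon

def password_expired(acct, policy, now):
    return (not acct.never_expires) and now - acct.set_at > policy.max_age

def logon(acct, attempt, policy, now):
    """Returns 'ok', 'bad' or 'change required' (a new password must be defined before use)."""
    if attempt != acct.password:               # case-sensitive, like NT4
        return "bad"
    if acct.must_change or password_expired(acct, policy, now):
        return "change required"
    return "ok"

def change_password(acct, new, policy, now, by_admin=False):
    """Apply the policy to a password change. Returns (accepted, reason)."""
    if not by_admin and not acct.must_change and now - acct.set_at < policy.min_age:
        return False, "changed too recently"   # a forced change bypasses min_age (assumption of this model)
    if len(new) < policy.min_length:
        return False, "too short"
    if new == acct.password or new in acct.history:
        return False, "re-used"
    acct.history = ([acct.password] + acct.history)[:policy.history_size]
    acct.password, acct.set_at = new, now
    # An Administrator who sets the password knows it, so the user must replace it at the next logon
    acct.must_change = by_admin
    return True, "changed"
```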

