NT4 User Passwords
When you worked on a Windows95 system, you did not pay too much attention to Usernames and Passwords (unless you were connected to an office server). For example, if you forgot the password, you simply logged in without Username and Password (selecting "Cancel" / "Esc" in the Login window) and then deleted the PWL file, which allowed you to enter your old Username on the next Login and to define a new Password.
Windows95/98:
both Usernames and Passwords are NOT case-sensitive
("test", "TEST", "Test", "tesT" would all be the same Username or password)
Windows NT4:
- Usernames are on Windows NT4 not case-sensitive
- Passwords are case-sensitive:
("test", "TEST", "Test", "tesT", "teSt" are all different passwords for Windows NT4!)
But now that we are working on NT, you need to use the User Manager to define new Users and to change Passwords.
And since NT allows you to run a secure system, NT offers you additional options for managing passwords (since in most environments it is only a question of time until a password becomes known to unauthorized people, so methods need to be implemented to prevent passwords from becoming known).

1) Maximum Password Age
Since it is only a question of time before a password becomes known to other people, NT can force the users to change the password after a predefined time. It is also possible to define a minimum time before a password can be changed again, see 2).
3) Minimum Password Length
Do you allow a 'blank' password or any length? Not much security, since most people will simply use their initials as password, and any intruder will always first try no password (= 'Blank' password) or the initials.
In a secure environment, passwords should be at least 5, better 7, characters in length.
4) Password Uniqueness
- You force the usage of passwords?
- You enforce the password to be changed after x days?
And what are the lazy users doing: they always use the same two passwords (most probably the name of your partner [wife/husband] and of your children) and then just switch back and forth between these two passwords (so, once a password gets known, it can be re-used by an intruder after some days).
To prevent this, the system can memorize the last 'X' passwords and will then insist that a new password is defined which was not already used in the recent past. In a secure environment, it should be set to a high value (last 10 or more).
5) Account Lockout
Somebody tries to break into your NT system: he has your username and he is guessing your password, trying:
- your birthday
- your partner's first name
- your partner's birthday
- your children's names
- your children's birthdays
(are you using one of these? Don't!)
With sufficient time, the intruder will succeed in a lot of cases (especially if the break-in attempt is made via a program which uses a dictionary of thousands of words, trying them all as your password).
Therefore, a user account should be locked after 'X' bad logon attempts.
You can define the limit of attempts within a time-frame, before the system resets the counter for such attempts. Usually, you have 3 attempts within 30 min or an hour.
6) Lockout Duration
You had an intruder trying to break into your system (or even worse: you did not remember your own password and made a few guesses) and NT locked your account: for how long?
In low-security environments: an account is usually locked for 1-2 hours, then it becomes automatically accessible again (unless you talk to the Administrator and he/she unlocks the account manually).
But in high-security environments: an account will be locked permanently; you will be required to contact your Administrator, get most probably a lecture on "Security and how important it is", and then the Administrator will unlock the account, enabling you to login again.
Suggestion for passwords:
- a length of minimum 6 characters
- define some characters as Uppercase (on an NT4 system)
- make it combinations, like:
<word1><delimiter><word2>
where word1 and word2 can be: names, dates, things
and delimiter is: +, -, @, #, _, *, %, any special non-alphanumeric character
(and on changing the password, use a DIFFERENT delimiter).
Passwords like "oakTree-12dEc55" can be easy to remember, but are almost impossible to guess, and intruders with a dictionary have almost no chance to find them.
What about this check-box in the User Manager:
(1) "Password Never Expires"
Although you may have defined in the policies (see above) a maximum age for a password, putting a checkmark on "Password Never Expires" overrules the policy.
That is very handy for automated systems, which boot and login automatically and then run processes, all without any operator intervention. Such a system must be able to boot and login without any operator activity, as can happen after losing and regaining power.

What about this check-box in the User Manager:
(2) "User Must Change Password at Next Logon"
If you as the Administrator have defined a new User, defining a password, and did UN-check this option, then you as the Administrator know the password of this user, which is a violation of security (because even on a system with NTFS filesystem and ownership of files, you are able to view/use files of this user).
Put the check-mark on "User Must Change Password at Next Logon".
On the next (maybe the first) Logon (in this example from a Windows95 system to an NT Domain Server):

after logging in with the current password, a message is displayed:

and you need to define a new password:

and now even the Administrator does NOT know the password for this user anymore and is NOT able anymore to view/read files owned by the user on an NTFS filesystem (unless explicitly taking Ownership).
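Pulling together the account policies 1) to 6) above and the two User Manager check-boxes, here is an added Python model of how those settings interact on an account (example code written for this page, not code from NT4 or from the original article). The default values (42 days, 7 characters, last 10 passwords, 3 bad logons within 30 minutes, 1 hour lockout) and all field and function names are assumptions chosen from the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Policy:                      # the NT4 "Account Policy" settings, assumed defaults
    max_age: timedelta = timedelta(days=42)            # 1) Maximum Password Age
    min_length: int = 7                                # 3) Minimum Password Length
    history: int = 10                                  # 4) Password Uniqueness (remember last X)
    lockout_threshold: int = 3                         # 5) bad logons before lockout ...
    lockout_window: timedelta = timedelta(minutes=30)  # ... counted within this time-frame
    lockout_duration: Optional[timedelta] = timedelta(hours=1)  # 6) None = locked permanently

@dataclass
class Account:
    password: str
    changed: datetime
    never_expires: bool = False    # check-box (1) "Password Never Expires"
    must_change: bool = False      # check-box (2) "User Must Change Password at Next Logon"
    old_passwords: List[str] = field(default_factory=list)
    bad_logons: List[datetime] = field(default_factory=list)
    locked_at: Optional[datetime] = None

def set_password(acct: Account, new: str, now: datetime, pol: Policy) -> str:
    if len(new) < pol.min_length:
        return "too short"
    if new == acct.password or new in acct.old_passwords[-pol.history:]:
        return "reused"            # still within the remembered history
    acct.old_passwords.append(acct.password)
    acct.password, acct.changed, acct.must_change = new, now, False
    return "ok"

def logon(acct: Account, attempt: str, now: datetime, pol: Policy) -> str:
    if acct.locked_at is not None:
        if pol.lockout_duration is None or now < acct.locked_at + pol.lockout_duration:
            return "locked"        # permanent lock, or the duration has not elapsed yet
        acct.locked_at, acct.bad_logons = None, []   # duration over: unlocked automatically
    if attempt != acct.password:   # NT4 compares passwords case-sensitively
        # keep only the failures still inside the window, then record this one
        acct.bad_logons = [t for t in acct.bad_logons if now - t < pol.lockout_window] + [now]
        if len(acct.bad_logons) >= pol.lockout_threshold:
            acct.locked_at = now
            return "locked"
        return "bad password"
    expired = not acct.never_expires and now - acct.changed > pol.max_age
    if acct.must_change or expired:
        return "must change password"   # correct password, but a new one must be set first
    return "ok"
```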
To avoid a conflict with the Windows95 Windows Logon when changing the Network password, see: Windows9x: Changing Network Password