Enforce strong passwords

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

There are several freeware utilities that allow for password changing with rules enforced. I recommend Microsoft's own utilities. The NT Server 4 Resource Kit has a utility, Passprop.exe , that enforces strong passwords. Another choice was introduced in SP2 is a DLL called PASSFILT.DLL, that does basically the same thing. (see AlphanumPwds registry setting below for another option).

Passprop lets you set a policy to require complex passwords which contain a mix of upper and lowercase letters and numbers or symbols (this functionality depends on passfilt.dll). For example, wayne123 would not be acceptable. No uppercase letter.

Passprop can also be used to make the built in administrator's account comply with account lockout policies over the network. By default, the built-in administrator account does not follow lockout policy and as such, is a wonderful target for a dictionary attack. The administrator account can never be locked out at the console. But after the number of bad password attempts set by your account policy, the administrator account will be locked out from remote access until it is unlocked in User Manager. In point of fact, a locked out built in administrator account is normally a strong indication that someone is attempting to penetrate your server or network.

There is a Windows 2000 version of passprop but you can search high and low in the Microsoft KB and not find where it is and how to get it. If you try to use the NT4 version on Windows 2000, the results are inconsistent. The W2K version of passprop.exe is in the NETMGMT.CAB found in either the Windows 2000 Pro Resource Kit or the Windows 2000 Server Resource Kit.

The internal help file:


C:\WINNT>passprop /?
Displays or modifies domain policies for password complexity and
administrator lockout.

PASSPROP [/complex] [/simple] [/adminlockout] [/noadminlockout]

    /complex            Force passwords to be complex, requiring passwords
                        to be a mix of upper and lowercase letters and
                        numbers or symbols.

    /simple             Allow passwords to be simple.

    /adminlockout       Allow the Administrator account to be locked out.
                        The Administrator account can still log on
                        interactively on domain controllers.

    /noadminlockout     Don't allow the administrator account to be locked
                        out.

Windows NT / Windows 2000 / Windows XP will accept anything as a password, including nothing. If you don't want to mess with passprop, you can set AlphanumPwds which forces alphanumeric passwords containing both alpha and numeric characters. It doesn't do anything else about password complexity or other features but its better than the defaults.

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\Network
Name: AlphanumPwds
Type: REG_DWORD
Value: 1 enabled

Related:

HOWTO: Password Change Filtering & Notification in Windows NT. See Q151082 .

Microsoft introduced Syskey to encrypt password hashes. See atips92.shtml .

Microsoft's Password Best Practices

Don't disable the built-in Administrator account. See atips40 .

If you are really serious, you could write your own Window's NT gina, Graphical Identification and Authentication DLL. The gina controls the authenication process.

See Also

Featured Links