Share via


Password Best practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Best practices

Create an extensive defense model.

  • Educate your users about how to best protect their accounts from unauthorized attacks. For more information, see Encourage your users to follow best practices for password protection.

  • Use the system key utility (Syskey) on computers throughout your network. The system key utility uses strong encryption techniques to secure account password information that is stored in the Security Accounts Manager (SAM) database.

    For more information about the system key utility, see The system key utility. For information about how to create or update a system key, see Create or update a system key.

  • Define password policy that ensures that every user is following the password guidelines that you decide are appropriate. For more information, see Define password policy so that all user accounts are protected with strong passwords.

  • Consider whether implementing account lockout policy is appropriate for your organization. For information about the risks involved in applying account lockout policy, see Be cautious when defining account lockout policy.

Encourage your users to follow best practices for password protection.

  • Always use strong passwords. For more information, see Strong passwords.

  • If passwords must be written down on a piece of paper, store the paper in a secure place and destroy it when it is no longer needed.

  • Never share passwords with anyone.

  • Use different passwords for all user accounts.

  • Change passwords immediately if they may have been compromised.

  • Be careful about where passwords are saved on computers. Some dialog boxes, such as those for remote access and other telephone connections, present an option to save or remember a password. Selecting this option poses a potential security threat.

Define password policy so that all user accounts are protected with strong passwords.

  • Define the Enforce password history policy setting so that several previous passwords are remembered. With this policy setting, users cannot use the same password when their password expires.

  • Define the Maximum password age policy setting so that passwords expire as often as necessary for your environment, typically, every 30 to 90 days. With this policy setting, if an attacker cracks a password, the attacker only has access to the network until the password expires.

  • Define the Minimum password age policy setting so that passwords cannot be changed until they are more than a certain number of days old. This policy setting works in combination with the Enforce password history policy setting. If a minimum password age is defined, users cannot repeatedly change their passwords to get around the Enforce password history policy setting and then use their original password. Users must wait the specified number of days to change their passwords.

  • Define a Minimum password length policy setting so that passwords must consist of at least a specified number of characters. Long passwords--seven or more characters--are usually stronger than short ones. With this policy setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.

  • Enable the Password must meet complexity requirements policy setting. This policy setting checks all new passwords to ensure that they meet basic strong password requirements. For a full list of these requirements, see Passwords must meet complexity requirements.

  • For information about how to apply or modify these policy settings, see Apply or modify password policy. For information about each of these policy settings, see Password Policy.

Be cautious when defining account lockout policy.

  • Account lockout policy should not be applied haphazardly. While you increase the probability of thwarting an unauthorized attack on your organization with account lockout policy, you can also unintentionally lock out authorized users, which can be quite costly for your organization.

  • If you decide to apply account lockout policy, set the Account lockout threshold policy setting to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.

  • Authorized users can be locked out if they change their passwords on one computer, but not on another computer. The computer that is still using the old password will continuously attempt to authenticate the user with the wrong password, and it will eventually lock out the user account. This might be a costly consequence of defining account lockout policy, because the authorized users cannot access network resources until their accounts are restored. This issue does not exist for organizations that only use domain controllers that are running Windows Server 2003 family operating systems.

  • For more information about account lockout policy, see Account lockout policy overview. For information about how to apply or modify account lockout policy, see Apply or modify account lockout policy.