Strong passwords

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to your organization. The Microsoft® Windows Server 2003 family has a new feature that checks the complexity of the password for the Administrator account during setup of the operating system. If the password is blank or does not meet complexity requirements, the Windows Setup dialog box appears, warning you of the dangers of not using a strong password for the Administrator account. If you leave this password blank, you will not be able to access this account over the network.

Weak passwords provide attackers with easy access to your computers and network, while strong passwords are considerably harder to crack, even with the password-cracking software that is available today. Password-cracking tools continue to improve, and the computers that are used to crack passwords are more powerful than ever. Password-cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and brute-force automated attacks that try every possible combination of characters. Given enough time, the automated method can crack any password. However, strong passwords are much harder to crack than weak passwords. A secure computer has strong passwords for all user accounts.

A weak password:

  • Is no password at all.

  • Contains your user name, real name, or company name.

  • Contains a complete dictionary word. For example, Password is a weak password.

A strong password:

  • Is at least seven characters long.

  • Does not contain your user name, real name, or company name.

  • Does not contain a complete dictionary word.

  • Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3 ...) are not strong.

  • Contains characters from each of the following four groups:

      Group                Examples
      Uppercase letters    A, B, C …
      Lowercase letters    a, b, c …
      Numerals             0, 1, 2, 3, 4, 5, 6, 7, 8, 9
      Keyboard symbols     ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /
                           (all keyboard characters not defined as letters or numerals)

An example of a strong password is J*p2leO4>F.

A password can meet most of the criteria of a strong password but still be rather weak. For example, Hello2U! is a relatively weak password even though it meets most of the criteria for a strong password and also meets the complexity requirements of password policy. H!elZl2o is a strong password because the dictionary word is interspersed with symbols, numbers, and other letters. It is important to educate users about the benefits of using strong passwords and to teach them how to create passwords that are actually strong.
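The rules above can be turned into a checker that reports which of them a candidate password breaks. The following Python script is an added example and is not part of the original Windows Server 2003 documentation, nor does it implement the "Passwords must meet complexity requirements" policy setting; it applies the page's own criteria (length, identity strings, dictionary words, incrementing previous passwords, the four character groups). Its word list, the user jsmith / John Smith / Contoso, and the rule that a password differing from a previous one only in its trailing digits counts as an increment are assumptions made for the example.

```python
import re
import string

# Symbol group exactly as listed in the table above (keyboard characters that
# are neither letters nor numerals).
SYMBOLS = set("`~!@#$%^&*()_+-={}|\\:\";'<>?,./")

# Constructed, deliberately small word list for the example; a real checker
# would load a full dictionary.
DICTIONARY = ("password", "hello", "welcome", "admin", "letmein", "dragon")

MIN_LENGTH = 7  # "at least seven characters long"


def _strip_trailing_digits(s):
    return re.sub(r"\d+$", "", s)


def check_password(password, user_name="", real_name="", company_name="",
                   previous=()):
    """Return the list of strong-password rules that `password` fails.

    An empty list means every rule from the page is satisfied.
    """
    failures = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        failures.append("shorter than seven characters")

    # Identity strings are matched case-insensitively, both whole and, for the
    # real name, word by word (assumption: per-word check of the real name).
    identity = [user_name, real_name, company_name] + real_name.split()
    if any(s and s.lower() in lowered for s in identity):
        failures.append("contains user name, real name, or company name")

    # "Complete dictionary word" is taken as a case-insensitive substring hit.
    if any(word in lowered for word in DICTIONARY):
        failures.append("contains a complete dictionary word")

    # Passwords that only increment a counter (Password1, Password2, ...) share
    # the same stem once trailing digits are removed.
    stem = _strip_trailing_digits(lowered)
    if any(_strip_trailing_digits(p.lower()) == stem for p in previous):
        failures.append("increments a previous password")

    groups = {
        "uppercase letters": any(c in string.ascii_uppercase for c in password),
        "lowercase letters": any(c in string.ascii_lowercase for c in password),
        "numerals": any(c in string.digits for c in password),
        "symbols": any(c in SYMBOLS for c in password),
    }
    missing = [name for name, present in groups.items() if not present]
    if missing:
        failures.append("missing character groups: " + ", ".join(missing))

    return failures


def is_strong(password, **context):
    return not check_password(password, **context)


if __name__ == "__main__":
    # Constructed account context for the demonstration.
    context = dict(user_name="jsmith", real_name="John Smith",
                   company_name="Contoso", previous=["Password2"])
    for candidate in ["", "Password", "Password3", "jsmith!9Qz",
                      "Hello2U!", "H!elZl2o", "J*p2leO4>F"]:
        result = check_password(candidate, **context)
        verdict = "strong" if not result else "weak: " + "; ".join(result)
        print(f"{candidate!r:16} {verdict}")
```

Run against the page's own examples, Hello2U! is reported weak only because it contains a complete dictionary word, while H!elZl2o and J*p2leO4>F pass every rule; extended ASCII characters such as those in the later examples are not counted toward any of the four groups.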

You can create passwords that contain characters from the extended ASCII character set. Using extended ASCII characters increases the number of characters that you can choose when you create a password. As a result, it might take more time for password-cracking software to crack passwords that contain these extended ASCII characters than it does to crack other passwords. Before using extended ASCII characters in your password, test them thoroughly to make sure that passwords containing extended ASCII characters are compatible with the applications that your organization uses. Be especially cautious about using extended ASCII characters in passwords if your organization uses several different operating systems.

You can find extended ASCII characters in Character Map. Some extended ASCII characters should not be used in passwords. Do not use a character if a keystroke is not defined for it in the lower-right corner of the Character Map dialog box. For more information about how to use Character Map, see Using Character Map.

Examples of passwords that contain characters from the extended ASCII character set are kUµ!¶0o and Wf©$0k#»g¤5ªrd.

You can implement a password policy setting that enforces password complexity requirements. For more information about this policy setting, see Passwords must meet complexity requirements. For information about how to apply a password policy, see Apply or modify password policy.

Windows passwords can be up to 127 characters long. However, if you are on a network that also has computers running Windows 95 or Windows 98, consider using passwords that are not longer than 14 characters. Windows 95 and Windows 98 support passwords of up to 14 characters. If your password is longer, you might not be able to log on to your network from those computers.

For more information about passwords, see Passwords.