Establishing Account And Password Requirements For Information Security

By Author: Sarah Jones
Total Articles: 60
Comment this article

Guidelines for Designing a Strong Password Policy
There are many recommendations for the Windows XP Professionalsettings that can be made in the physical password policy. Which one should be chosen and why? Follow these guidelines when designing password policy:
Consider the restrictions placed on authentication algorithms.If LM is refused and an LM password hash is not stored in the password database, pass-words are harder to crack. Where LM passwords are allowed and stored, longer passwords can be used to negate the ease of cracking LM.
Require the use of complex passwords. Leave the password policy Passwords Must Meet Complexity Requirements enabled.
Consider the history requirement and the maximum password age requirement together. Setting a maximum password age of 30 days and a
password history of 12 might allow a user to create a favorite password for each month of the year—something like "CococoOl, Cococo02, Cococo03, and so on,"
where the number in the password represents the month of the year. These passwords are complex ...
... by the complexity standard and are different, but by knowing
one of them just as the user does, an attacker can figure out what the policy is on MCP certification
almost every clay of the year. (On the other days, she is only a digit away from success. Two guesses are all that's necessary.Set an account lock out policy. But don't make your settings so restrictive that the average person can lock himself out by simply fumble-fingering his password a couple of times. More information about this subject is included in the topic that follows.
Consider the history requirements and the minimum password age requirement together. Setting a history requirement does no good if the user does not have to wait before changing her password. The user can just cycle through as many passwords as necessary to return to her favorite previously used
password. If a minimum password age requirement is used, the user can still cycle passwords but must do so over an extended period of time. For most users, this will not be attempted.
Do not enable Store Passwords Using Reversible Encryption unless you have a specific business reason to do so. If you must provide access to users
who must use systems that cannot use the Windows algorithm, provide this access by using the setting on the individual user account.Do set, or leave on, the security option Prompt User To Change Password Before Expiration. Most people find it easier to change passwords before they absolutely must do so. If this setting is not enabled, users are not warned and will suddenly have to change their password. This might
free Microsoft exam questionsresult in them having to do so under stress.