Server Administration - Best Practices
In a Nutshell - CIW Course Section 3, Part A2, Chapter 3
Password Complexity
A well-formed password is one that meets the criteria recommended by the Computer Emergency Response Team (CERT) and many leading software vendors. Such a password should conform to the following guidelines:
- Be at least six characters in length
- Contain at least one uppercase character
- Contain at least one lowercase character
- Contain at least one digit
- Contain at least one non-alphanumeric character
To ensure that a strong password is used at all times, it is the network administrator's responsibility to see that adequate policies are in place. These may be computer-based policies that enforce the use of strong passwords, but they should also involve user training and awareness of the need to observe the policies.
Password Aging
It is good practice, in addition to password complexity, to ensure that users routinely and regularly change their passwords. Passwords have a habit of becoming known over time, so changing them regularly helps to overcome this.
It's not a policy I am particularly fond of as I have a dreadful memory for passwords. In my line of work I find that I need to keep track of many passwords, so continually changing them would be an onerous task.
Local Account Policy
Most of the above features can be enforced by the local account policy. From the Start menu click:
Programs | Administrative Tools | Local Security Policy
This will display the following screen:
Microsoft, being Microsoft, has its own interpretation of what constitutes a strong password. It does not stray far from the guidelines, requiring that the password meet the minimum length and three of the remaining four conditions.
Maintaining a password history prevents a user from re-using an earlier password. This stops a user from simply alternating between two passwords when prompted to make a change.
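The following is an added worked example, not code from the course notes or from Microsoft: it implements the complexity rules from the Password Complexity list (all four character classes plus the minimum length), the Windows-style "three of the remaining four" interpretation described above, and a password history with an aging check. The policy values (history depth of 5, maximum age of 90 days) and the integer day counter are constructed assumptions chosen for illustration; a real system would read them from the local account policy.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Character classes named in the CERT-style guideline quoted in the notes.
_CLASS_TESTS = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum(),  # any non-alphanumeric character
}


def character_classes(password: str) -> set:
    """Return the names of the character classes present in the password."""
    return {name for name, test in _CLASS_TESTS.items() if any(test(c) for c in password)}


def meets_cert_guideline(password: str, min_length: int = 6) -> bool:
    """Minimum length plus all four classes, as listed in the notes."""
    return len(password) >= min_length and character_classes(password) == set(_CLASS_TESTS)


def meets_windows_complexity(password: str, min_length: int = 6) -> bool:
    """Minimum length plus any three of the four classes, the interpretation
    the notes attribute to the Windows complexity setting."""
    return len(password) >= min_length and len(character_classes(password)) >= 3


@dataclass
class AccountPolicy:
    min_length: int = 6
    windows_style: bool = False  # True: three of four classes; False: all four
    history_depth: int = 5       # constructed value: previous passwords remembered
    max_age_days: int = 90       # constructed value for the aging rule


@dataclass
class Account:
    # (salt, PBKDF2 digest) of previous passwords, oldest first. Only digests
    # are kept, so the history itself does not reveal the old passwords.
    history: list = field(default_factory=list)
    last_change_day: int = 0     # simplified clock: an integer day number


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def password_in_history(account: Account, password: str) -> bool:
    """True if the candidate equals any remembered previous password."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in account.history)


def change_password(policy: AccountPolicy, account: Account,
                    new_password: str, today: int) -> str:
    """Apply complexity and history rules; return 'ok' or the rejection reason."""
    if policy.windows_style:
        complex_ok = meets_windows_complexity(new_password, policy.min_length)
    else:
        complex_ok = meets_cert_guideline(new_password, policy.min_length)
    if not complex_ok:
        return "rejected: complexity"
    if password_in_history(account, new_password):
        return "rejected: reused"
    salt = os.urandom(16)
    account.history.append((salt, _digest(new_password, salt)))
    # Keep only the newest history_depth entries.
    if len(account.history) > policy.history_depth:
        del account.history[: len(account.history) - policy.history_depth]
    account.last_change_day = today
    return "ok"


def change_required(policy: AccountPolicy, account: Account, today: int) -> bool:
    """Password aging: True once the password has reached its maximum age."""
    return today - account.last_change_day >= policy.max_age_days


if __name__ == "__main__":
    policy = AccountPolicy(windows_style=True, history_depth=2, max_age_days=30)
    acct = Account()
    for day, candidate in [(0, "Winter2024"), (10, "Spring2024"), (20, "Winter2024")]:
        print(day, candidate, change_password(policy, acct, candidate, day))
    print("change required on day 45:", change_required(policy, acct, 45))
```

The history entries are salted so that two accounts that happen to share an old password do not produce identical stored digests, and the comparison uses `hmac.compare_digest` rather than `==`. With `history_depth=2` the alternating pattern described above ("Winter2024", "Spring2024", "Winter2024") is rejected on the third change; a deeper history forces a longer cycle before any password can return.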