Reaching Password Nirvana

Using password filters and longer passphrases will help keep your passwords from being cracked.

Any administrator would welcome a set of crack-proof passwords for all users. Such password nirvana doesn't exist, of course, but there are tools and tricks at your disposal to help you come pretty close.

It's no secret that the best way to increase the crack time for a password is to increase the password's complexity. While you can—and should—encourage your users to employ complex passwords (see the Tip Box), the trick is ensuring that they actually do it.

The most well-known way to do that is to use the Account Policies located in every Group Policy Object. Here you can configure the following password rules:

  • Minimum length: Increase to at least 14 characters.
  • Minimum age: Needs to be at least one day. This is to ensure that users can't "cycle" through the password history in minutes to get back to their original password.
  • Maximum age: Set at no more than 45 days.
  • History: Set at a minimum of 24 passwords remembered.
  • Password complexity: While this setting should be enabled, using a custom password filter is an even better solution.

A custom password filter, which can check the password for almost any rule you may want to enforce, moves your password policy to the next level. The Windows password complexity setting, for example, requires only three different types of characters. Your custom password filter could require at least one of each of the five different types of characters (upper case, lower case, numeric, non-alphanumeric [such as $, %, &] and Unicode characters).

Tip Box

In addition to using passphrases, here are some other ways to increase password complexity:

• Use spaces, to make it hard for the cracker to determine the character string.

• Add additional characters. A mediocre password such as PorscheCarerra4 becomes a very good one when it's spelled PorscheCarerra4AAAAA.

• New passwords should be significantly different from old passwords, to ensure that any cracked password can't be modified slightly to get the new password.

The problem is that complex passwords are more difficult for users to remember, which may encourage them to do the unthinkable: write their passwords down on the proverbial sticky note. On top of that, new tools like Rainbow Crack leverage pre-generated hash tables to crack passwords, even long, complex ones that use myriad non-alphanumeric characters.

A better option is to use a password filter to force users to create passwords even longer than the default Windows Password Policy of 14 characters. The trick now becomes getting users to think not about passwords, but passphrases. A passphrase like "I live in Phoenix and love the dry heat" is simple to remember yet more secure than a password such as Ph03nLx, which Rainbow Crack can crack in only a few seconds.
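The filter rules described above (one character from each of the five classes, and a minimum length beyond 14 characters) modelled in PowerShell so candidate passwords can be checked before a real filter is deployed. This is an added example, not code from the article; the 15-character minimum is an assumed value for "longer than 14", and the last candidate is constructed to exercise the Unicode class.

```powershell
# Added example, not from the article: models the two rules the article
# describes for a custom password filter so candidates can be tested before a
# real filter is deployed. The five character classes are the article's; the
# 15-character passphrase minimum is an assumed value ("longer than 14").
function Test-PasswordCandidate {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 15
    )

    # One regex per character class; -cnotmatch is used because PowerShell's
    # default -match is case-insensitive and would treat [A-Z] as matching a-z.
    # "Unicode" here means any character outside printable ASCII.
    $classes = [ordered]@{
        Upper           = '[A-Z]'
        Lower           = '[a-z]'
        Digit           = '[0-9]'
        NonAlphanumeric = '[^A-Za-z0-9\s]'   # e.g. $ % &
        Unicode         = '[^\x20-\x7E]'
    }
    $missing = foreach ($name in $classes.Keys) {
        if ($Password -cnotmatch $classes[$name]) { $name }
    }

    [pscustomobject]@{
        Password       = $Password
        Length         = $Password.Length
        MeetsLength    = $Password.Length -ge $MinimumLength
        HasAllClasses  = -not $missing
        MissingClasses = ($missing -join ', ')
        ContainsSpaces = $Password.Contains(' ')
        # An LM hash exists only for passwords of 14 characters or fewer.
        LMHashPossible = $Password.Length -le 14
    }
}

# Candidates from the article, plus one constructed sample with non-ASCII characters.
@(
    'Ph03nLx',
    'PorscheCarerra4',
    'PorscheCarerra4AAAAA',
    'I live in Phoenix and love the dry heat.',
    'Wüsten-Hitze in Phoenix 2005!'
) | ForEach-Object { Test-PasswordCandidate -Password $_ } | Format-Table -AutoSize
```

The table shows that the article's passphrase passes the length rule while the short complex password does not, and that every candidate of 15 or more characters also has no LM hash.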

Another way to ensure passwords aren't cracked is to eliminate from your computers weaker password hashes that can be easily cracked, such as the LAN Manager (LM) hash, which is stored on most Windows computers by default. To remove the LM password hash, configure the LAN Manager options in a GPO, which updates the NoLMHash value in the Registry. As a side note, if you use long passwords there will be no LM hash at all, because LM only supports passwords of 14 or fewer characters.

You should also make sure that clients don't send the LM hash across the network in an attempt to authenticate, which they can do even if you remove the hash from the client PC. Likewise, you do not want domain controllers to accept LM hash authentication requests from clients. To configure this setting, use a GPO and configure the LAN Manager authentication level, choosing one of the two options that include "refuse LM."
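A way to verify that both GPO settings have actually taken effect on a given machine, as an added example rather than anything from the article: it reads the standard LSA registry values behind the two policies (NoLMHash and LmCompatibilityLevel) and reports whether LM hash storage is blocked and whether LM authentication is refused.

```powershell
# Added example, not from the article: reads the effective LSA settings on the
# local machine and reports whether LM hashes are still being stored and whether
# LM authentication is refused, which is what the two GPO settings above control.
# The registry path and value names are the standard ones behind those policies.
function Get-LmHashPosture {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $props = Get-ItemProperty -Path $lsa

    # LmCompatibilityLevel: only levels 4 and 5 are the "refuse LM" options.
    $levelNames = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    # A missing value means no policy has set it and the OS default applies,
    # which differs between Windows versions, so it is reported as "not set".
    $level = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { $null }
    $noLm  = if ($null -ne $props.NoLMHash) { [int]$props.NoLMHash } else { $null }
    $desc  = if ($null -ne $level) { $levelNames[$level] } else { 'not set (OS default)' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        NoLMHash             = $noLm
        LMHashStorageBlocked = ($noLm -eq 1)
        LmCompatibilityLevel = $level
        LevelDescription     = $desc
        RefusesLM            = ($null -ne $level -and $level -ge 4)
    }
}

# Run on workstations, member servers and every domain controller; all should show
# LMHashStorageBlocked and RefusesLM as True once the GPO has applied.
Get-LmHashPosture | Format-List
```

Note that NoLMHash only stops new LM hashes being written; hashes already stored remain until each user next changes their password.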

The combination of password filters and longer passwords can go a long way toward helping you reach password nirvana. Just remember that longer passwords are stronger passwords, while passphrases are easier to remember and harder to crack.

More Information

Increasing Password Security on a Single Member Server

If you want to increase the password security on just a single member server, you won’t want to do this in the local Group Policy Object (GPO) of the member server. The local GPO is modified by the Default Domain Policy, which also configures the password policies. Instead, you will need to configure a GPO linked to the organizational unit where the member server computer account resides. The GPOs linked to OUs override GPOs linked at the domain level. This will give you the ability to increase the password security on the member server.

About the Author

Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., an independent consultant and speaker, and the author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek's company is often called upon to develop end-to-end Group Policy solutions for companies. Derek is the author of The Group Policy Resource Kit from MSPress, the de facto book on the subject.