Passwords

Much advice is given about passwords, and we've put a few links in the panel. It doesn't matter how long and 'unguessable' your password is if you then share it, or write it somewhere obvious such as a note stuck to the screen. You use passwords for many activities in life, so the habits below matter well beyond the University.

Spyware

Some 'spyware' includes a keylogger: a program that records everything you type, including passwords, and sends it to whoever installed it. That is another reason to follow carefully the principles set out on the main page of this website, because no password, however strong, survives being typed on a compromised machine. Your passwords give access to all the important things in your life - bank accounts, systems you have paid for - and if they are used by another person without your knowledge, you can lose out badly. If someone can carry out activities in your name, perhaps against your interests, it may cause you embarrassment at the least, or financial loss. Hackers could open credit cards in your name, apply for loans, or pretend to be you in an online chat session.

The weakest link...

User passwords are usually the weakest link in any security system: the strongest lock in the world is no use if the key is easy to guess or is left lying about. This guide to good practice will help you to maintain good security, both for you and for the University if you are a member of staff or a student. Remember, if our systems are compromised we will be forced to isolate them whilst they are purged and cleaned up, reducing their availability to staff and students alike.

Should I write it down... ?

If you can, choose something you can remember without having to write it down. However this should NOT be something that is easily guessed, such as your first name, surname, staff number or nickname. Neither should you use relatives' names, pets' names, favourite things or anything else that would be obvious to someone who knows you, or who has taken the time to do some fairly basic research on your background. If you can't remember all your passwords, current thinking suggests it does no harm, and may be a good idea, to write your passwords down - provided you keep them in a safe place (not next to the computer) and/or disguise them. Doing this makes it more likely that you will choose a complex password and (more importantly) that you will use a different password for each organisation and service for which you have an account. That way, if one gets compromised, the others are still safe.

What shall I choose... ?

Choose something as long as possible - remember the longer it is the harder it will be to crack, because every extra character multiplies the number of combinations an attacker has to try. A password of eight or more characters is significantly more difficult to crack than one of just six.

Choose a phrase or word-stem combination that cannot be found in a dictionary (of any language) or by a spell-checker. Hackers frequently succeed by systematically trying dictionaries and other word lists using an automated program. You could choose the line of a song, poem or similar, and take the first letter from each word. Example "If music be the food of love play on", becomes "Imbtfolpo".

Add non-alphabetical characters (such as 0 to 9, $, _, - etc.) into your password to increase its complexity. But choose these to an easily remembered formula - so that once again you can remember it without writing it down. Please DO NOT use | " , (pipes, double quotes or commas), or any character not found on a standard keyboard, as some systems do not handle them correctly and you may find yourself locked out.

If you use a mixture of upper and lower case characters, be very sure that you know what you have done or follow a very simple rule, as mixed case words are much harder to remember and to type.

Do not save your password into the Password box of a connection or application setup screen (the 'remember my password' option), since anyone with access to your computer, or anyone who steals it, can then log in as you without knowing the password at all.

Choose something that you can type in quickly so that anyone looking over your shoulder is unable to work out what you have typed.
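As an added example (not part of the original page), the following PowerShell function checks a candidate password against the rules above - length, no dictionary word, some non-alphabetic characters, none of the characters the page tells you to avoid, and nothing that matches personal details - and estimates how many bits an attacker would have to search by brute force. The word list and the personal terms in the usage lines are constructed for illustration; a real check should load a proper dictionary file. The mnemonic helper reproduces the "first letter of each word" method from the page.

```powershell
# Constructed word list for illustration only; replace with a real dictionary (one word per line).
$Script:SampleWordList = @('password', 'letmein', 'welcome', 'football', 'university', 'qwerty', 'music')

function ConvertTo-MnemonicPassword {
    param([Parameter(Mandatory)][string]$Phrase)
    # First letter of each word: "If music be the food of love play on" -> "Imbtfolpo"
    $words = $Phrase -split '\s+' | Where-Object { $_ -ne '' }
    return -join ($words | ForEach-Object { $_.Substring(0, 1) })
}

function Test-PasswordRules {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$WordList = $Script:SampleWordList,
        [string[]]$PersonalTerms = @()    # names, staff number, pet's name etc. that must not appear
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Rule: eight or more characters
    if ($Password.Length -lt 8) { $problems.Add("only $($Password.Length) characters; use 8 or more") }

    # Rule: not a dictionary word, even with digits/symbols bolted on
    $core = ($Password -replace '[^A-Za-z]', '').ToLowerInvariant()
    if ($WordList -contains $Password.ToLowerInvariant() -or $WordList -contains $core) {
        $problems.Add('based on a word found in the word list')
    }

    # Rule: nothing obvious to someone who knows you
    foreach ($term in $PersonalTerms) {
        if ($term -and $Password.ToLowerInvariant().Contains($term.ToLowerInvariant())) {
            $problems.Add("contains personal term '$term'")
        }
    }

    # Rule: include non-alphabetic characters
    if ($Password -notmatch '[^A-Za-z]') { $problems.Add('letters only; add digits or symbols') }

    # Rule: avoid | " , and anything not on a standard keyboard (printable ASCII)
    if ($Password -match '[|",]')         { $problems.Add('contains | " or , which some systems mishandle') }
    if ($Password -match '[^\x20-\x7E]') { $problems.Add('contains characters not on a standard keyboard') }

    # Brute-force estimate: size of the smallest character set that covers the password
    $alphabet = 0
    if ($Password -cmatch '[a-z]')          { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')          { $alphabet += 26 }
    if ($Password -match  '[0-9]')          { $alphabet += 10 }
    if ($Password -match  '[^A-Za-z0-9]')   { $alphabet += 33 }   # remaining printable ASCII
    $bits = if ($alphabet -gt 0) { [math]::Round($Password.Length * [math]::Log($alphabet, 2), 1) } else { 0 }

    return [pscustomobject]@{
        Password       = $Password
        Acceptable     = ($problems.Count -eq 0)
        Problems       = $problems.ToArray()
        BruteForceBits = $bits
    }
}

# Usage (constructed inputs): the bare mnemonic fails the "add non-alphabetic characters" rule,
# the decorated version passes; a personal term is caught wherever it appears.
Test-PasswordRules -Password (ConvertTo-MnemonicPassword 'If music be the food of love play on')
Test-PasswordRules -Password 'Imbtf0lp0_9'
Test-PasswordRules -Password 'Smith1975!x' -PersonalTerms 'smith', '1975'
```

The bit estimate assumes the attacker knows nothing about how the password was built; it is an upper bound, which is exactly why the dictionary and personal-term checks matter more than the number.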


Finally...

Last, but not least, remember this is your PERSONAL username and password. It provides authorised access to your personal systems and, if you are a student or member of staff, to University resources; anything done with it will be taken to have been done by you.

Understand and Configure the Welcome Screen and Classic Logon Screen
(http://technet.microsoft.com/en-us/magazine/ff394947.aspx)

By default, Windows 7 displays a Welcome screen when a computer is part of a homegroup or workgroup, and a Logon screen (the Log On To Windows dialog box) when a computer is part of a domain.

If you currently have the Welcome screen logon enabled on a computer you use for University work, you should disable it as described below, so that the list of account names is not shown to anyone who can reach the screen.

The Welcome screen provides a list of accounts on the computer. To log on with one of these accounts, you click the account and type a password (if one is required). Note that the Welcome screen does not display all the accounts that have been created on the computer. Some accounts, such as Administrator, are hidden from view. The Welcome screen is convenient because it displays a list of available accounts. But to enhance security in a homegroup or workgroup, you can use the Logon screen instead of the Welcome screen—therefore not displaying a list of accounts.

The Logon screen requires users to type a logon name rather than selecting an account from a list of available accounts. The Logon screen has several features that you can control. By default, the name of the last user to log on is displayed in the User Name field of the Log On To Windows dialog box. You can improve security by hiding the user name of the last user to log on. Instead, users will need to know a valid account name for the computer. To do this, start the Local Security Policy tool from the Administrative Tools menu or type secpol.msc at an elevated command prompt. Then, under Local Policies\Security Options, double-click Interactive Logon: Do Not Display Last User Name. Click Enabled, and then click OK.

You can configure whether the Welcome screen is used through the Always Use Classic Logon setting in Group Policy. For this, you have the following options:

  • Enable the policy to use the Logon screen rather than the Welcome screen.
  • Disable the policy to use the Welcome screen.
  • Use Not Configured to use the default configuration (the Welcome screen).

In a domain environment, you can use Active Directory-based Group Policy to apply the security configuration you want to a particular set of computers. You can also configure this setting on a per-computer basis by using local security policy. To configure a homegroup or workgroup computer to use the Logon screen rather than the Welcome screen, use the Group Policy Object Editor, which is an MMC snap-in. You can add this snap-in to an empty console and configure a computer to use the Logon screen by following these steps:

1. Click Start, type gpedit.msc, and then press Enter. This opens the Local Group Policy Editor with the top-level Local Group Policy object open for editing.
2. In the editor, expand Local Computer Policy, Computer Configuration, Administrative Templates, System, Logon.
3. Double-click Always Use Classic Logon.
4. Select Enabled, and then click OK.

In a domain, by default users are required to press Ctrl+Alt+Del to access the Log On To Windows dialog box. You can eliminate this requirement, but it is a poor security practice. To do so, in the Local Security Policy tool, expand Local Policies\Security Options, and then double-click Interactive Logon: Do Not Require Ctrl+Alt+Del. Click Enabled, and then click OK. But, we do not advise disabling this option.

From the Microsoft Press book Windows 7 Administrator’s Pocket Consultant by William R. Stanek.
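The three settings above (Always Use Classic Logon, Do Not Display Last User Name, and keeping Ctrl+Alt+Del required) are written by Group Policy to DWORD values under the local machine's policy key. As an added example, not from the TechNet article or the Stanek book, the following PowerShell audits those values and can apply the recommended ones on a workgroup computer. Run it from an elevated prompt; on a domain member a domain GPO will overwrite local values at the next policy refresh, so make the change in the GPO instead.

```powershell
# Policy registry values behind the three logon settings discussed above:
#   LogonType               0 = classic Logon screen ("Always Use Classic Logon" Enabled)
#   DontDisplayLastUserName 1 = "Interactive logon: Do not display last user name" Enabled
#   DisableCAD              0 = Ctrl+Alt+Del still required ("Do not require CTRL+ALT+DEL" Disabled)
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$DesiredLogonSettings = @(
    [pscustomobject]@{ Name = 'LogonType';               Desired = 0; Policy = 'Always Use Classic Logon' }
    [pscustomobject]@{ Name = 'DontDisplayLastUserName'; Desired = 1; Policy = 'Interactive logon: Do not display last user name' }
    [pscustomobject]@{ Name = 'DisableCAD';              Desired = 0; Policy = 'Interactive logon: Do not require CTRL+ALT+DEL' }
)

function Get-LogonScreenSetting {
    param([Parameter(Mandatory)][string]$Name)
    # $null means the value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-LogonScreenHardening {
    # Audit: one row per setting. An absent value is reported as non-compliant even where the
    # default happens to be safe (Ctrl+Alt+Del on domain members), because setting it explicitly
    # makes the requirement independent of domain membership.
    foreach ($s in $DesiredLogonSettings) {
        $current = Get-LogonScreenSetting -Name $s.Name
        $shown = 'Not Configured'
        if ($null -ne $current) { $shown = $current }
        [pscustomobject]@{
            Policy    = $s.Policy
            Value     = $s.Name
            Current   = $shown
            Desired   = $s.Desired
            Compliant = ($current -eq $s.Desired)
        }
    }
}

function Set-LogonScreenHardening {
    # Apply the desired DWORDs (administrator rights required); Set-ItemProperty creates the
    # value if it does not yet exist. Changes take effect at the next logon screen.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($s in $DesiredLogonSettings) {
        Set-ItemProperty -Path $PolicyKey -Name $s.Name -Value $s.Desired -Type DWord
    }
    return Test-LogonScreenHardening
}

# Usage: audit first, apply only if something is non-compliant.
$audit = Test-LogonScreenHardening
$audit | Format-Table -AutoSize
if ($audit | Where-Object { -not $_.Compliant }) {
    Write-Host 'Non-compliant settings found; run Set-LogonScreenHardening from an elevated prompt to apply them.'
}
```

Writing the registry values directly is equivalent to what the Local Group Policy Editor does when you click Enabled or Disabled, but the editor remains the better tool for a one-off change because it shows you the policy's explanatory text; the script is for checking a fleet of workgroup machines consistently.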