Tips and Tricks
Reaching Password Nirvana
Using password filters and longer passphrases will help keep your passwords from being cracked.
Any administrator would welcome a set of crack-proof passwords for all users.
Such password nirvana doesn't exist, of course, but there are tools and tricks
at your disposal to help you come pretty close.
It's no secret that the best way to increase the crack time for a password
is to increase the password's complexity. While you can—and should—encourage
your users to employ complex passwords (see the Tip Box),
the trick is ensuring that they actually do it.
The most well-known way to do that is to use the Account Policies located
in every Group Policy Object. Here you can configure the following password
- Minimum length: Increase to at least 14 characters.
- Minimum age: Needs to be at least one day. This is to ensure that users
can't "cycle" through the password history in minutes to get back to their
- Maximum age: Set at no more than 45 days.
- History: Set at a minimum of 24 passwords remembered.
- Password complexity: While this setting should be enabled, using a custom
password filter is an even better solution.
A custom password filter, which can check the password for almost any rule
you may want to enforce, moves your password policy to the next level. The Windows
password complexity setting, for example, requires only three different types
of characters. Your custom password filter could require at least one of each
of the five different types of characters (upper case, lower case, numeric,
non-alphanumeric [such as $, %, &] and UNICODE characters).
addition to using passphrases, here are some other ways to
increase password complexity:
• Use spaces, to make it hard
for the cracker to determine the character string.
• Add additional characters.
A mediocre password such as PorscheCarerra4 becomes a very
good one when it's spelled PorscheCarerra4AAAAA.
• New passwords should be significantly
different from old passwords, to ensure that any cracked password
can't be modified slightly to get the new password.
The problem is complex passwords are more difficult for users to remember,
which may encourage them to do the unthinkable: write their passwords down on
the proverbial sticky note. On top of that, new tools like Rainbow Crack leverage
pre-generated hash tables to crack passwords; even long, complex ones that use
myriad non-alphanumeric characters.
A better option is to use a password filter to force users to create passwords
even longer than the default Windows Password Policy of 14 characters. The trick
now becomes getting users to think not about passwords, but passphrases. A passphrase
like "I live in Phoenix and love the dry heat," is simple to remember yet more
secure than a password such as Ph03nLx, which can be cracked with Rainbow Crack
in only a few seconds.
Another way to ensure passwords aren't cracked is to eliminate from your computers
weaker password hashes that can be easily cracked, such as the LAN Manager (LM)
hash stored on most Windows computers by default. To remove the LM password
hash, you need to configure the LAN Manager options in a GPO, which will update
the Registry for the NoLMHash value. As a side note, if you use long passwords,
there will be no LM hash, because it only supports passwords that have 14 or
You should also make sure that clients don't send the LM hash across the network
in an attempt to authenticate, which they can do even if you remove the hash
from the client PC. Likewise, you do not want domain controllers to accept LM
hash authentication requests from clients. To configure this setting, use a
GPO and configure the LAN manager authentication level, choosing the two options
that include "refuse LM."
The combination of password filters and longer passwords can go a long way
toward helping you reach password nirvana. Just remember that longer passwords
are stronger passwords, while passphrases are easier to remember and harder
Increasing Password Security on a Single Member
If you want to increase the password security on just a single member server,
you won’t want to do this in the local Group Policy Object (GPO) of the
member server. The local GPO is modified by the Default Domain Policy, which
also configures the password policies. Instead, you will need to configure a
GPO linked to the organizational unit where the member server computer account
resides. The GPOs linked to OUs override GPOs linked at the domain level. This
will give you the ability to increase the password security on the member server.
More Information on Rainbow Crack
Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., as well as an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of the The Group Policy Resource Kit by MSPress, which is the defacto book on the subject.