User passwords vs. administrator passwords
A general user account can get away with a less complex password than an administrator; an admin account should be longer and more random in nature. Since administrators have more powerful accounts, they are a greater target for some attacks. This is not to say that a general user is not a target. They always are, as they tend to have weaker passwords.
Always make any regular password at least 8 to 10 characters long, including upper and lower case letters, as well as numbers and punctuation. Administrative passwords should be longer, more complex, and changed often.
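The two tiers above can be expressed as a small policy check. This is an added example, not code from the article: the user tier uses the article's figures (8 characters minimum, all four character classes), while the 14-character admin minimum is an assumption chosen for illustration.

```python
import string

# Minimum requirements per account type. The "user" figures follow the
# article (8 characters, mixed case, digits, punctuation); the "admin"
# minimum of 14 is an assumed value for illustration only.
POLICY = {
    "user": {"min_length": 8, "classes": 4},
    "admin": {"min_length": 14, "classes": 4},
}

# Character classes a password is expected to draw from.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}


def check_password(password: str, account_type: str = "user") -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    rules = POLICY[account_type]
    problems = []
    if len(password) < rules["min_length"]:
        problems.append(f"shorter than {rules['min_length']} characters")
    present = [name for name, chars in CLASSES.items()
               if any(c in chars for c in password)]
    missing = [name for name in CLASSES if name not in present]
    if len(present) < rules["classes"]:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for pw, kind in [("tammy1", "user"), ("Tr0ub4dor&3", "user"), ("Tr0ub4dor&3", "admin")]:
        print(kind, repr(pw), check_password(pw, kind) or "ok")
```

The same password can pass as a user password and fail as an admin password; the check reports every violation at once so the user can fix them in one go rather than being rejected repeatedly.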
Password aging
Different companies have different business rules for how long a password can ‘live’. This should be different for different types of accounts. Getting general users to change their passwords monthly is only going to encourage weak passwords (tammy1, tammy2, tammy3) as they try to circumvent the extra work of creating and remembering new passwords all the time.
Administrator accounts, however, carry more responsibility, and their passwords should therefore be changed more often.
When an account password is aging, it is always a good idea to have a grace period. If you log in during a meeting and your system says it’s time to change your password (NOW!) you are not going to have the time or frame of mind to come up with a decent, memorable password. You might type in some gibberish and write it down, and swear under your breath that this always happens at a bad time, as you have a meeting to run.
A grace period of 3 to 5 logins will fix that. The user knows that it’s time to start thinking of a new password, but they are given some time to think about it.
Give passwords to users or let them make their own?
Do not reuse passwords
Your system should track user passwords, and never let a password be reused once it expires. In addition, it should check for variations that are too similar. For example, if an account had T0my2Tone as a password that expired, they would not be allowed to use T0my2Tone2000 later, as it is too similar.
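One way to implement both rules (no reuse, no near-variants) while never storing old passwords in the clear. This is an added example, not the article's code: expired passwords are kept only as salted PBKDF2 hashes, so exact reuse is detected by hashing the candidate; the similarity test can only be run against the password the user is currently typing in to authorise the change, since that is the only one available in plaintext. The history depth of 24 and the similarity threshold of 0.7 are assumed values.

```python
import difflib
import hashlib
import os
from typing import Optional

# Tunable limits; both values are assumptions for illustration.
HISTORY_DEPTH = 24        # number of expired passwords remembered per account
SIMILARITY_LIMIT = 0.7    # difflib ratio above which a change is refused


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordHistory:
    """Salted hashes of expired passwords, used to refuse reuse."""

    def __init__(self):
        self._entries = []   # list of (salt, digest) tuples

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]   # keep only the newest entries

    def was_used(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self._entries)


def too_similar(old: str, new: str) -> bool:
    """Catch T0my2Tone -> T0my2Tone2000 style variations.

    Needs the old password in the clear, so it is applied to the current
    password supplied at change time, not to the hashed history.
    """
    a, b = old.lower(), new.lower()
    if a in b or b in a:          # one is a prefix/suffix/infix of the other
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() > SIMILARITY_LIMIT


def validate_change(history: PasswordHistory, current: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None when the new password is acceptable."""
    if new == current or history.was_used(new):
        return "password was used before"
    if too_similar(current, new):
        return "new password is too similar to the current one"
    return None


if __name__ == "__main__":
    h = PasswordHistory()
    h.remember("T0my2Tone")   # constructed sample from the article
    print(validate_change(h, "T0my2Tone", "T0my2Tone2000"))
    print(validate_change(h, "T0my2Tone", "Zebra!9Quilt"))
```

Because the similarity rule only sees the current password, a user could still cycle back to a near-variant of a password from several changes ago; the exact-reuse check over the full history is what closes that gap for identical passwords.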
No identifiable information in a password
Passwords should never be based on anything related to the user. They should not include anything like the account or server name, the username, or personal information.
Longer passphrases
Another approach that some people take is a passphrase. You might choose a sentence like Happy Birthday, Mr. President and then mess it up a little bit with a date or something like H@pyB1rthDAY,_mr.PREsident!-19May1962.
Other resources:
http://www.microsoft.com/technet/security/smallbusiness/prodtech/WindowsXP/select_sec_passwords.mspx