
Automatically generate and assign strong passwords in Windows XP

In order to keep your system secure, it's important to regularly change passwords. If you're having trouble coming up with a strong password, Windows XP can generate one for you. Greg Shultz shows you how.

Computer users consistently use very simplistic logic when creating passwords. For example, many of us choose meaningful words, personal dates, or a word commonly found in the dictionary because it makes the password easy to remember. These common practices cause us to sacrifice the security that passwords are intended to provide.

If you're really at a loss when it comes to thinking of a strong password, you can let Windows XP create and assign a random password to your account. To let Windows XP generate your password, follow these steps. (Warning: Before you follow these steps, please be sure that you are paying careful attention and are ready to actually use a password that might not be as memorable as you're accustomed to! Also, you cannot use this tip on a Windows Server domain.)

  1. Open a Command Prompt window and type:
     net user username /random
     (replace username with your login account name)
  2. Press [Enter]. Windows XP will randomly generate a secure password, as well as assign that strong password to your account. Windows XP will also display the strong password so you can remember it.
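The two steps above, packaged as an added example: a small batch script that is not part of the original tip and not Microsoft's code. It refuses to act when you are logged on with a domain account (the tip is for local accounts only), confirms the local account exists, runs net user /random, and then reads the account's "Password last set" line back so you can see the change was recorded. The script name, the optional account-name argument and the wording of the messages are my own assumptions; it relies only on net.exe and findstr.exe, which ship with Windows XP.

```batch
@echo off
REM Added example, not from the original tip or from Microsoft: wraps
REM "net user <account> /random" with the checks the tip leaves to the reader.
REM Assumes Windows XP cmd.exe with net.exe and findstr.exe (both standard).
REM Usage:  rotate-local-password.cmd [account]   (defaults to the current user)
setlocal

if "%~1"=="" (
    REM The tip only applies to local (standalone or workgroup) accounts.
    REM On such a machine USERDOMAIN is the computer name; when it is a domain
    REM name, the logged-on account is a domain account and this tip cannot
    REM change it, so stop with a clear message instead of a confusing error.
    if /I not "%USERDOMAIN%"=="%COMPUTERNAME%" (
        echo You are logged on with domain account %USERDOMAIN%\%USERNAME%.
        echo This tip only changes local accounts; pass a local account name instead.
        exit /b 1
    )
    set "ACCOUNT=%USERNAME%"
) else (
    set "ACCOUNT=%~1"
)

REM Confirm the local account exists before touching it. "net user <name>"
REM returns a non-zero exit code when the name is unknown.
net user "%ACCOUNT%" >nul 2>&1
if errorlevel 1 (
    echo No local account named "%ACCOUNT%" on %COMPUTERNAME%.
    exit /b 1
)

REM Generate and assign the random password. net.exe prints it exactly once as
REM   Password for <account> is: xxxxxxxx
REM It is shown directly rather than captured into a variable, because
REM punctuation in the generated password could be mangled by cmd.exe parsing.
echo Generating a random password for %ACCOUNT% ...
net user "%ACCOUNT%" /random
if errorlevel 1 (
    echo Password change failed. Changing another account's password requires an administrator.
    exit /b 1
)

REM Verify from the account record that the change was recorded just now.
echo.
net user "%ACCOUNT%" | findstr /C:"Password last set"
echo.
echo Note the password before closing this window, then create a Password Reset Disk
echo (Control Panel, User Accounts, your account, Prevent A Forgotten Password).
endlocal
exit /b 0
```

Run it from a Command Prompt as the account you want to change, or as an administrator with the target account name as the first argument. The domain check only inspects the current logon session, so on a domain-joined PC you can still rotate a purely local account by naming it explicitly.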

At your discretion, you may want to create a Password Reset Disk at this point. This disk will allow you to gain access to your computer in the event you forget your password. Here's how to create the disk:

  1. Open the Control Panel and double-click the User Accounts tool.
  2. Click your account icon.
  3. Select Prevent A Forgotten Password under Related Tasks.
  4. Follow the instructions provided by the wizard.

Note: This tip applies to both Windows XP Home and Windows XP Professional systems in either a standalone or peer-to-peer workgroup configuration.


About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

63 comments
AbbyD

There is another way to create strong passwords and it's very easy to remember, too. I am not a computer pro but I read a lot and years ago I read of a foolproof password code that was very easy to use. All you do is add at least one symbol to the password sequence in ASCII code. For instance the Heart symbol ♥ in ASCII is Alt + 3. Hold down the Alt key and hit the number 3 on the number keypad. This combination of two keystrokes produces a single entry in the password field and can be added to common alpha/numeric entries. I have been told it cannot be broken. I can see a lot of guys creating passwords such as: "I♥Mary" or whoever your significant other may be.

deyamag

A new datum, thank you.

cynic 53

The problem here is that people think in words rather than numbers or symbols, dates of birth, phone and payroll numbers excepted. Let them choose their own passwords and change them as often as deemed necessary and you have some degree of safety. However if the system forces something from the Planet Xarg on them such as %5Op^zlf they will either forget it quickly and lock themselves out of their PC, or write it down somewhere. That is fine if in a diary or pocket book kept on their person or in their purse but many will write it on a pad left in their desk drawer or even on their desk for anyone to see. A common-sense approach is needed. In my case when forced to change my password at work I will choose something like the name of a teacher or pupil at my school, 40 years ago now, known to me but not to other workers.

mms911

Concerning Prevent A Forgotten Password: it always asks me for a floppy drive, but I don't have one. What should I do? Or are there any workarounds for this major problem? Thanks in advance.

daprez

This tip is both confusing and inaccurate. It doesn't seem to work and if it did, it would cause more grief than good for my clients.

anthony.rhill

Sadly this does not work if, like most computers, you do not have removable media - it seems a CD-RW is not considered as such.

LisaR

Sounds like an awesome util but not avail on my XP Pro SP2 PC. Does not appear as an option.

benzbadr

For the large organization I work for, I am trying to program a service application that will generate, at every interval of time, a password for the local administrator account based on a function of the computer name and datetime; but I am actually stuck on the NetUserSetInfo Windows API function. If you want to help me develop this program, send me an email.

Gopal Saini

That is really wonderful.... genuine... Please post this kind of tool which we can use to secure our local system.

kiran.bhanushali

I can't find Prevent A Forgotten Password under Related Tasks.

gupta.boggaram

I am a Win XP Prof SP2 user and both tips did not work for me.

marchred

Nice article - well written, lucid and founded on good "technical grounds" but IMHO a load of crap. People use familiar passwords because they can remember them - otherwise they will be forever ringing the Help Desk to get their password reset. Automatically generated nonsensical passwords will lead to one of two issues. Either users continually forgetting them and having to ask for a reset OR the users will write the password down - typically on a "Post-it" note attached to their monitor. So, the solution is to take into account the fact that users are human - shame really, for if they were not, systems would run a lot better. It's about educating people about passwords and in particular the implications of disclosure - e.g. if you give your bank account PIN to someone they can act on your account; similarly, if someone has your password they ARE you from a system perspective. Then teach them how to create a strong password using the criteria for your organisation - e.g. "Yes, it's OK to have Auntie Mary's bird's name, but also tack on the characters for your birth month on the keyboard, such as ')%' for May?" Users are not demonic, they just need to understand why they should do something ... i.e. WIFM. And if they choose not to accept the advice then they have to suffer the consequences. I'm sure I'll upset the sysadmins but I think in this case education rather than regulation is the way to go.

netzach

So few of the new systems - especially laptops - have floppy drives. Or parallel ports or serial ports. "Non-legacy" I believe they call them. Tool won't run if you got no floppy!

markcnz

Use an integrated token such as SafeWord that generates the access key and replaces the password.

billballew

Within a corporation this is unfortunately necessary. The idiocy comes in with managing my 56 passwords with about 14 of them requiring changing on some time basis without being able to repeat passwords. Corporate security tells us "do NOT write down your passwords so they can be easily found" Duh..What idiocy is this? Most commonly we put them into a word or excel file and store them on the desktop for easy access, or hide them in a directory with a clever name like ... duh.. "passwords" OR; more often the clerks will type them out, print and delete the file and tape it to the elbow board on the desk (it closes you see..) This is necessary for storing the password that allows you to sign onto your computer in the morning anyway. The typed list can be two pages long because you have to keep all the passwords you have used in antiquity. I have one system that never ages off old used passwords. I have been using the system for about 6 years and changing passwords every 6 weeks. I keep in an excel spreadsheet on my desktop for easy access. I call it "dont open this file" (clever huh?) The idiocy is the illogical nature of the whole thing. Difficult passwords are no problem for us because we can always find it when we need it. OR - I can get it reset by an administrator ...as long as I don't reuse an old one. An addition to the list. Thus you see, my 56 password list is in reality over TWO HUNDRED (200) now. Believe it or not, there are no repeats.

Cloudberry

I worked a couple of years ago in a big drug company as IT support. The IT manager didn't follow the company password policy. All passwords were made by his 'logic': same word + last number from username. I was the one who started to talk about security. Guess what happened. I was accused of abusing my administrator position, that I have access to all data and I have the possibility to use it against the company. And I was fired! And you are talking about how to get users to understand the meaning of strong passwords! (The IT manager is still there.)

tammy.nusyaputera

The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

Scottthetech

This is for stand alone or peer to peer, not domains. Why would you want a secure password on your home computer? If this worked on my Windows domain, I might be impressed.

gpatterson

Try logging on as administrator type net user 'username' /random /domain

Understaffed

There should be a TR Lite for articles like this that don't apply to professional installations ;)

Gopal Saini

Hey Kiran, if you are not able to find this there in Related Tasks, then I think your PC is on a domain. That applies to a local computer or in a workgroup. You can check this out on your home PC or any of your friends' PCs at home. When you open Users and Computers from Control Panel, in the left pane you will find this option. Please check this out and tell it to us.

mirossmac2

For me it's second in a list of four. I'm still with SP2 and updates; maybe that's it?

ElGeeko

Security is the antithesis of convenience - there's no changing that. Some users WILL write down passwords - no amount of ranting on our part will change that. The more secure the password, the less convenient it is for the user - that's the way it is. ALL security comes down to physical security - if you don't realize that, get up to speed or get out of the business. Given the above, I've found I get much better compliance by telling them to write their password(s) down and keep them in a reasonably secure place, preferably on their person. You're much better off if the sticky note is on the back of their driver's licenses rather than the bottom of their keyboards.

tjacobs04

The obvious conclusion is that such super "strong" passwords are the weakest imaginable. I'd bet nearly every company with such a policy has at least a few people writing them down and sticking them to the monitor or something only slightly less obvious. Security only works if it's usable.

marketingtutor.

of admin time and leg work. And given the tendency most users have for writing long passwords down, I would wager that biometrics are safe, even if there are ways to copy someone's thumb print. Heck, for that matter, use a multi-stage biometric authentication. Like the user has to use three different fingers in a particular order. So Joe has to scan R-Thumb, L-Pinky, and then R-Middle. Then combine that with the standard 3 strikes and you're locked out, and it's even more secure. Maybe toss voice printing on top of that. Three fingers and "Hello" and you're in. Most monkeys can remember that better than $iW.q1

dlfarr21

Any IT manager who doesn't care about security doesn't deserve to have the position. I would go to the top of the management chain.

V.H. Scarpacci

If the IT manager wants to incorporate strong passwords but meets resistance at the upper management level, what then?

PoconoChuck

I agree with Tammy that this method isn't good enough for the most secure environments (the Defense standard leaps to mind as an example: min 10 char, alphanumeric, extended keys, at least 5 past in history, etc.). However, certainly for WinXP_HE market and small businesses, it is usable.

dellison99

There is no benefit in having a password that is difficult to remember. If our users took this advice we'd spend our lives resetting passwords and/or they'd all tape a post-it with their password on it to their monitor. If someone lacks the imagination to think of something that isn't a dictionary word, they shouldn't be using a computer at all and probably shouldn't be in their job. If any of ours have no brains and can only think of names of dogs/children/football teams, we advise them to try this... Join two words with a number and chuck in a capital or punctuation, e.g. cat2Dog_, or choose the initial letters of the last book or film you saw/read and drop in some numbers, e.g. One Flew Over the Cuckoo's Nest = Ofotcn123. The most awful password I've ever seen was something like N1a9m6e5 because although it is easy to remember and hard to guess it is also hard to type since you have to use both halves of your brain simultaneously. End of lecture.

dask

When I employed a version of SCO UNIX in the early 90s, the system had the facility to provide non-words of up to 11 characters that could be pronounced, like "apretextion". I guess Microsoft is getting there. We can expect improvements.

jamie.fisher

I cannot but agree with the majority of the posts above. I issued the command 'net user username /random' and received the output as follows: h3a_4zCC. Certainly the IT Security roles I've held previously in corporates would have abruptly rejected such a password as secure for their enterprise users. It's possibly a nice-to-have for a SOHO but nowhere near strong enough for corporate environments. If anyone has information as to the cryptographic soundness of the algorithm or the randomness of the output, I'd be delighted to hear.

nshmakov

I suppose they cannot execute this command

rsimanski

I'm a computer consultant who specializes in home and home-office users. I encourage my clients to use the Windows logon screen, which requires a password. I also recommend that they write down the password and store it in a safe place, away from the computer. I recommend that they do this for all of their passwords. Unfortunately, some of them don't take my advice and write them down. This presents problems when we have to reinstall software or create a new e-mail account. By all means, write the darn things down. Just don't leave them where someone else can find them very easily. When it comes to registering at Web sites, I use RoboForm, which generates strong passwords. I copy the password to the clipboard, log out, then log in again and paste in the new password. RoboForm will capture the login information and offer to log me in the next time that I visit the site. From time to time, I print out the RoboForm list and store it in my file cabinet.

ike brasil

... to remember a strong password randomly generated???

Realvdude

I've been doing things like this to thwart the intelligent guessing of passwords as well as dictionary attacks, but have recently added case changes and extended characters to my passwords. While I'm an advocate of changing passwords frequently, I don't do this as often as I should. On the upside, most of the hosted services I use will lock out my account for anywhere from 10 to 72 hours, and allow me to call and verify myself to reset the lock. Since I don't use the same password with multiple services, I have unintentionally tested this.

Ian Gregory

Mine are generated by a small programme called PassGen - PasswordGenerator v2.1 - this allows the generation of random passwords of up to 20 characters, in any of 4 different types: 1 upper case, 2 lower case, 3 numerals and 4 special characters. I tend to use these on documents where I want to put them in the public domain, but wish to prevent access to the main part of the document. PassGen may be found in the download section of ZDNet, and is a freeware product. However, for normal day-to-day work, I tend not to use them but use a shorter more memorable password, though that does not reflect such things as birth dates. Even sensitive files like my personal bank files are not passworded; instead I keep them safe on a flash drive, only plugging in this drive when that data is needed.

gpatterson

It does work if you are an admin and use the /domain switch.

t_c

Well I agree that better passwords than 'welcome' or 'letmein' are required, I've been in a corporation for over 12 years and not once has there been an issue, however we've gone to RSA Fobs which in some ways, is LESS secure as some people even tape their fobs to monitors so they don't forget them! This along with V-Go guarantees access to 'everything' once they are signed in. Funny thing, is it just keeps the honest people honest, we've sent our drives out for recovery many times and the truth of it, is they don't even need our passwords to get the data!

PoconoChuck

If the upper management is against strong passwords, then do yourself a favor and provide a paper trail detailing such. If/when there's a loss directly traceable to easily hacked passwords, you'll be in a better position to defend yourself. The big dogs may still axe you, but that's a foregone conclusion without a paper trail.

marketingtutor.

Yes, must agree, this will work for home/SOHO users, but DoD would reject it outright. Those MILSPEC passwords are insane.

wingedadmin

SCO didn't originally ship with a GUI, or long file name support. What is the SCO market share? And lastly, if one computer can generate a random "word," another computer can guess it. Now if I could only get Windows to generate random words, sue every company in America, then drop off the face of the planet, it would be a great OS!

Ian Gregory

Entitled "I do use strong passwords", that should help.

UplinkSpider

So much for the tip but what about Domain Users? Not applicable huh?

gregtheodosis

I've been using this for about 2 years now and can't get along without it. I was using Password Safe from Schneier/SourceForge. RoBo is much easier to use and it's encrypted quite well. You have a selection {DES/AES/3DES/RC6/BLOWFISH}. Oh and they're both free.

Ian Gregory

Simple. They are also kept in a Word doc file on the flash drive; this is passworded, though not a very strong one, since I have to remember it, and is stored along with a set of disposable e-mail addresses on the removable flash drive.

marketingtutor.

I think passwords, and strong ones at that (10+ char in length, mixed case alphanumeric, extended characters, punctuation, etc) are a very good start, but there is much more to a comprehensive security plan. It is also VERY important to take into account WHERE a given login is allowed to occur from, and during WHAT hours. Biometrics are also very useful for those people that tend to sticky note anything they need to remember. RFID, nope, wouldn't touch it for access systems. It's too easy to fake/spoof.

AbbyD

See entry below

SingerGuy

As a systems admin I have a dozen or more accounts that run on my domain for admin tasks, such as automated processes, backup account, LDAP lookups, etc. If I have to fire a member of our admin team and regenerate passwords for one or more of these process user accounts, this method saves me from having to constantly think them up. Or, I could just keep using my random password generator program like I've done for years.

gpatterson

Isn't it more correct to say 'all' users...

RFink

The end user has no clue what his password is. As an admin I don't want to know any user's password. Some users think we exist to mess up their lives. Why give them ammo?

fons

I've been using (and encouraging people on our network to do the same) a system like that for many years. I Live at 45a Eureka Street Kalgoorlie Western Australia becomes 1L@45aeskwa. The best part is that you can create an endless list of meaningful mnemonics that will create good passwords that are easy to remember and, I hope, hard to crack.

MiddleAgedNewbie

Use several chunks of 4-6 characters, and passwords are not that hard to remember. I usually use about 14-18 characters total, bits of acronyms and number strings, and just log in and out several times to get it memorized. As I understand it, length of a password is the best safeguard, as long as the content is not too obvious.

marketingtutor.

In my experience, there are really only two kinds of passwords, weak and strong ones. Most of the typical 9 to 5 employees will fight against real good strong passwords. They want something they can remember, and if you give them a good cryptic password with mixed case, punctuation, and numbers, they are more than likely going to head on over to the stack of post-it notes and scribble it to stick somewhere. I guess I could say there is a middle ground for good strong passwords, but that adhere to the concept that they are pronounceable. Like KaK.9er.seD (pronounced Cack-point-niner-point-said). There is a point where users must be put through some lashings to require that they learn password memorization skills. I run my own business and have a myriad of servers to log in to all of the time. So there is a point where I use my handy PDA with SplashID to keep an encrypted DB of all my important data including passwords and financial data. But for the servers that I access regularly, I can remember all the passes no matter what they are. Like one of my client's server passwords is 7bW*q.62YxO. Now that may seem bad, but you just need to spend some time, maybe 15 minutes, learning the password, and it's there for good. I link that password sequence in my mind to the picture of the server, the person's name, and their IM pic, and can only remember it if I am typing it out on a keyboard. Don't ask me how that works :-)

lmayeda

To help users come up with "reasonably strong" passwords I've suggested various "recipes" in addition to the "sentence" one suggested above. Use of their name (if longer than 6 char) and substituting numbers/special characters for letters: i.e. "William" would become "Wi11i@m" ... using "1" in lieu of "L". For their pet dog "Buster", I'd add K9 (canine) and get "K9buster". Use of phrase: "Get Real" becomes "G3TR3AL". Phrase: "This computer belongs to me" becomes: "Tcb2me". Any other good easy to remember password recipes?

jo.case

If you manage users that don't know what a strong password is and a CEO that doesn't want the random easy to forget password, then teach your user to create a password that is a sentence. The first letter of each word in the sentence will be their password. Numbers should also be used with punctuation. The resulting password should be checked to make sure it didn't inadvertently produce a dictionary word. People can remember a sentence easier than random characters. OK tell me what's wrong with that!

rlambertsc

This is real life, not Mission Impossible. - R
