Increase Vista security by setting expiring passwords

Changing your password on a regular basis is a good way to enhance the security of your Vista system. Here's how to configure your Vista machine to limit the life of a password, forcing changes at set intervals of your choice.

In the January 29 edition of the Windows Vista Report, Lock Down Your Windows Vista Logon Tight And Then Even Tighter, I showed you two techniques that you can use to lock down a Vista logon. As you may remember in the first technique, you have to press [Ctrl][Alt][Delete] before you can see the regular Welcome screen, click your icon and type in your password. In the second technique, you have to press [Ctrl][Alt][Delete] and then have to type in both your username and password.

While both of these techniques offer enhanced security over Vista's default logon procedure, neither of them is very good if your password ends up being compromised. However, you can employ another security technique if you really want to keep your system safe: change your password often. While this may sound like a no-brainer, you do have to remember to change your password on a regular basis. Fortunately, you can configure Vista to force you to change your password as often as you wish. In this edition of the Windows Vista Report, I'll show you how to do so, by making changes to the default settings in the Local Users and Groups tool and in the Local Security Policy editor.

Version caveats

This technique will only work in the Ultimate and Business editions of Vista. Home and Home Premium users will have to change their passwords manually.

Local Users and Groups

By default, Vista sets your original password never to expire. As such, the first thing you have to do is configure your password so that it expires; you'll make that change in the Local Users and Groups tool. To access this tool, click the Start button, right-click Computer and select Manage from the context menu (Figure A). You'll then encounter a UAC dialog box and will need to respond accordingly.

Figure A

To get to the Local Users and Groups tool, begin by selecting Manage from the Computer context menu.

At this point, you will see the Computer Management console and will need to select Local Users And Groups in the tree so that the branch opens (Figure B).

Figure B

When the Computer Management console appears, open the Local Users And Groups branch.

Now, select the Users branch and double-click your username to access your user account Properties dialog box (Figure C).

Figure C

You'll need to clear the Password Never Expires check box to allow your password to expire.

The default setting for Password Never Expires is checked. Click the Password Never Expires check box to clear it, then click OK and close the Computer Management console.

The local security policy

The second thing you'll need to do is alter the local security policy. To make these types of alterations, you'll need to launch and work from the Security Settings Extension snap-in. To do so, click the Start button, type local security policy in the Start Search box (Figure D), and press [Enter]. When you do, you'll encounter a UAC dialog box and will need to respond accordingly.

Figure D

To access the Security Settings Extension snap-in, enter local security policy in the Start Search box.

In a moment, you'll see the Security Settings Extension snap-in in a console window titled Local Security Policy (Figure E).

Figure E

The Security Settings Extension snap-in appears in the Local Security Policy window.

Now, select Account Policies in the tree pane to open the branches. Select the Password Policy branch and double-click Maximum Password Age Policy. When you see the Maximum Password Age Properties dialog box (Figure F), use the spin buttons to select a length of time that you wish to use a password before a prompt appears to change it. To complete the operation, click OK, close the Local Security Policy console, and restart your system.

Figure F

Type a value in the Password Will Expire In box or use the spin buttons to select a value for the length of time.
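
The same two settings (the Password Never Expires check box and the Maximum Password Age policy) can be audited, and optionally corrected, from a script. This is an added example, not part of the original article; it assumes PowerShell is installed on the Vista machine, is run from an elevated prompt, and that `net accounts` prints English-language output. The 42-day value is only a sample default to be replaced with the interval you choose.

```powershell
# Added example: report local accounts whose password never expires and the
# machine-wide maximum password age; with -Fix, apply the article's settings.
# Assumes an elevated prompt and English "net accounts" output.
param(
    [switch]$Fix,
    [int]$MaxAgeDays = 42    # sample default; choose your own interval
)

# Win32_UserAccount.PasswordExpires is the inverse of the
# "Password never expires" check box in Local Users and Groups.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

foreach ($acct in $accounts) {
    if ($acct.Disabled) { continue }          # disabled accounts cannot log on
    if (-not $acct.PasswordExpires) {
        Write-Warning ("{0}: password never expires" -f $acct.Name)
        if ($Fix) {
            $acct.PasswordExpires = $true     # same effect as clearing the check box
            [void]$acct.Put()
            Write-Host ("{0}: password expiry enabled" -f $acct.Name)
        }
    }
}

# "Maximum password age" is the Password Policy setting from the Local
# Security Policy console; while it is Unlimited, expiry never triggers.
$line = net accounts | Where-Object { $_ -match 'Maximum password age' }
if (-not $line) {
    Write-Warning "Could not read the maximum password age from 'net accounts'"
    return
}
$maxAge = $line.Split(':')[1].Trim()

if ($maxAge -eq 'Unlimited') {
    Write-Warning "Maximum password age is Unlimited; passwords will not expire"
    if ($Fix) {
        net accounts /maxpwage:$MaxAgeDays | Out-Null
        Write-Host ("Maximum password age set to {0} days" -f $MaxAgeDays)
    }
} else {
    Write-Host ("Maximum password age: {0} days" -f $maxAge)
}
```

Run it without -Fix first to see which accounts are exempt from expiry; the WMI change applies per account, whereas /maxpwage applies to every local account on the machine.
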

Once the specified time has elapsed, log on to your system as you normally would and type your current password. When you do, you'll see an error message on your logon screen, similar to the one shown in Figure G, which tells you that your password has expired and you must change it.

Figure G

Vista will inform you that you must change your password once it has expired.

When you click OK, you'll see a screen similar to the one shown in Figure H, which prompts you to enter and confirm a new password and create a password reset disk. (For more information on creating a password reset disk, see the article Create A Vista Password Reset Disk Using A USB Flash Drive.)

Figure H

When you change your password on a regular basis, it is a good idea to create a new password reset disk each time.

Once you change your password, you'll see a confirmation message. When you click OK, Vista will log you on.

Changing your password

Changing your password on a regular basis is a good way to enhance the security of your Vista system and using the maximum password age policy to enforce the change is a good solution. How often do you or your users change passwords? Do you have an enforcement policy in place? Please drop by the discussion area and let us know.

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as a Documentation Specialist in the software industry, a Technical Support Specialist in the educational industry, and a Technical Journalist in the computer publishing industry.

2 comments
Al_nyc

My experience is that if you force people to change their password regularly, they will either write their passwords down somewhere within arm's length of their computer or pick a password that is easily guessed. Both end up doing the opposite of what you expect.

erik.langeland

The problem with enforcing password changes is people wind up writing down their password or using a system that is easy to guess. This utterly defeats the purpose of forcing regular password changes. The best approach in my opinion is:

1. Have a good, strong password, stronger than a dictionary word plus a number. For example, make a password from the initial letters of the words in a favourite phrase.
2. Keep it secret: don't write it down, say it out loud, or let anyone peer over your shoulder as you type it in.
3. If you think it has been compromised, then change your password.