Password Information
General info on passwords: they're a lot
easier to crack than you may think. Here are a few
ways to make your passwords less crack-able.
First, remember that password-cracking programs
scan through literally millions of word
combinations per second, so plain-English
passwords such as "pencil" or "yomama"
won't hold up at all. Avoid ordinary words in
favor of gobbledygook. Next, never use your
mother's maiden name or your cat's name as a
password. Anyone who knows you, or who can access
basic information on you, can make some shrewd
guesses as to what your password might be, and
using your middle name as a password won't do the
job. You should use combinations of upper- and
lower-case letters mixed in with numbers,
nonalphanumerical symbols such as & and ¢,
and even extended ASCII characters (available by holding
down the Alt key and entering digit combinations
on your number pad). Most cracker programs don't
look for special characters unless the hacker
specifies which ones to look for. Passwords
should be at least seven characters long, and
preferably 10 or more. You should use at least
one symbol character in the second through sixth
positions. Change your passwords frequently, and
don't keep them on sticky notes attached to your
monitor or stuck inside your desk drawer. Don't
recycle old passwords.
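
The rules in the paragraph above, as an added Python example that is not part of the original page: it audits a candidate password for length, ordinary words, personal information, character mix and the symbol-in-positions-2-through-6 rule. The word list, rule names and function names are constructed for illustration, and stripping digits and symbols before the word check goes slightly beyond what the text states.

```python
# Added example: audit a candidate password against the rules listed above.
# COMMON_WORDS is a constructed sample; a real check would load a full word list.
COMMON_WORDS = {"pencil", "yomama", "password", "letmein", "dragon"}

MESSAGES = {
    "too_short": "fewer than 7 characters",
    "short_of_10": "7 to 9 characters; 10 or more is preferred",
    "ordinary_word": "is an ordinary word once digits and symbols are ignored",
    "personal_info": "contains a name or term tied to the user",
    "missing_classes": "lacks upper-case, lower-case, digit or symbol characters",
    "no_early_symbol": "no symbol in character positions 2 through 6",
}


def is_symbol(ch):
    """Anything that is not a letter or digit, e.g. & or the Alt-code character ¢."""
    return not ch.isalnum()


def audit_password(password, personal_terms=(), common_words=COMMON_WORDS):
    """Return (failures, warnings) as lists of rule names from MESSAGES."""
    failures, warnings = [], []
    lowered = password.lower()

    # At least seven characters, preferably 10 or more.
    if len(password) < 7:
        failures.append("too_short")
    elif len(password) < 10:
        warnings.append("short_of_10")

    # Ordinary words fall to a cracker even with digits or symbols tacked on.
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    if lowered in common_words or letters_only in common_words:
        failures.append("ordinary_word")

    # Maiden names, pet names, middle names: anything an acquaintance could guess.
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        failures.append("personal_info")

    # Upper- and lower-case letters mixed with numbers and symbols.
    classes = (
        any(ch.isupper() for ch in password),
        any(ch.islower() for ch in password),
        any(ch.isdigit() for ch in password),
        any(is_symbol(ch) for ch in password),
    )
    if not all(classes):
        failures.append("missing_classes")

    # At least one symbol in the second through sixth positions (1-based).
    if not any(is_symbol(ch) for ch in password[1:6]):
        failures.append("no_early_symbol")

    return failures, warnings


if __name__ == "__main__":
    for candidate, terms in [("pencil", []), ("Rex2001!", ["Rex"]), ("g7&Kq¢w2Rz", [])]:
        failed, warned = audit_password(candidate, personal_terms=terms)
        print(candidate, "->", [MESSAGES[r] for r in failed + warned] or "passes every rule")
```
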
Here's a tip so stupefyingly simple that I bet
most of you never thought of it. I didn't. Keep a
simple text file in Notepad or some such with all
of your vital PC information, including your
various login names, passwords, IP settings,
phone numbers for your ISP's tech support line,
credit card numbers with the expiration date, and
the 800 numbers to report consumer fraud in case
any odd purchases show up on your monthly
statements. Just be aware that even if you hide
or password-protect this file, your info is now
on your computer, and can be found by sneaky
folks if they have access. Don't forget it's
there when you get rid of your computer, either;
even a file delete or disk reformat won't make it
disappear.
Of course, the easiest Windows password is the
one that keeps the screen saver from disengaging.
Handy for quick and dirty security, i.e. while
you go to the bathroom, but in no way can this be
considered "secure." A simple restart
gets around this one.
It's easy to change or disable your Windows
password -- maybe too easy if you're
security-conscious. Bypass it during log-on by
clicking Cancel. Disable it by opening the
Passwords applet in Control Panel and typing your
old password in the Old Password field. Now tab
to the New Password field, press Enter, tab to
the Confirm Password field, and again press
Enter. This should eliminate your password. If
not, run POLEDIT (see above), select File/Open,
click on Open Registry, select LocalComputer\Network\Password,
and clear the "Minimum Windows password
length" option. Another way is to use TweakUI,
a freebie discussed previously and available from
most big shareware vendors, to skip the password
procedure.
Of course, you may like Windows's password
feature. If you want to make Windows remember an
individual's password for DUN or netsharing, go
through the Passwords applet in Control Panel,
click on the User Profiles tab, and select
"Users can customize their preferences and
desktop settings." Click OK. The next time
you boot up, Windows will ask for a logon name
and password before letting you in. Don't need a
password but want to log in and out? Just leave
the Password box blank.
If you installed Windows with a password, and
you forgot your password, Windows can be very
stubborn about not allowing you access. Hit
Escape at the password box, launch the MS-DOS
prompt, type DIR
*.PWL at the C:\WINDOWS prompt, delete the
.PWL file with your name in front of it, restart
your computer, and enter a new password when
prompted. To delete your password before trouble
begins, go into Control Panel/Passwords, click on
the Change Windows Password button, enter your
current password in the Old password box and
click on OK. You're better off not using a
password unless you really see a need; then
tattoo it on your rump or something. There's a
freeware program called Revelation (www.snadboy.com/)
that will sneak a peek at a hidden password and
tell you what it is. Network users: You can make
Windows remember your password so you don't have
to type it in every time you log on (by checking
the "Save this password in your password
list" box), but what if you later decide
you'd rather restrict access? To delete a stored
password, you need to load the Password List
Editor from your Windows CD. Get it by inserting
the disk, going through Start/Settings/Control
Panel, double-clicking Add/Remove Programs,
clicking the Have Disk box, and in the list box
typing D:\ADMIN\APPTOOLS\PWLEDIT
(replace the D: with the letter of your CD drive
if different). Close the dialog box. Then find
the newly installed utility in System Tools, open
it, select the network resource whose stored
password you want to delete (or Select All if you
want to delete 'em all), and click Remove. The
next time you log on, you'll be asked for your
password. Also, Microsoft's TweakUI
utility makes it easy to deal with persnickety
passwords.
By the way, it's wise to back up any .PWL files
you delete before consigning them to the eternal
flames. You may want those old passwords for Web
forms, saved cookies, etc.
The Windows password utility is essentially
candy -- far too weak to keep anyone but the most
casual amateur out of your machine. For a little
more security, enable your PC's CMOS password
feature. Start your system up, and access the
CMOS setup program by pressing either the DEL or
F1 key while the machine is booting up. Scan the
menu choices for something like
"Security" or "User
Password," go into this menu choice, and
enter your password choice. Warning: if you
forget this password, you'll need to reset the
system directly through the motherboard, and this
isn't funny for the average user.
Many of us go through altogether too much
foofaraw trying to remember all of our passwords
for our various apps. Some folks use one single
password for all their apps -- easy to remember,
but disastrous if discovered. Others use a
plethora of different passwords -- better
security but hard to remember and easy to lose.
The easy way to deal with this is to use a password
manager utility and let it do the
remembering. PassKeeper from www.passkeeper.com
is a good example of a basic freeware utility
that keeps up with the most arcane passwords,
encrypts them to keep prying eyes from snagging
your access codes, and itself demands a password
for entry (OK, you can remember one). More
sophisticated utilities include the freebie Whisper
32 from www.ivory.org/whisper.html, or
the $25 (and quite large) Info Keep from www.infokeep.net.
Users of Internet Explorer 5 have a feature
called AutoComplete which lets Windows remember
passwords for given sites. Not that this is
secure, since Milton at the next desk or the
rotten kid next door can use this feature to
access your favorite Web sites while you're away
from your computer. Better to use a password
manager.
WinME users, you can set your system to keep
unwanted users out while you're away by going
into Control Panel, Power Options, Advanced, and
checking the box marked "Prompt for password
when computer goes off Standby and into
Hibernate." Set the Power Scheme option to
Home/Office Desk. Now when your PC goes to sleep,
it will take a password entry to wake it up
again.
Many people try to use the Save Password
option under Dial-Up Networking, only to find the
box grayed out. Go to support.microsoft.com/support/kb/articles/Q137/3/61.asp
for info on this issue. Also, for those of you
whose Save Password box is available, but doesn't
work (that is, the password isn't saved), try: support.microsoft.com/support/kb/articles/Q148/9/25.asp
.
Find out more about what's available in the
password-cracking market by visiting www.crak.com/
and www.passware.com/, two of the major
providers of app-cracking software. The Password
Cracker service at www.pwcrack.com/ can
help you crack everything from ZIP codes to BIOS
passwords. (Why am I posting this info? Well, the
bad guys and the evil teens out there already
know about these sites. Why shouldn't you?)
Windows Media Player XP and 7.1 owners are
broadcasting their GUID (globally unique
identifier) number to sites when they request
streaming media. Although some say this isn't
worth worrying about, others disagree. Disable
this by going into Tools, Options, and unchecking
the "Allow Internet sites to uniquely
identify your Player" box.
Some of you find yourself having to deal with
that annoying "Password for Microsoft
Networking" screen that comes up before you
can get to your desktop. The easiest way is to
click "Cancel" and move on, but that
has the potential for problems, so don't do it.
You can oftentimes get past it just by clicking
OK (without the password), but not always. Here
are the two easiest ways to disable this login.
First, if you install the Microsoft Family Logon,
the Windows Login dialog should go away. Follow
these steps to install it. Right-click Network
Neighborhood and choose Properties (or open the
"Network" Control Panel). Then click
the Add button. Double-click the
"Client" entry. Select
"Microsoft" on the left side.
Double-click "Microsoft Family Logon"
on the right side and click OK. You may need to
insert your Windows 98 CD at this point, or
Windows may find the files it needs automatically
(depending on how your computer is set up). Now
restart your computer, and that's a done deal.
The second way to handle it is to download and
use TweakUI. Once Tweak UI is installed, access
it from the Control Panel. Select the
"Logon" tab. Put a check in the box
beside "Log on automatically at system
startup." Then in the spaces below, enter
the information you normally enter into the
Windows Logon box. Be sure to get this right, and
don't put anything new in these boxes. Note: some
broadband accounts use the Microsoft Networking
protocol, which means you can't disable it. In
this case, just click Cancel and go on.
User profiles
"User profiles" are a much-hated
feature of Windows that most home users disable
as quickly as possible. The usefulness of user
profiles is that Windows can be customized for
different users, including different wallpapers
and so forth; the downside is that this feature
is rarely used and can become obtrusive and
annoying. Who wants to sign in when they don't
have to? Disable your user profile by restarting
your PC. When you see the logon system box, click
Cancel. Now open Control Panel, click Passwords,
and select the "User Profiles" tab.
Select "All Users Of This PC Use The Same
Preferences And Desktop," and click OK.
Restart Windows, and user profiles are officially
disabled. Now, get rid of the logon system box.
Go back into Control Panel and into the Passwords
applet, and click on "Change
Passwords." Click the "Change Windows
Passwords" button. On the "Old Password"
line, enter your password. Press Tab to highlight
the "New Password" line, then hit Enter
(you leave the new password blank). You should
see a message telling you that your password has
been successfully changed. Now you'll want to
delete your user profile information. To do this,
you'll need to don your hip waders and go for a
hike into the Registry, so back that sucker up (SYSTEM.DAT
and USER.DAT, for the forgetful) first. Now open
Regedit (go through Start/Run), and drill down to
HKEY_LOCAL_MACHINE
\ SOFTWARE \ Microsoft \ Windows \ CurrentVersion
\ ProfileList \ (username) -- the username
being whoever's profile you're scrubbing. To
remove an individual profile, go to the left pane
and right-click the (username) key that
represents the profile you want to remove. Select
"Delete," then click "Yes" to
confirm. To remove every profile at once,
right-click the "ProfileList" key,
select "Delete," then click
"Yes." Close Regedit. That takes care
of the job halfway. The other half of your user
profiles resides in your Windows folder. First,
make sure all "hidden" files are
visible: In Windows ME and XP, you go into
Explorer and click either the "Show the
contents of this folder" or "View the
entire contents of this folder." XP may try
to make things difficult for you; choose Tools,
Folder Options and make sure the "Show
common tasks in folders" box is selected in
the General tab. You can turn all the warnings
off in XP by going into Tools, Folder Options and
clicking the View tab; once there, go under
Advanced Settings and check the box marked
"Display the contents of system
folders." In earlier versions of Windows, go
into either Explorer or My Computer, choose View,
Options, and click on the View tab. Click the
"Show All Files" or "Show hidden
files and folders" button under Advanced
Settings (you may need to double-click the
"Hidden files" or "Hidden files
and folders" icon). Uncheck the box that
hides MS-DOS extensions. Now, in Explorer,
navigate your way to C:\WINDOWS\PROFILES
(if Windows lives on a different drive than C:,
use that drive letter instead). To delete an
individual profile, delete the corresponding C:\WINDOWS\PROFILES\(username)
folder. To remove all user profiles, delete the
entire C:\WINDOWS\PROFILES
folder. Now you're clean.
Or maybe you like setting up user profiles for
you and the family, or you and the rest of your
project team. Go into Control Panel, double-click
Users, then use the Enable Multi-user Settings
wizard. Then, whenever you start Windows 98,
you'll get a Welcome To Windows dialog box. To
log on, type your username and password, then
click OK. This allows you to customize settings
such as wallpaper, desktop shortcuts, color
schemes and so on for multiple users on the same
system.
A Millennium user asked me how to get rid of
the "enter user name and password" box
that currently pops up when she logs in.
Somehow she lost her Change Windows Password
button in the Control Panel. I couldn't help her,
but the fine fellows at www.5StarSupport.com told her to go into Control Panel
under Users and Add and Remove users and change
the settings for the users there. It worked for
her, and it should work for you.
Lots of info on getting rid of the logon
screen on all flavors of Windows can be found at www.annoyances.org/exec/show/article04-103
-- some are easier than the methods I've included
in this page.
Want to do away with user profiles, but retain
some of a profile's settings? You can retrieve
them from the user profile folder, assuming you
haven't deleted it. For example, if you want to
retain a user profile's desktop settings, delete
the contents of the default desktop folder
(probably C:\WINDOWS\DESKTOP).
Next, copy the contents of the user profile's
Desktop folder (C:\WINDOWS\PROFILES\DESKTOP)
to the default desktop folder. Similarly, to keep
a profile's Start Menu configuration, copy the
contents of the C:\WINDOWS\PROFILES\
\START MENU folder to C:\WINDOWS\START
MENU.
When you set up Windows 9x, you
"registered" it to yourself (or
QuickDraw McGraw, or whoever's name you typed
in). Now you want to remove your name from the
computer (maybe you're selling it, or you just
don't like having your name come up). You have to
edit the Registry to do this, but the good news
is that it isn't a difficult edit. Back up your
Registry first, then go through Start/Run and
type REGEDIT in the box. The Registry Editor
comes up. Navigate through the left pane until
you get to HKEY_LOCAL_MACHINE
\ SOFTWARE \ Microsoft \ Windows \ CurrentVersion.
In the right pane, select Registered Owner and
press Enter. You can type in a new name or just
press Delete to leave the name blank. Press
Enter, and do the same thing under Registered
Organization. Exit the Registry Editor, and
reboot Windows. Warning: leaving the name blank
on Win 95 OSR2 could trigger the system to put
you through the full Setup Wizard process. Oddly
enough, it won't demand that you enter a name,
but it demands a Product Identification Number
from the Windows Certificate of Authenticity that
came with the original package. If you forget to
include this with the PC when you sell it to
someone else, that guy is going to be stuck.
XP users have a plethora of options and
potential problems that the rest of us don't have
to worry with. I can lead you through some of the
underbrush, though you'd better bring a machete
and a native guide....
- The Start menu actually comes from two
separate sources: one that's user-specific and
one that's shared. The XP upgrade puts
everything into the Shared area, so if you
delete something from your account's Start
menu, everyone else loses it, too. You can
enable individualized Start menus by going
through Start, My Computer, and clicking the
Folders toolbar button. Navigate to C:\DOCUMENTS
AND SETTINGS\ALL USERS\START MENU and
right-click that folder. Choose Copy. Now
right-click on each user's folder in C:\DOCUMENTS
AND SETTINGS\ and select Paste. You may
be asked to confirm replacing items in the
Start menu folder; answer "Yes to
all." Finally, delete C:\DOCUMENTS AND
SETTINGS\ALL USERS\START MENU . Now each user
has his or her own personal Start menu and can
freely add or delete items without affecting
others. Once this is done, installing new
programs may add new items to the Shared area.
You can move these to your personal Start Menu
by right-dragging them to the desktop and
choosing "Move Here." Right-drag
them back to the Start button and again choose
"Move Here."
- Simple File Sharing, the default choice, is
very limited and, among other things, does not
allow a folder to be configured so that you
alone can access it remotely, or set per-user
permissions a la Windows 2000. Disable SFS by
opening Windows Explorer, opening Tools,
Folder Options, and clicking on the View tab.
Uncheck the box for "Use simple file
sharing (recommended)" and click OK. Now
when you right-click a folder and choose
"Sharing and security..." you'll get
the detailed controls found in Win 2K. Note
that XP Home users can't do this -- they're
stuck with Simple File Sharing. Also, SFS
allows a plethora of NetBIOS vulnerabilities
and leaks, so be warned.
- Fast User Switching lets you switch between
users without logging off. Enable it by going
through the User Accounts applet in Control
Panel, click on "Change the way users log
on or off," and check the "Use Fast
User Switching" box. You can also access
the user list by pressing and holding the
Windows key and pressing L. Fast User
Switching doesn't work if your computer is
part of a network domain, and it can be a
tremendous system resource hog when not kept
in check. A good Microsoft KB article,
"Architecture of Fast User
Switching," is available at support.microsoft.com/default.aspx?scid=KB;EN-US;Q294737.
If you find that FUS disconnects you from your
dial-up connection, you'll need to use
Internet Connection Sharing to stay online. Go
through Control Panel's Network Connections
applet, select the connection you want to
share, and click on "Change settings of
this connection" in the left-hand pane.
On the Advanced tab, check the boxes
"Allow other network users to connect
through this computer's Internet
connection" and "Establish a dial-up
connection whenever a computer on my network
attempts to access the Internet." Now the
computer will stay open through a Fast User
Switch. Broadband users, this won't affect
you.
- Protect your password: XP allows anyone to
view the password hint you inputted when you
first created your password. You can choose to
bypass the hint and use a password reset disk
instead. Create one by going through User
Accounts, click on your account, choose
"Prevent a forgotten password" in
the task pane, and follow the prompts. Now if
you forget your password, XP will ask you for
the reset floppy disk. Just don't lose the
disk!
- Sooner or later you'll want to access the
Administrator account. It isn't displayed on
the Welcome screen, but you can bring it up by
pressing Ctrl+Alt+Del, releasing just the Del
key, and pressing Del again. This brings up a
Win 2K-style login screen, which allows you
Administrator access.
- Some people think the XP Welcome screen
gives too many ways for unscrupulous users to
get into user accounts. You can use the more
secure Win 2K logon box by going through User
Accounts, clicking on "Change the way
users log on or off," and uncheck the
"Use the Welcome screen" box. This
also disables Fast User Switching.
- Want more secure logons? Force users to go
through the Ctrl+Alt+Del logon process (to
keep Trojan horses from taking over your
system) and eliminate the automatic display of
the last user's name in the logon box. This
involves a Registry hack, so be careful.
Launch Regedit and navigate to the HKEY_LOCAL_MACHINE
\ SOFTWARE \ Microsoft \ Windows \
CurrentVersion \ Policies \ System key.
Find or create a DWORD value named DontDisplayLastUserName
and set its data to 1. In the HKEY_LOCAL_MACHINE
\ SOFTWARE \ Microsoft \ Windows NT \
CurrentVersion \ Winlogon key, find or
create a DWORD value named DisableCAD
and set its data to 0 (zero). To do this, you
have to be using the Windows 2000-style logon
discussed above.
- If you use NTFS, you can designate who owns
a hard drive. This is useful for systems with
multiple user accounts. In the Administrators
group, click Start, Control Panel,
double-click Administrative Tools, and then
Computer Management. In the console tree,
click Disk Management. Right-click the drive
for which you want to set up ownership, and
click Properties, choose the Security tab, and
click Advanced. Click on the Owner tab and
click on the new owner. Click OK.
- Want a subfolder in the Start menu that all
users can see? Log on as an Administrator,
right-click on the Start button, select
"Open All Users," and double-click
the folder to which you want to add a
subfolder (usually you'll choose Programs).
Right-click on any empty area within the box
and select New, then choose Folder. Type the
name of the new folder and press Enter.
- You can make a user "invisible;"
this can be very useful in certain network
settings, and it's also an advantage if you
want a plain-vanilla version of XP. Scot
Finnie recommends creating a sort of
"default" user that is exactly as
shipped with the operating system; no
customizations or changes. You can use this as
a snapshot to check on how things were set up
initially and to track your own changes, and it serves
as a very basic troubleshooting aid. You
should also create a user that represents your
primary login, and consider setting up the
"Guest" account on a network. That
will leave you with two or three users on
every computer just to get started, and it
means you'll have more choices on the Welcome
screen than is necessary when only one person
uses my computers. Why not make your user
accounts invisible? It's a simple Registry
hack that can be completed like so:
First, open Regedit. Now, on the left pane of
the Registry Editor, select HKEY_LOCAL_MACHINE
(which is abbreviated to HKLM below). Then
navigate to this location: HKLM
\ SOFTWARE \ Microsoft \ Windows NT \
CurrentVersion \ Winlogon \ SpecialAccounts \
UserList. With UserList open in the
left pane, right-click any blank area on the
right pane and choose New,
DWORD Value. Give the new icon the
exact name as the user account you want to
hide. Then press Enter. Repeat the steps for
each additional user you want to hide. That's
it. You're done. You can
test it by choosing Start, Log Off, Switch
User (if available). If you don't see Switch
User, then use Log Off, but this will shut
down all your apps and documents. To reverse
it, just delete the icon you added. At least
one user had trouble accessing Windows to
reverse the change. If you run into this
problem, restart your PC. You should encounter
the Welcome screen with no names on it. At
that point, press Ctrl-Alt-Delete. You'll
probably see your main username there. Enter a
password if you have one (or nothing in the
Password field if you don't) and press OK.
That should do the trick. If you don't see
your username or it doesn't work, after you
press Ctrl-Alt-Delete, type
"Administrator" in your username
field. No password (unless you've used
Administrator before and used a password).
Press OK. This will get you in. Once you are
in, follow the steps from the earlier tip
again. In the System Registry Editor, you can
just delete the icon labeled with the username
you hid. That should render everything visible
again. Great tip, Scot!
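
An added Python example, not part of the original page: it reads the text of a regedit export and checks the two logon values from the "more secure logons" item above, then lists any accounts hidden through the UserList key from the "invisible user" item. The export text, the account names in it and the function names are constructed for illustration.

```python
import re

# Constructed sample of a regedit export (.reg text); not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DontDisplayLastUserName"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000001
"DefaultUserName"="Milton"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Default"=dword:00000000
"Guest"=dword:00000001
'''

HKLM = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\"
POLICY_KEY = HKLM + "Windows\\CurrentVersion\\Policies\\System"
WINLOGON_KEY = HKLM + "Windows NT\\CurrentVersion\\Winlogon"
USERLIST_KEY = WINLOGON_KEY + "\\SpecialAccounts\\UserList"

# (key, value name, data the page says to set)
EXPECTED = [
    (POLICY_KEY, "DontDisplayLastUserName", 1),
    (WINLOGON_KEY, "DisableCAD", 0),
]


def parse_reg_export(text):
    """Parse .reg text into {key_lowercase: {value_name: data}}; dwords become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if value is None or current is None:
            continue  # blank line, file header, or a data type not handled here
        name, data = value.groups()
        dword = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
        current[name] = int(dword.group(1), 16) if dword else data.strip('"')
    return keys


def lookup(keys, key, name):
    """Registry key and value names are case-insensitive."""
    for existing, data in keys.get(key.lower(), {}).items():
        if existing.lower() == name.lower():
            return data
    return None


def audit_logon_settings(text):
    """Return the values that differ from the page's settings, plus hidden accounts."""
    keys = parse_reg_export(text)
    findings = []
    for key, name, wanted in EXPECTED:
        actual = lookup(keys, key, name)  # None when the value is absent
        if actual != wanted:
            findings.append((name, actual, wanted))
    # A DWORD under UserList with data 0 (the default for a new value) hides the account.
    userlist = keys.get(USERLIST_KEY.lower(), {})
    hidden = sorted(name for name, data in userlist.items() if data == 0)
    return {"findings": findings, "hidden_accounts": hidden}


if __name__ == "__main__":
    report = audit_logon_settings(SAMPLE_EXPORT)
    for name, actual, wanted in report["findings"]:
        print(f"{name}: found {actual}, page says {wanted}")
    print("hidden from the Welcome screen:", report["hidden_accounts"])
```
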
There's a documented problem for XP users:
"When you upgrade or install Microsoft
Windows XP, passwords may be assigned to user
accounts that previously had no password or you
did not assign passwords to any user accounts
during the installation process. As a result, you
cannot log on to the computer." What
happened is Windows Setup didn't complete
properly. During the Windows installation, it
assigns temporary passwords to your user accounts
and places those passwords in a SETUPACT.LOG file
located in the Windows directory. Microsoft has a
site available at support.microsoft.com/default.aspx?scid=kb;EN-US;Q318026
that tells you how to boot from the Windows CD or
boot disk and edit the file so you can retrieve
those passwords. It's possible that if the setup
gave you the opportunity to set an Administrator
password, you may be able to login as
Administrator by pressing Ctrl+Alt+Del twice at
the login screen and logging in as Administrator.
If that works, once in, you can click the Start
button, right-click the My Computer icon, and
choose "Manage." You'll see a folder
that says "Local Users and Groups," and
if you expand that, you should see the various
"users." Go into these accounts and
change the password. If this doesn't work, a
reinstall may be in order.