While good internal security starts with user accounts, more important still is the strength of the passwords assigned to those accounts. Far too many users take the easy way out on this one, assigning very common or “guessable” words as their password. In the same way that it’s a bad idea to set the PIN on your bankcard to 1111 or to the month and year of your birth, the same holds true for the password assigned to a user account. Quite simply, too many utilities exist that can easily guess passwords based on common words, using what is known as a dictionary attack. If you’re serious about security, then be serious about your password – your last name, your dog’s name, or “password” just won’t cut it.
Good password security exhibits two main features. The first is that the password should be hard to guess, combining upper- and lower-case characters, numbers, and special characters (for example %@$^~). The second critical consideration is how often passwords are changed. As a general rule, get users on your network in the habit of changing their passwords at least once every 30-60 days, and be sure to assign a password to every user account. On a Windows XP or Windows 2000 Professional system, password changes can be made mandatory by configuring the Password Policy settings in the Local Security Policy administrative tool.
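The two checks the article describes, complexity and maximum age, as an added example that is not part of the original article: the complexity check also normalizes common character substitutions (such as @ for a and 0 for o) so that a dressed-up dictionary word like "P@ssw0rd1" is still rejected. The word list and the substitution map are constructed for the example; a real deployment would load a full dictionary.

```python
from datetime import date, timedelta

# Constructed sample word list; a real check would load a full dictionary file.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "smith", "rover"}

# Constructed map of the usual "look-alike" substitutions users make to
# disguise a dictionary word; undo them before comparing against the list.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "$": "s", "1": "l",
                          "3": "e", "!": "i", "5": "s", "7": "t"})


def complexity_failures(password: str, min_length: int = 8) -> list:
    """Return the policy rules the password fails; an empty list means it passes.

    Rules follow the article: minimum length, upper- and lower-case letters,
    a digit, a special character, and not being a (disguised) dictionary word.
    """
    failures = []
    if len(password) < min_length:
        failures.append("length")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(not c.isalnum() for c in password):
        failures.append("special")
    # Undo look-alike substitutions, then look for any common word inside the
    # result, so "Smith2024!" and "P@ssw0rd1" are both caught.
    normalized = password.translate(LEET_MAP).lower()
    if any(word in normalized for word in COMMON_WORDS):
        failures.append("dictionary")
    return failures


def password_expired(last_changed: date, today: date, max_age_days: int = 60) -> bool:
    """True when the password is older than the maximum age (the article's 30-60 days)."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&Z", "P@ssw0rd1", "rover"):
        print(candidate, "->", complexity_failures(candidate) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 3, 15)))
```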