Local Account Passwords

Issue

Weak passwords are one of the main causes of security breaches. Examples of weak passwords are names of children or pets, or common words found in the dictionary, such as "happy."

It is outside the scope of this tool to check for all possible weak passwords on accounts. Rather, this tool only checks for a few commonly used weak passwords as follows:

This check also notifies you of any accounts that have been disabled, or are currently locked out.

This check is not performed on domain controllers.

For Microsoft® Windows® XP machines that use simple file sharing (includes Windows XP Home Edition and Windows XP Professional machines not joined to a domain), MBSA will not flag local accounts with blank passwords. To help protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen.

Solution

Adopt a strong password policy. This is one of the most effective ways to ensure system security. For guidance on implementing strong passwords, refer to the articles in the Additional Resources section.

Instructions

To change password policy settings in Windows Server 2003, Windows XP Professional, or Windows 2000

  1. Open the Control Panel.
  2. Double-click Administrative Tools, and then double-click Local Security Policy.
  3. Double-click the Account Policies folder, and then select the Password Policy folder.
  4. Double-click the policy that you want to change and then specify the new policy setting.

To change password policy settings in Windows XP Home Edition

  1. Open the Control Panel.
  2. Select User Accounts.
  3. Click the user account you would like to change and select the Password function.

To change password policy settings in Windows NT®

  1. Click Start, point to Programs, and then click Administrative Tools.
  2. Click User Manager for Domains.
  3. On the User menu, click Select Domain, and then type the local computer name.
  4. On the Policies menu, click Account.
  5. In Account Policy, change the password restrictions.
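
As an added example (not part of the original help text or of MBSA), the following read-only PowerShell script lists the local accounts that are disabled, locked out, or allowed to have no password, and then shows the effective password policy that the steps above change. It assumes PowerShell 3.0 or later for Get-CimInstance and English-language `net accounts` output; the flag labels are the example's own.

```powershell
# Added example: read-only audit of local accounts and the local password policy.
# Uses the Win32_UserAccount WMI class and the built-in "net accounts" command.
# Makes no changes to the system.

# LocalAccount=True restricts the query to accounts defined on this computer.
$accounts = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True"

$report = foreach ($a in $accounts) {
    $flags = @()
    if ($a.Disabled)              { $flags += 'disabled' }
    if ($a.Lockout)               { $flags += 'locked out' }
    # PasswordRequired = False means the account is permitted to have no
    # password; it does not prove that the password is actually blank.
    if (-not $a.PasswordRequired) { $flags += 'blank password permitted' }
    if (-not $a.PasswordExpires)  { $flags += 'password never expires' }

    [pscustomobject]@{
        Account = $a.Name
        Flags   = if ($flags) { $flags -join ', ' } else { 'none' }
    }
}
$report | Sort-Object Account | Format-Table -AutoSize

# Effective password policy (the same settings shown under
# Account Policies > Password Policy in Local Security Policy).
$policy = net accounts
$policy

# Assumption: English output, where the line reads "Minimum password length: N".
$line = $policy | Where-Object { $_ -match '^Minimum password length:' } |
        Select-Object -First 1
if ($line -and $line -match '(\d+)\s*$') {
    if ([int]$Matches[1] -eq 0) {
        Write-Warning 'Minimum password length is 0: the policy accepts blank passwords.'
    }
}
```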

Additional Resources

What's New in Security for Windows XP Professional and Windows XP Home Edition

Creating Strong Passwords

How to Enable Strong Password Functionality in Windows NT


©2002-2004 Microsoft Corporation. All rights reserved.