
Passwords

A good password policy helps users protect their passwords from other individuals. This helps to reduce the probability of someone logging on with another user’s password and gaining unauthorized access to data.

The following guidelines should help you create a basic security policy:

You can use the following Windows NT and NetWare security features to enhance Windows 98 security:

Enforce a reasonable minimum password length.

This policy increases the number of permutations needed to guess someone’s password randomly or programmatically. You can also enforce an alphanumeric password combination to achieve the same effect.

Enforce maximum and minimum password age.

This policy forces the user to change the password, preventing someone else from discovering it as a result of the password being in use for a long time. A minimum password age prevents a user from immediately reverting to a previous password after a change.

Enforce password uniqueness and maintain password history.

This policy prevents users from toggling between their favorite passwords. You can specify the number of unique passwords that a user must have before that user can use a previously used password.
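
The three policies above depend on each other: password history only helps if a minimum age stops a user from cycling through throwaway passwords in one sitting. The following Python code is an added example, not part of the original documentation and not Windows NT or NetWare code; the policy values, the account model and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:  # constructed sample values, not defaults of any product
    min_length: int = 8
    require_alnum: bool = True            # at least one letter and one digit
    min_age: timedelta = timedelta(days=1)
    max_age: timedelta = timedelta(days=42)
    history: int = 3                      # new password must differ from the last N

@dataclass
class Account:  # hypothetical account record
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    hashes: list = field(default_factory=list)   # salted digests, newest last
    changed: datetime = None

def _digest(acct, pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), acct.salt, 100_000)

def expired(acct, pol, now):
    """Maximum age: the password must be changed once it is older than max_age."""
    return acct.changed is not None and now - acct.changed > pol.max_age

def change_password(acct, pol, new_pw, now):
    """Apply length, alphanumeric, minimum-age and history checks; return (ok, reason)."""
    if len(new_pw) < pol.min_length:
        return False, "too short"
    has_alpha = any(c.isalpha() for c in new_pw)
    has_digit = any(c.isdigit() for c in new_pw)
    if pol.require_alnum and not (has_alpha and has_digit):
        return False, "not alphanumeric"
    if acct.changed is not None and now - acct.changed < pol.min_age:
        return False, "minimum age not reached"
    d = _digest(acct, new_pw)
    recent = acct.hashes[-pol.history:] if pol.history else []
    if any(hmac.compare_digest(d, h) for h in recent):
        return False, "in history"
    acct.hashes.append(d)
    acct.changed = now
    return True, "changed"

def cycle_back(pol, favorite, fillers, start):
    """A user burns through `fillers` at one instant, then tries `favorite` again."""
    acct = Account()
    change_password(acct, pol, favorite, start - timedelta(days=30))
    for pw in fillers:
        change_password(acct, pol, pw, start)
    return change_password(acct, pol, favorite, start)
```

With a minimum age of zero, `cycle_back` succeeds in restoring the favorite password despite a history of three; with the one-day minimum age it is refused after the first change.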

For more information about using Windows NT and NetWare security features, see the documentation for those products, or see the Microsoft Windows NT Server Networking Guide in the Windows NT Server Resource Kit (for Windows NT Server version 4.0) (ISBN 1-57231-343-9).

Using the Windows 98 Logon Password

With Windows 98, users can log on to all networks and Windows 98 at the same time. The first time a user starts Windows 98, logon dialog boxes appear for Windows 98 and for each network client on that computer. This is useful for you as a network administrator, because you can use existing user accounts on a network security provider to validate access to the network for users running Windows 98. For more information, see Chapter 18, "Logon, Browsing, and Resource Sharing."

If a user’s password for Windows 98 or for another network is the same as the password for the primary logon client, Windows 98 logs the user on to Windows 98, and then the network automatically uses that password. When a user logs on to other networks with different passwords and chooses to save them, the passwords are stored in the password list file. The Windows 98 password unlocks this file. Thereafter, Windows 98 will use the passwords stored in the password list file to log a user on to other networks, so that no additional passwords need to be typed. This single logon provides a solution to the problem of password proliferation.

The Passwords option in Control Panel provides a way to synchronize logon passwords for different networks. This allows users to use the password for whatever logon dialog box appears first (the primary network logon client or Windows 98 logon) for logging on to all other network clients.

To change a password for a network resource to be the same as the Windows 98 logon password

  1. In Control Panel, double-click Passwords, and then click Change Windows Password.
  2. In the Change Windows Password dialog box, select the other passwords you would like to change to use the same password as the Windows 98 password, and then click OK.

    To appear in this list, the related software must include a function that lets its password be changed.

  3. In the second Change Windows Password dialog box, type the current (old) Windows 98 password, type a new password, and then, in the Confirm new password box, type the new password again. Click OK.

Note

The Windows Screen Saver passwords option appears here only if the Windows screen saver has been turned on and the password-protected option has been selected.

You can maintain separate passwords for a network resource and require users to type a password each time they access it.

To change a password for a network resource

  1. In Control Panel, double-click Passwords, and then click Change Other Passwords.
  2. In the Select Password dialog box, select the password you want to change, and then click Change.
  3. In the Change Password dialog box, type the current (old) network password, type a new password, and then, in the Confirm new password box, type the new password again. Click OK.

    You must now type the new password to access the resource.

Note

You can also use the Passwords option to change individual passwords for other network resources so that they differ from the Windows 98 logon password.

Using Windows 98 with NetWare Passwords

To log on to a NetWare network, you must type the name of the preferred server on which the related user account is stored. After the user name and password are validated by the network server, you can use resources shared on that server. If you are not validated, you will be prompted to enter a password whenever connecting to a NetWare server during this work session.

The first time you attempt to connect to a NetWare server other than the preferred server, Windows 98 searches for an appropriate user name and password in the PWL file. If no matching set of credentials is found, Windows 98 tries to log on using the Windows 98 password. If this fails, Windows 98 displays a NetWare logon prompt for you to enter a valid user name and password, which can then be stored in the PWL file.

To avoid use of automatic NetWare logon

To change your password on a NetWare server

  1. At the command prompt, use the net use command to connect to the NetWare server’s SYS volume. For example, for a server named NWSVR2, you would type:

    net use * \\nwsvr2\sys

  2. At the command prompt, change to the drive for the NetWare server, and then make the Public folder the current folder. For example, if the drive is mapped to drive N, type:

    n:

    Then type:

    cd \public

    Note

    If you want to change your password on more than one server, connect to all affected servers before running the setpass command. Setpass is a utility provided by Novell and is not part of Windows 98.

  3. At the command prompt, type setpass.

    If the server on which you want to change your password is different from the one on the current drive, type setpass and the name of the server.

    For example, to change your password on the server named NWSERVE1, type:

    setpass nwserve1

  4. When you are prompted, type your old password, and then type and confirm the new password.
  5. If you are connected to other NetWare servers that also use your old password, these servers are listed, and you are asked if you want to change your password on these servers also.

Using the Windows 98 Password Cache

Keeping track of multiple passwords can be a problem for users. Often, they either forget the passwords or write them down and post lists of passwords near their computers. When this happens, the security policy is no longer doing the job it was meant to do — to allow access to those who should have it and to deny access to those who should not.

Windows 98 solves this problem by storing passwords for resources in a password list file (PWL). This file stores passwords for the following network resources:

The password list file is stored in encrypted form in the Windows folder on the local computer. An unencrypted password is never sent across the network.

Caution

If you delete PWL files, you will lose all previously stored passwords. You will need to retype each password.

Password caching is enabled by default when you install Windows 98. When you access a password-protected resource for the first time, make sure the Save this password in your password list option is selected (it should be selected by default) to save the password to the password list file.

Note

If, during logon, you click Cancel to bypass the logon screen, the cache will not be opened, and you will be prompted for a password each time you attempt to use a protected resource.

You can disable password caching by using System Policy Editor, which is shipped on the Windows 98 compact disc but not automatically installed onto your system during Setup. Use the Add/Remove Programs option in Control Panel to install System Policy Editor.

To install System Policy Editor

  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click Have Disk.
  2. In the Install From Disk dialog box, click Browse and specify the Tools\Admin\Poledit folder on the Windows 98 compact disc.
  3. Click OK, and then click OK again in response to the dialog boxes.
  4. In the Have Disk dialog box, click System Policy Editor, and then click Install.

To disable password caching by using system policies

  1. On the Start menu, click Run.
  2. Type poledit, and then click OK.
  3. In System Policy Editor, double-click the Local Computer icon.
  4. In the Local Computer Properties, click Network.
  5. Click Passwords.
  6. Click the policy named Disable Password Caching.

For more information, see Chapter 8, "System Policies."

Note

If you have any share-level security servers and you disable password caching and are running Client for Microsoft Networks, you should not use the Quick Logon feature in the Network option in Control Panel.

Using Password List Editor

If password caching is enabled, Windows 98 caches passwords in the password list file when you connect to a password-protected network resource. Password List Editor (Pwledit) lets you view the resources listed in a user’s password list (PWL) file. It does not let you view the actual passwords, but lets you remove specific password entries if problems are encountered using a cached password.

Password List Editor works only if the password list file is unlocked, that is, if the user is logged on. It can be used to view only the contents of the logged-on user’s password list file, so you should run it on the user’s computer.

Note

Only users themselves can view or edit their own PWL files.

Password List Editor can be found in the Netadmin\Pwledit folder on the Windows 98 compact disc.

To install Password List Editor

  1. In Control Panel, double-click Add/Remove Programs, click the Windows Setup tab, and then click Have Disk.
  2. In the Install From Disk dialog box, click Browse.
  3. Type the path name to Netadmin\Pwledit\Pwledit.inf, and then click OK.
  4. In the Have Disk dialog box, click Password List Editor, and then click Install.

To run Password List Editor

Using System Policies to Enforce Password Security

You can use system policies to increase security by requiring users to follow specific password guidelines. Using system policies, you can enforce password policies.

For information about restricting settings with system policies, see Chapter 8, "System Policies."