MDofPC - How to manage your own account and password in Windows Vista

Assigning a Picture to a User Account

You can personalize your account by assigning a picture to it. The picture appears on the Welcome screen so all users of the computer see it and on the Start menu. Even the Guest user can change their picture. The picture for a user’s account can be of the BMP, GIF, JPG, PNG, or TIF file type. Windows shrinks the picture down to the appropriate size, but you’ll need to take care of any cropping or rotating first. Windows Photo Gallery can handle the rotation. Paint can handle both rotation and cropping, together with capturing a still picture from a webcam. See Article 6 for a brief discussion of Paint, and Article 23 for a discussion of Windows Photo Gallery. To change the picture for a user, follow these steps from the Change an Account window:

1. Click the Change the Picture link. Windows displays the Choose a New Picture for Username’s Account window where Username is the user’s name.

2. Choose the picture you want:

• To use a built-in picture, click it in the list box, and then click the Change Picture button.

• To use a picture of your own, click the Browse for More Pictures link. Windows displays an Open dialog box. Navigate to the picture you want to use, select it, and then click the Open button. Windows applies the picture to your account.

Click the Start button to check out how your picture looks on the Start menu. Now disconnect your session so that you can see how the picture looks on the Welcome screen.

Changing Your Own Account’s Picture Quickly

To change the picture for your user account, click the picture at the top of the Start menu. Windows displays the User Accounts window with the Make Changes to Your User Account screen showing. Click the Change Your Picture link.

Applying a Password to an Account

Windows Vista encourages you to create a password for the Administrator account that you create during setup, but after that you’re free to create Administrator accounts or Standard accounts without a password. For security, you should require a password for each account except for the Guest account, which can’t have a password, but which you can turn off. If you don’t require a password for an account, anyone can log on to that account. If it’s an Administrator account, whoever logs on can make major changes to Windows, such as creating other user accounts. To make Windows require passwords, take these steps from the Change an Account window:

1. Click the Create a Password link. Windows displays the Create a Password for Username’s Account window where Username is the user’s name. If you’re creating a password for your own account, you get the same text boxes but not the warnings.

2. Type the password in the New Password text box and the Confirm New Password text box. For security is someone looking over your shoulder?, Windows displays each character as an asterisk *.

3.If you think it appropriate, enter a password hint in the Type a Password Hint text box. Anybody trying to log on to the computer can display the password hint, so you need to tailor it carefully to the person. The password hint must mean something to the user without meaning anything to anyone else. It’s much easier to get this wrong than right. For security, do not use password hints, but create a password reset disk for each user.

4. Click the Create Password button. Windows applies the password to the account. If the two instances of the password didn’t match, Windows tells you so and returns you to the Create Password window. When you require passwords, Windows prompts the user for a password when they click their name on the Welcome screen. The user can click the Password Hint link to display the hint for the password. When a user account is password protected, Windows displays Password protected under the account type on the User Accounts screens. One problem that can occur with passwords is having the Caps Lock feature switched on, either when you’re creating the password or when you’re subsequently entering it. Windows does its best to warn you if the Caps Lock key is on when you’re entering a password, but if you miss the warnings, double-check Caps Lock first if Windows won’t accept your password. On keyboards with an embedded numeric keypad, such as those on most notebooks, you can give yourself a similar problem by having the Num Lock feature on while typing the password. Windows won’t warn you about this.

Passwords Are a Must

Passwords are more or less mandatory in any serious business setting, and they can be a good idea in many family or dorm situations as well. Even if everybody who can directly access your computer is above suspicion, you should also protect it against attack by remote malefactors across the Internet. Passwords are a major element in such protection, as is Windows Firewall. Unfortunately, Windows doesn’t have a high-security arrangement for implementing passwords. Ideally, there’d be a setting that you the Administrator user could set that would make each user apart from the Guest user create a password for their account the next time they used the computer. Each user would then create a password that only they would know, and the computer would be secure against unauthorized users logging on. Each user would be able to change their password whenever they wanted to or, better, would be made to change the password frequently and wouldn’t be able to remove password protection from the account. The Business versions of Windows Vista work somewhat like this, but the Home versions are less well protected. Given that Windows doesn’t have this ideal security arrangement, here’s what you should do:

1. As soon as you create a user account, assign a password to it. Write the password down, and give it to the user who will use the account. Tell the user to change the password

immediately, so that you don’t know the password. Don’t use a password hint.

2. If your computer already has a user account that doesn’t use a password, persuade the user to add a password immediately. Stress the beneﬁts of having a strong password that only the user knows.

3. If you suspect that your password has been compromised, change it immediately. Have all other users do the same.

4. Disable the Guest account. If a visitor needs to use the computer once, turn on the Guest account for as short a time as possible, and then turn it off again. Instead of making users create their own passwords, it’s possible to create passwords for a user yourself from an Administrator account. This method has two disadvantages. First, you know the passwords so the user will need to change the password as soon as possible. Second, and much worse, the user loses all the personal certificates they’ve stored, together with any passwords they’ve saved for network resources such as folders and printers and for websites. To avoid losing this information, it’s best to create the password before the user has used their account.

Removing Password Protection from an Account

Any user can remove the password protection from their own user account as follows:

1. Click the Start button, and then click your picture at the top of the Start menu. Windows opens the User Accounts window.

2. In the Make Changes to Your User Account list, click the Remove Your Password link. Windows displays the Remove Your Password window shown here.

3. In the Current Password text box, type your current password to verify your identity.

4. Click the Remove Password button. Windows removes the password and displays the User Accounts window again.

Encourage all users of your computer never to remove their passwords, because even one user account without a password opens the whole computer to attack. Just as an Administrator user can apply password protection to another user’s account, so they can remove it. But the same problem applies to removal as to application: The user loses all the personal certificates they’ve stored, together with any passwords they’ve saved for network resources such as folders and printers and for websites. So if you need to remove password protection from an account, it’s far better to have the users do it themselves.

How - and Why - to Create Secure Passwords

If you use passwords - and you should, if you value your data - it’s vital to make sure that they’re effective. You wouldn’t believe the number of people who don’t understand why passwords are important and who see them as an irritant. Actually, you might believe that. But would you believe that between 90 and 95 percent of all passwords are the same 100 words? This is what some security experts estimate based on the passwords they see in daily use. Crackers malevolent hackers try these popular passwords first when trying to guess a password because they work so often.

To create a secure password, it helps to understand how crackers go about breaking a password. The most common method is to use a dictionary attack. The attacker runs a script that tries to match each word in a specified “dictionary” with your password until it gets a hit. The dictionary can be in any language or a mixture of languages, and will usually contain all popular passwords in all major languages at its beginning. The dictionary isn’t so much a dictionary in the conventional sense as a list of words arranged in some kind of descending order of probability - most likely words first.

Dictionary attacks are often effective. But if the would-be victim has created a tough password by using the methods described below, the cracker may resort to social engineering - the art of extracting passwords from the unsuspecting by posing as someone in authority for example, as a system administrator or a troubleshooter for your ISP. Again, security experts tend to be amazed by how freely many users give up their passwords over the phone. Even worse, in an April 2004 survey of office workers in the UK, 71 percent traded what they claimed was their computer password for a chocolate egg. You have to hope that most of them lied.

To keep your password secure, never write it down and if you must write it down, don’t stick the paper containing it onto your computer or monitor and never tell anyone else what it is. You are the only person who ever needs to know your password. No ISP and no system administrator should need to be given your password, over the phone or in person. ISP personnel and system administrators may need to reset your password or assign you a new password - for example, if you forget your password. In this case, they’ll give you the new password. You then log on with it and create a new, secure password for yourself immediately. At least, that’s the theory.

Follow these rules to create a secure password:

• Create a password of an appropriate length. Windows, many ISPs, and most services will let you create passwords of any length between 6 characters and 15 characters. Treat 6 characters as the absolute minimum. Aim for a password of at least 8 characters, and more like 12 if you’re feeling insecure. Passwords of 5 characters or fewer are relatively easy to crack by brute force; passwords of 6 characters are much harder; and longer passwords are much harder yet. If you’re allowed to create a password of any length, be sensible and limit the password to a length that you can remember and type without undue stumbling.

• Never use a real word in any language for a password. Real words can be broken easily by a dictionary attack.

• Instead, use symbols @, $, %, ^, !, &, and so on as substitute characters in a word or phrase, or reduce a phrase or sentence to its initial letters or key letters. Mix letters and numbers. Use uppercase and lowercase creatively passwords are case sensitive. Alternatively, open a text editor, close your eyes, and type randomly for a few seconds, making sure to hold down the Shift key at intervals. Then pick a particularly cryptic part of the result to use as a password.

• Never use any example password that you see, no matter how compelling it may seem. For example, books on security provide example passwords. These may look wonderfully cryptic, but you should assume that they’re all known to crackers and included in cracking dictionaries.

• Never use information of personal relevance or importance - your pet’s name, a family member’s name, your birthday, your driver’s license number, your social security number, or perhaps the ultimate no-no your credit-card number. Most of these pieces of information can be obtained by trivial searches or the mildest of social engineering, making them near useless as passwords.

• Never use any option that offers to save a password for you. For example, Windows offers to store your dial-up passwords so that you can access your dial-up accounts more easily. These passwords not only let unauthorized users of your computer access your dial-up accounts effortlessly, but also can be cracked easily by commonly available programs.

• Use a different password for each account or program that requires one. That way, if one password is compromised, the others will still be secure.

• As soon as you suspect that a password may have been compromised, change it. Also change any associated passwords.

• Never repeat a password you’ve used in the past. Create an entirely new password each time you change a password.

• Memorize your passwords. Never write them down. If you write a password down, you’ve compromised it. If you must write a password down, keep it in the safest of places. If that place is virtual rather than physical, protect your password stash with another password - a good one.

• Never tell anybody any of your passwords - not even the ones you’ve stopped using. They might be able to use these passwords to guess at your newer passwords.

If you can follow the simple advice in this list, you’ll be ahead of 99 percent of the computer-using population - and much more secure than any of them.

That said, be warned that no password is totally secure. Any password can be broken by an attacker who has sufficient time, determination, and computer operations. But most crackers will not be prepared to spend more than a few minutes or, at the most, hours on any given password, and will swiftly move on to other targets. So your goal is to keep your passwords secure against random attackers, not against the NSA. If the NSA is on your case, you’ll have much worse things to worry about than whether your passwords are strong enough. To remove password protection from an account, follow these steps:

1. On the Change an Account screen, click the Remove Password link. Windows displays the Remove Password window shown here, which warns you of what the user will lose.

2.Click the Remove Password button. Windows removes the password, and then returns you to the Change an Account screen.

Creating a New Password for a User

If a user forgets their password, they won’t be able to log on to Windows. They’ll need to get an Administrator user to create a replacement password for them. But again, as with applying and removing passwords, the user loses all the personal certificates they’ve stored, together with any passwords they’ve saved for network resources such as folders and printers and for websites. To create a replacement password for another user, log on as an Administrator user and follow these steps:

1. On the Change an Account screen, click the Change Password link. Windows displays the Change Username’s Password window .

2.Type the password in the New Password text box, type it again in the Confirm New Password text box, and type a password hint if you must.

3. Click the Change Password button. Windows applies the new password and displays the Change an Account window again.

You’re probably thinking that all this losing of the user’s personal certificates and passwords should be avoidable, even if the user is unwise enough to forget their password. And it is avoidable. Read on.

This article was published on Wednesday 03 June, 2009.