Securing User Accounts and Passwords in Windows

This How-To Geek School class is intended for people who want to learn more about security when using Windows operating systems. You will learn many principles that will help you have a more secure computing experience and will get the chance to use all the important security tools and features that are bundled with Windows. Obviously, we will share everything you need to know about using them effectively.

In this first lesson, we will talk about password security and the different ways of logging into Windows and how secure they are. As the lesson proceeds, we will explain where Windows stores all the user names and passwords you enter while working in this operating system, how safe they are, and how to manage this data.

Moving on in the series, we will talk about User Account Control, its role in improving the security of your system, and how to use Windows Defender in order to protect your system from malware. Then, we will talk about the Windows Firewall, how to use it in order to manage the apps that get access to the network and the Internet, and how to create your own filtering rules.

After that, we will discuss the SmartScreen Filter – a security feature that gets more and more attention from Microsoft and is now widely used in its Windows 8.x operating systems. Moving on, we will discuss ways to keep your software and apps up-to-date, why this is important and which tools you can use to automate this process as much as possible.

Last but not least, we will discuss the Action Center and its role in keeping you informed about what’s going on with your system and share several tips and tricks about how to stay safe when using your computer and the Internet. Let’s get started by discussing everyone’s favorite subject: passwords.

The Types of Passwords Found in Windows

In Windows 7, you have only local user accounts, which may or may not have a password. For example, you can easily set a blank password for any user account, even if that account is an administrator. The only exception is in business networks, where domain policies force all user accounts to use a non-blank password.


In Windows 8.x, you have both local accounts and Microsoft accounts. If you would like to learn more about them, don’t hesitate to read the lesson on User Accounts, Groups, Permissions & Their Role in Sharing, in our Windows Networking series.

Microsoft accounts are obliged to use a non-blank password due to the fact that a Microsoft account gives you access to Microsoft services. Using a blank password would mean exposing yourself to lots of problems. Local accounts in Windows 8.1 however, can use a blank password.

On top of traditional passwords, any user account can create and use a 4-digit PIN or a picture password. These concepts were introduced by Microsoft to speed up the sign-in process for the Windows 8.x operating system. However, they do not replace the use of a traditional password and can be used only in conjunction with a traditional user account password.


Another type of password that you encounter in Windows operating systems is the Homegroup password. In a typical home network, users can use the Homegroup to easily share resources. A Homegroup can be joined by a Windows device only by using the Homegroup password. If you would like to learn more about the Homegroup and how to use it for network sharing, don’t hesitate to read our Windows Networking series.

What to Keep in Mind When Creating Passwords, PINs and Picture Passwords

When creating passwords, a PIN, or a picture password for your user account, we would like you to keep in mind the following recommendations:

  • Do not use blank passwords, even on the desktop computers in your home. You never know who may gain unwanted access to them. Also, malware can run more easily as administrator because you do not have a password. Trading your security for convenience when logging in is never a good idea.
  • When creating a password, make it at least eight characters long, but ideally 12 or even 20 if possible. Make sure that it includes a random mix of upper and lowercase letters, numbers, and symbols. Ideally, it should not be related in any way to your name, username, or company name. Make sure that your passwords do not include complete words from any dictionary. Dictionaries are the first thing crackers use to hack passwords.
  • Do not use the same password for more than one account. All of your passwords should be unique and you should use a system like LastPass, KeePass, Roboform or something similar to keep track of them. Note: obviously you won’t be putting your Windows password into a password manager application, but for every other password, you should probably use one.
  • When creating a PIN, use four different digits to make it slightly harder to crack.
  • When creating a picture password, pick a photo that has at least 10 “points of interest.” Points of interest are areas that serve as landmarks for your gestures. Use a random mixture of gesture types and sequence and make sure that you do not repeat the same gesture twice. Be aware that smudges on the screen could potentially reveal your gestures to others.
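The password recommendations in the list above can be turned into an automated check. The PowerShell function below is an added example, not part of the How-To Geek lesson: it tests a candidate password for length, the four character classes, relation to the user or company name, and embedded dictionary words. The short word list and the sample inputs are constructed for illustration; a real check would load a full dictionary file.

```powershell
# Added example (not from the lesson): checks a candidate password against the
# recommendations above. Word list and sample inputs are constructed.
function Test-PasswordRecommendations {
    param(
        [Parameter(Mandatory)] [string]$Password,
        [string]$UserName = '',
        [string]$CompanyName = '',
        # Constructed stand-in for a dictionary; replace with a real word list.
        [string[]]$Dictionary = @('password','welcome','summer','winter','admin','letmein','dragon')
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # Length: 8 is the minimum, 12 or more is recommended.
    if ($Password.Length -lt 8) {
        $problems.Add("too short: $($Password.Length) characters, minimum is 8")
    } elseif ($Password.Length -lt 12) {
        $problems.Add("only $($Password.Length) characters; 12 or more is recommended")
    }

    # Require all four character classes (-cnotmatch is case-sensitive).
    if ($Password -cnotmatch '[A-Z]')       { $problems.Add('no uppercase letter') }
    if ($Password -cnotmatch '[a-z]')       { $problems.Add('no lowercase letter') }
    if ($Password -notmatch  '[0-9]')       { $problems.Add('no digit') }
    if ($Password -notmatch  '[^A-Za-z0-9]') { $problems.Add('no symbol') }

    # The password must not contain the user name or company name
    # (-like is case-insensitive by default; escape wildcard characters).
    foreach ($related in @($UserName, $CompanyName)) {
        if ($related.Length -ge 3 -and
            $Password -like "*$([WildcardPattern]::Escape($related))*") {
            $problems.Add("contains '$related'")
        }
    }

    # Reject complete dictionary words appearing anywhere in the password.
    foreach ($word in $Dictionary) {
        if ($Password -like "*$([WildcardPattern]::Escape($word))*") {
            $problems.Add("contains dictionary word '$word'")
        }
    }

    [pscustomobject]@{
        Passes   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample inputs for demonstration.
Test-PasswordRecommendations -Password 'Summer2014!' -UserName 'ciprian' -CompanyName 'Contoso'
Test-PasswordRecommendations -Password 'k9#Vt!qL2x@Bn4rW' -UserName 'ciprian'
```

The first sample call is reported as failing on two counts (it is shorter than 12 characters and contains the word "summer"); the second passes every check. Note that the function takes the password as a plain string for simplicity, so use it for evaluating candidates, not for handling a password you are actively using.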

The Security of Your Password vs. the PIN and the Picture Password

Any kind of password can be cracked with enough effort and the appropriate tools. There is no such thing as a completely secure password. However, passwords created using only a few security principles are much harder to crack than others. If you respect the recommendations shared in the previous section of this lesson, you will end up having reasonably secure passwords.

Out of all the login methods in Windows 8.x, the PIN is the easiest to brute force because PINs are restricted to four digits and there are only 10,000 possible unique combinations available. The picture password is more secure than the PIN because it provides many more opportunities for creating unique combinations of gestures. Microsoft has compared the two login options from a security perspective in this post: Signing in with a picture password.

In order to discourage brute force attacks against picture passwords and PINs, Windows defaults to your traditional text password after five failed attempts.

The PIN and the picture password function only as alternative login methods to Windows 8.x. Therefore, if someone cracks them, he or she doesn’t have access to your user account password. However, that person can use all the apps installed on your Windows 8.x device, access your files, data, and so on.

How to Create a PIN in Windows 8.x

If you log in to a Windows 8.x device with a user account that has a non-blank password, then you can create a 4-digit PIN for it, to use it as a complementary login method. In order to create one, you need to go to “PC Settings.” If you don’t know how, then press Windows + C on your keyboard or flick from the right edge of the screen, on a touch-enabled device, then press “Settings.”


The Settings charm is now open. Click or tap the link that says “Change PC settings,” on the bottom of the charm.


In PC settings, go to Accounts and then to “Sign-in options.” Here you will find all the necessary options for changing your existing password, creating a PIN, or a picture password.

To create a PIN, press the “Add” button in the PIN section.


The “Create a PIN” wizard is started and you are asked to enter the password of your user account. Type it and press “OK.”


Now you are asked to enter a 4-digit PIN in the “Enter PIN” and “Confirm PIN” fields.


The PIN has been created and you can now use it to log in to Windows.

How to Create a Picture Password in Windows 8.x

If you log in to a Windows 8.x device with a user account that has a non-blank password, then you can also create a picture password and use it as a complementary login method. In order to create one, you need to go to “PC settings.”

In PC Settings, go to Accounts and then to “Sign-in options.” Here you will find all the necessary options for changing your existing password, creating a PIN, or a picture password. To create a picture password, press the “Add” button in the “Picture password” section.


The “Create a picture password” wizard is started and you are asked to enter the password of your user account.


You are shown a guide on how the picture password works. Take a few seconds to watch it and learn the gestures that can be used for your picture password. You will learn that you can create a combination of circles, straight lines, and taps. When ready, press “Choose picture.”


Browse your Windows 8.x device and select the picture you want to use for your password and press “Open.”


Now you can drag the picture to position it the way you want. When you like how the picture is positioned, press “Use this picture” on the left. If you are not happy with the picture, press “Choose new picture” and select a new one, as shown during the previous step.


After you have confirmed that you want to use this picture, you are asked to set up your gestures for the picture password. Draw three gestures on the picture, in any combination you wish. Please remember that only three types of gesture are available: circles, straight lines, and taps.


Once you have drawn those three gestures, you are asked to confirm. Draw the same gestures one more time. If everything goes well, you are informed that you have created your picture password and that you can use it the next time you sign in to Windows. If you don’t confirm the gestures correctly, you will be asked to try again, until you draw the same gestures twice.


To close the picture password wizard, press “Finish.”

Where Does Windows Store Your Passwords? Are They Safe?

All the passwords that you enter in Windows and save for future use are stored in the Credential Manager. This tool is a vault with the usernames and passwords that you use to log on to your computer, to other computers on the network, to apps from the Windows Store, or to websites using Internet Explorer. By storing these credentials, Windows can automatically log you in the next time you access the same app, network share, or website. Everything that is stored in the Credential Manager is encrypted for your protection.

To access the Credential Manager, you need to open the Control Panel and go to “User Accounts and Family Safety -> Credential Manager.” In Windows 8.x operating systems, the Credential Manager has two main vaults: “Web Credentials” and “Windows Credentials.”

The Web Credentials vault stores the user names and passwords that you use in Windows Store apps, and when you log in to websites in Internet Explorer. Third-party browsers have their own password storing features and do not store their usernames and passwords in the Windows vault.

When you browse through these credentials you will notice that they are displayed in an encrypted fashion and you cannot tell which apps or websites they are used for, nor can you learn the actual login credentials.


In the Windows Credentials vault, Windows stores the login details for your computer, for the Homegroup, and for accessing other computers on the network. These credentials are also encrypted and you cannot learn the passwords that are stored by looking at each entry in the vault.

In Windows 7, the Credential Manager has only one vault – the Windows Vault. Windows 7 doesn’t use a Web Credentials vault for storing the user names and passwords used when browsing the web in Internet Explorer.


How to Add Credentials for Accessing Another Computer on the Network

You can manually add the login credentials for accessing an Internet or network address or another computer on the network. To give you an example of how the whole process works, let’s see how you add the credentials for a network computer whose shared resources you want to access.

In the Credential Manager click the link that says “Add a Windows credential” in the Windows Credential/Windows Vault section.


In the “Add a Windows Credential” window, type the IP address or the name of the network computer you want to access. In the “User name” field, type first the name of that computer, followed by \ and then the user account you will use to log in. In the “Password” field, type the password for that user account. When done, press “OK” and the credentials are now stored and used automatically the next time you access that network computer.


How to Remove Credentials from the Credential Manager

There are scenarios when a computer on your network has changed the password for the user account you have used to access it. In that case, you will no longer want Windows to use those old credentials for accessing that computer. You can easily remove them from the Credential Manager.

Go to the Windows Credentials/Windows Vault section and expand the credentials for that computer, then click the “Remove” button.


You are asked to confirm the deletion of those credentials; press “Yes” and they are removed.


Now you can enter the new credentials in the Credential Manager or you can access that network computer as you normally would, and you will be asked to enter the new ones. Obviously, they will end up being stored in the Credential Manager.

The process for removing credentials for web sites and apps is the same. The only difference is that you need to go to the Web Credentials section.
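The add and remove steps above can also be scripted, which is useful when you manage more than one machine. The PowerShell functions below are an added example, not the lesson's own material: they wrap the built-in cmdkey.exe tool, build the same “computer\user” name the Credential Manager window asks for, and read the password as a SecureString so it is not typed into the shell history. The computer and user names are constructed placeholders.

```powershell
# Added example (not from the lesson): the same add/remove steps done with the
# built-in cmdkey.exe tool. Computer and user names are constructed placeholders.
function Add-NetworkComputerCredential {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,   # IP address or host name
        [Parameter(Mandatory)] [string]$UserName,       # account on that computer
        [Parameter(Mandatory)] [securestring]$Password
    )
    # Same "computer\user" form the "Add a Windows Credential" window expects.
    $qualifiedUser = "$ComputerName\$UserName"

    # Convert the SecureString only at the moment cmdkey needs it, then free it.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # cmdkey receives the password on its command line, which other local
        # processes can observe briefly; run this only on a machine you trust.
        & cmdkey.exe "/add:$ComputerName" "/user:$qualifiedUser" "/pass:$plain" | Out-Null
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
    if ($LASTEXITCODE -ne 0) { throw "cmdkey failed with exit code $LASTEXITCODE" }

    # Verify by listing only this target; cmdkey never prints the password.
    & cmdkey.exe "/list:$ComputerName"
}

function Remove-NetworkComputerCredential {
    param([Parameter(Mandatory)] [string]$ComputerName)
    # Equivalent of expanding the entry in the vault and pressing "Remove".
    & cmdkey.exe "/delete:$ComputerName"
    if ($LASTEXITCODE -ne 0) { throw "cmdkey failed with exit code $LASTEXITCODE" }
}

# Usage with constructed names: prompt for the password so it never lands in
# the shell history, store the credential, then remove it again.
$pw = Read-Host -Prompt 'Password for FILESERVER01\ciprian' -AsSecureString
Add-NetworkComputerCredential -ComputerName 'FILESERVER01' -UserName 'ciprian' -Password $pw
Remove-NetworkComputerCredential -ComputerName 'FILESERVER01'
```

After the add step, the entry appears in the Windows Credentials section of the Credential Manager exactly as if it had been added through the window described above, and the remove step takes it away again; cmdkey /list shows target and user name only, matching what the vault shows in the GUI.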

How to Back Up the User Names and Passwords Stored by Windows

Very few people know that you can manually back up the usernames and passwords stored by Windows in a file that’s encrypted and locked with a password. This file has the extension “.crd” (Credential Backup Files) and you can store it on an external hard drive, a memory stick, or any folder on your computer.

To back them up, click the link that says “Back up Credentials” in the Windows Credentials/Windows Vault section.


The “Stored User Names and Passwords” window is shown. Here, click “Browse,” select the location where you want to save the file, give it a name, and press “Save.”

To go to the next step, press “Next.”


Press “Ctrl + Alt + Delete” to continue your backup on a secure desktop, which cannot be intercepted by remote screenshots or any kind of remote monitoring tool.


The screen will turn black and you will see only the “Stored User Names and Passwords” window. Here you are asked to type a password to protect your file. Type a long password, using the recommendations we made earlier in this lesson, and then press “Next.”


You are now informed that the backup was successful. Your credentials are now stored in the file you have created, in the location you selected.

Press “Finish” to close the wizard.


Now you can use this backup file to restore your usernames and passwords on another computer or on the same computer after you reinstall the operating system.

How to Restore the User Names and Passwords Stored by Windows

If you have a backup file with all the usernames and passwords you have used on a Windows computer, you can use it at any time to restore them, either on the same computer after you have reinstalled the operating system or on another computer that you are using.

To restore your usernames and passwords, go to the Credential Manager and then to the Windows Credentials/Windows Vault section. Look for the link that says “Restore Credentials” and click on it.


The “Stored User Names and Passwords” window is shown. Click “Browse” and select the backup file that you want to use, then press “Next.”


Press “Ctrl + Alt + Delete” to continue the restore on a secure desktop, which cannot be intercepted by remote screenshots or any kind of remote monitoring tool.


The screen will turn black and you will see only the “Stored User Names and Passwords” window. Here you are asked to type the password used to protect your file.

Type it and press “Next.”


You are informed that your credentials have been stored.


Press “Finish” to close the wizard. The usernames and passwords that you have restored will be now used by Windows automatically whenever they are required.

Coming up next …

That’s it for this lesson. In the next episode we will discuss User Account Control (UAC) in Windows, how it works, and why it is important for the security of your system.

Ciprian Adrian Rusen is an experienced technology writer and author with several titles published internationally by Microsoft Press. You can connect with him on 7 Tutorials, Twitter, and Google+ or even buy his books on Amazon.