Friday, October 8, 2010

Temporarily Lock Your PC if Somebody Tries to Guess Your Password

Have you ever worried that someone could figure out your password by trying different key combinations?  Here’s how you can prevent this by temporarily locking your computer when the password is entered incorrectly a couple of times.

What we’ll do is use Windows security settings to temporarily lock out the account for 30 minutes whenever the wrong password is entered 3 times. This will prevent someone from repeatedly guessing your password, or at least make it take a lot longer.
Important Note: This setting can also let somebody prank you by incorrectly entering the password 3 times and lock you out for 30 minutes. It would be wise to have another administrator account that can unlock the regular account. Either way, use caution with this setting.
Secondary Note: if somebody has physical access to your PC, they can easily reset your Windows password with the Ubuntu Live CD, the System Rescue CD, or the Ultimate Boot CD, unless you are using total drive encryption with TrueCrypt or BitLocker.

Change Your Local Security Policy

To change your password settings, open the Local Security Policy settings dialog.
Please Note: Local Security Policy is only available on Business, Professional, Enterprise, and Ultimate versions of Windows 7 and Vista.  If you’re using Starter, Home Basic, or Home Premium, you’ll need to use the Command Prompt method listed below.
To open Local Security Policy, simply enter it in the Start menu search box and select the correct entry.
Now, double-click Account Policies on the left and select Account Lockout Policy.
By default, your account should not automatically lock out when the password is entered incorrectly.  To change this, double-click on the Account lockout threshold entry.
In this dialog, enter the number of times you want to allow before your account will lock out.  We entered 3, so our account will automatically lock out if the password is entered incorrectly 3 times in a row.  Click Ok to save your settings.
Windows will prompt you to set suggested settings for Account lockout duration and the length of time to Reset account lockout counter.  This will choose 30 minutes by default; you can select another time, or go with the defaults by clicking Ok.
You’ll now see your new settings in the Local Security Policy dialog.  With our settings, our account will be locked for 30 minutes if the password is entered incorrectly 3 times in a row.  If you want to change the settings, simply repeat these steps and enter the new settings you want.

Change Password Settings in Command Prompt

If you’re using a home edition of Windows, or prefer working in command prompt, you can change the password lock settings directly from command prompt.  First, open an Administrative command prompt.  To do this, right-click on the Command Prompt link in the Start menu and select Run as Administrator.
Now, in the command prompt, enter the following:
net accounts
This will list your current password policy, which by default should show Lockout threshold: Never, which means that your account will not lock you out if the password is entered incorrectly.
Let’s change this to automatically lock us out when the password is entered incorrectly.
Please Note: Before you proceed, make sure to complete the full directions, or you could permanently lock your accounts on a Home Premium computer.
To change the setting and make your login automatically lock you out, enter the following, substituting the number at the end with the number of times you want to allow the password to be entered before the account is locked.  Make sure to set this as 1 or more.
net accounts /lockoutthreshold:3
Here we set the account to lock out after the password is entered incorrectly 3 times.
Now, you need to set how long the account will be locked when the password is entered incorrectly.  Enter the following, again choosing any option over 1.  We set our computer to lock for 30 minutes, but you can choose less or more, depending on your needs.
net accounts /lockoutduration:30
Then enter the following to choose how long to wait before the incorrect login count is reset.  We recommend entering the same number you used for the lockout duration.
net accounts /lockoutwindow:30
Once you’re finished, you can enter net accounts again to review your settings.  They should show the values you chose.
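An added example, not from the original article: a PowerShell check that parses net accounts output and flags an incomplete lockout configuration, such as a threshold that is still Never or a duration that is not a number of minutes. It assumes English-language output labels; the function names and the sample text are made up for illustration.

```powershell
# Pull the three "Lockout ..." lines out of `net accounts` output.
function Get-LockoutPolicy {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Lines look like "Lockout threshold:        3" (English labels assumed).
        if ($line -match '^(Lockout [^:]+):\s+(\S+)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# Emit one finding per problem; no output means the policy is complete.
function Test-LockoutPolicy {
    param([hashtable]$Policy)
    $threshold = $Policy['Lockout threshold']
    if (-not $threshold -or $threshold -eq 'Never') {
        'Lockout threshold is not set: password guesses are unlimited.'
        return
    }
    $minutes = @{}
    foreach ($key in 'Lockout duration (minutes)', 'Lockout observation window (minutes)') {
        $n = 0
        if ([int]::TryParse([string]$Policy[$key], [ref]$n) -and $n -ge 1) {
            $minutes[$key] = $n
        } else {
            "$key is '$($Policy[$key])', expected 1 or more minutes."
        }
    }
    if ($minutes.Count -eq 2 -and
        $minutes['Lockout observation window (minutes)'] -gt $minutes['Lockout duration (minutes)']) {
        'Observation window is longer than the lockout duration; the article recommends the same value for both.'
    }
}

# Constructed sample of `net accounts` output, not captured from a real machine.
$sample = @'
Minimum password length:                              0
Lockout threshold:                                    3
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
'@ -split "`r?`n"

# On a live system, replace $sample with the output of: net accounts
$findings = @(Test-LockoutPolicy -Policy (Get-LockoutPolicy -Lines $sample))
if ($findings.Count -eq 0) { 'Lockout policy looks complete.' } else { $findings }
```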
Now you’re all set.  Your account will automatically prevent people from logging in if the password is entered incorrectly too many times.  If you ever want to change or remove the settings, just repeat the steps with the new options you want.
Let’s see how this works in action.

Logging In With The Password Limit

After setting your new password policy, your login experience won’t be much different than before unless you enter your password incorrectly.  The main login screen won’t look any different than before; just select your user account and enter your password as before.
If the password is entered incorrectly, you’ll be prompted that it’s incorrect.  Click Ok, and then go back and enter the password again.
Then, if you enter the password incorrectly more than the number of times you set before, you’ll be prompted that the account is currently locked.  You’ll need to wait the length of time you set before you can log in again.  In our test here, we entered the password incorrectly 3 times, and then had to wait 30 minutes before we could try again.
While this may not make your computer fully secure, it does help keep people from casually snooping on your computer while it’s running.  This will make it much harder for someone to guess your password, since they’ll be blocked out after entering it incorrectly several times. 
Don’t forget that you can quickly lock your computer by pressing Win+L on your keyboard, which is a good idea if you want to keep your data safe when you’re away from your desk.  Also, you can set your computer to automatically switch to the login screen when you’re away if you wish.