Using same password for both Local Admin and Standard accounts?


  1. Posts : 581
    Win10
       #1

    Using same password for both Local Admin and Standard accounts?


    Hi everyone!

    Just need some user account advice here.

    -I am the only person using my machine and no one else.
    -Machine is a Standalone meaning it is not domain-joined.
    -Running BitLocker full encryption with TPM and PIN
    -User account lockout after failed password attempts is Enabled
    -Password is long and complex
    -UAC for both local Admin and Standard accounts is set to Prompt for Credentials on the Secure Desktop

    Here is my question, can I use the same password for both Admin and my Standard accounts?



  2. Paul Black
    Posts : 12,492
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #2

    Hello @win10freak,

    win10freak said:
    -I am the only person using my machine and no one else.
    -Machine is a Standalone meaning it is not domain-joined.
    -Running BitLocker full encryption with TPM and PIN
    -User account lockout after failed password attempts is Enabled
    -Password is long and complex
    -UAC for both local Admin and Standard accounts is set to Prompt for Credentials on the Secure Desktop.

    Here is my question, can I use the same password for both Admin and my Standard accounts?

    If you really need to use passwords, and seeing you are using a long and complex password already, you could just add a character/number to the end of the existing one for the Admin.

    Just a thought!



  4. Posts : 581
    Win10
    Thread Starter
       #4

    Why should I not use the same password for both accounts?

    I'm the only one using the system and rarely log in to my Admin account.

    I can understand using different passwords for business environments with many users, but I'm the only one using my machine.

    Using my standard account for daily work.

  5. Paul Black
    Posts : 12,492
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #5

    win10freak said:
    Why should I not use the same password for both accounts?

    I'm the only one using the system and rarely log in to my Admin account.

    I can understand using different passwords for business environments with many users, but I'm the only one using my machine.

    Using my standard account for daily work.
    Why do you need a Local [ user ] password at all?


  6. Posts : 581
    Win10
    Thread Starter
       #6

    Why do you ask this?

    Because sometimes I just need to lock my laptop without shutting down.

    That might be the reason you asked, because I have a BitLocker PIN as well. But it only asks for it when powering on my laptop.

    - - - Updated - - -

    In my case from my original post, is it fine to use the same password for both Admin and Standard accounts?

  7. zebal
    Posts : 906
    Windows 10 Pro x64 20H2 (Build: 19042.867)
       #7

    win10freak said:
    Why should I not use the same password for both accounts?

    I'm the only one using the system and rarely log in to my Admin account.
    You should not use the same password because that's almost the same thing as not having a standard user account but just using the administrative account.

    There is a technique called "privilege escalation", and if you have the same password you'll make an attacker's job easier.

    Using my standard account for daily work.
    Keep in mind that for this to be most effective you need UAC maxed out, this way "privilege escalation" scenario is less likely.

    If having a separate password for each account is such a problem, make your standard user account password short, e.g. max. 5 characters, because losing control of the standard account isn't a problem at all for the local system; what is important is that the Admin account is min. 8 chars with a complexity policy in place. (Losing the Admin account means losing everything else.)

    If you want to go one step further and make your accounts even more safe make sure user accounts are not enumerated during login or UAC approval.

    Another important step is to prevent keyloggers from capturing your passwords as you type them; to ensure this does not happen, never use the hardware keyboard for the UAC or login prompt, use the virtual keyboard instead.

    If you use remote access to your computer make sure CTRL + ALT + DEL is required prior to logging in.


  8. Posts : 581
    Win10
    Thread Starter
       #8

    Thanks for the detailed explanation.

    I just set a different password for my Admin account.

    I set the UAC for the Standard account to Prompt for Credentials on the Secure Desktop.

    Recently, I did set all user accounts to not show on the Windows login screen meaning that I would have to type in my username and password.

    However, when I just lock my screen, it does show my username. Would that be an issue?

    I know there is also a group policy to not show the username when the session is locked, but is it really needed?

    All other login or sign-in methods do not show username, only when I just lock my laptop.

  9. zebal
    Posts : 906
    Windows 10 Pro x64 20H2 (Build: 19042.867)
       #9

    Here is a complete solution:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Interactive logon: don't display username at sign in (Enabled)
    Interactive logon: Do not require CTRL+ALT+DEL (Disabled)
    Interactive logon: don't display last signed-in (Enabled)
    Interactive logon: Display user information when the session is locked (Do not display user information)
    User Account Control: Behavior of the elevation prompt for standard users (Prompt for credentials on the secure desktop)

    Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
    Enumerate administrator accounts on elevation (Disabled)

    If in addition you want to see a solid background on the logon screen, then:

    Computer Configuration\Administrative Templates\Control Panel\Personalization
    Do not display the lock screen (Disabled)
    Prevent changing lock screen and logon image
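    The following audit script is an added example, not code from zebal or anyone else in this thread. It reads back the registry values that the Local Security Policy and Administrative Template settings listed in posts #7 and #9 write, so you can confirm on a standalone machine that each one is actually in the state zebal recommends (UAC credentials prompt on the secure desktop, no account enumeration, no username on the lock screen, CTRL+ALT+DEL required). The value names and expected data are the mappings I know these policies to use on Windows 10; treat that mapping as an assumption and confirm it against secpol.msc or gpedit.msc on your own build. Run it from an elevated PowerShell prompt; it only reads, it changes nothing.

```powershell
# Added example: audit the logon/UAC hardening settings from the thread by
# reading the registry values those policies write. Mapping of policy name to
# registry value is assumed from Windows 10 defaults; verify on your build.

$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$credUI = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
$person = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'

# One entry per policy: display name, key, value name, expected data, and
# whether an absent value already means the hardened state (policy Disabled
# or Not configured with a safe default). DisableCAD is the exception: on a
# standalone workstation the default is "CTRL+ALT+DEL not required", so the
# value must be present and 0.
$checks = @(
    @{ Name = 'Interactive logon: Don''t display username at sign-in';              Path = $system; Value = 'DontDisplayUserName';       Expected = 1; AbsentOk = $false },
    @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL (Disabled)';         Path = $system; Value = 'DisableCAD';                Expected = 0; AbsentOk = $false },
    @{ Name = 'Interactive logon: Don''t display last signed-in';                   Path = $system; Value = 'DontDisplayLastUserName';   Expected = 1; AbsentOk = $false },
    @{ Name = 'Interactive logon: Display user info when locked (Do not display)'; Path = $system; Value = 'DontDisplayLockedUserId';   Expected = 3; AbsentOk = $false },
    @{ Name = 'UAC: Elevation prompt for standard users (secure desktop creds)';   Path = $system; Value = 'ConsentPromptBehaviorUser'; Expected = 1; AbsentOk = $false },
    @{ Name = 'Enumerate administrator accounts on elevation (Disabled)';          Path = $credUI; Value = 'EnumerateAdministrators';   Expected = 0; AbsentOk = $true  },
    @{ Name = 'Do not display the lock screen (Disabled)';                         Path = $person; Value = 'NoLockScreen';              Expected = 0; AbsentOk = $true  },
    @{ Name = 'Prevent changing lock screen and logon image (Enabled)';            Path = $person; Value = 'NoChangingLockScreen';      Expected = 1; AbsentOk = $false }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LogonHardening {
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Value
        $ok = ($actual -eq $c.Expected) -or ($c.AbsentOk -and ($null -eq $actual))
        [pscustomobject]@{
            Policy   = $c.Name
            Current  = if ($null -eq $actual) { '<absent>' } else { $actual }
            Expected = $c.Expected
            Status   = if ($ok) { 'OK' } else { 'CHECK' }
        }
    }
}

# Any row marked CHECK is a setting that differs from the thread's recommendation.
Test-LogonHardening | Format-Table -AutoSize -Wrap
```

    A row reads CHECK either because the policy was never set or because it was set to the other state; in both cases open the listed policy in secpol.msc or gpedit.msc and re-apply it, then rerun the script. Because the machine here is not domain-joined, nothing will overwrite these values on a Group Policy refresh, so the audit is worth repeating after feature updates.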


  10. Posts : 581
    Win10
    Thread Starter
       #10

    Many thanks for this!

    It's interesting, because if no username is shown on the login or Lock Screen session, then it's still rather easy for a user to find out the username once signed into the machine, such as in the C:\Users directory, the CMD prompt, and from among many other locations.

    Since I will not remotely access my laptop and also have Remote Desktop disabled, do I really need the CTRL+ALT+DEL policy to be set?

