In this article we will look at best practices for choosing a password, how to configure Outlook Express to remember your passwords, and what to do if Outlook Express forgets them.
Choosing a Password
Security experts agree that "best practice theory" requires that a password:
- Is typed manually each and every time it is required and
- Is random and
- Is unique and used in only one place and
- Is at the very least eight characters long, but fourteen or more is better and
- Contains a mix of upper and lowercase letters and at least one numeral or symbol (such as a punctuation mark) and
- Is changed regularly and frequently
These suggestions are based on a bit of common sense and a lot of complicated mathematical algorithms. They are designed not only to prevent someone guessing the password, but also to make it almost impossible for a computer program to crack the password. But the same experts readily acknowledge that what is best in theory is not always best in practice. If passwords are made too long or complicated to remember easily, it is highly likely that the user will write the password on a piece of paper and hide it, usually in an obvious spot quite close by the computer such as in the top drawer, under the keyboard or, far worse but surprisingly common, on the side of the monitor.
Passwords You Should Not Choose
Do not use a password if it:
- Can be found in the dictionary, including a foreign language dictionary
- Is a proper name, including your own or that of your ISP
- Is your birthday, anniversary or other important date that others might guess or discover in your papers
- Is your address, bank account or credit card number, passport number, or in fact any number that is used on any type of identification card
- Consists only of numbers or only of letters instead of a mix of numbers, letters and symbols, or
- s the name of your favorite pet, as that is often used as a hint question when you have forgotten a password
One increasingly popular solution to long and complicated passwords is to use a pass phrase instead. So instead of a password like "a4yIQX5!0," you might use something like "all cows can fly." Not only is a pass phrase easier to remember, it is also likely to be much longer yet still easy to type. Avoid common phrases however, such as "to be or not to be." Even substituting numbers or characters for letters does not make it very difficult for a dedicated cracker to guess that phrase. If you are interested in a much more detailed and highly technical discussion of passwords and pass phrases, there is an excellent three-part article on the Microsoft TechNet Web site, The Great Debates: Pass Phrases vs. Passwords.
High Marks for Bad English
Composing a password or pass phrase is perhaps the only time when it pays to spell incorrectly, provided your misspellings are not common ones. For the strongest possible pass phrase, combine misspelling with bad grammar, and make some character substitutions, as in "one never dusn't kn0w, do 1?"
Whether you use multiple Identities in Outlook Express or not, you can protect your Identity with a password if you choose. Many users choose not to do so because they do not share their computer with others, or because they rely on their Windows logon password to prevent other users from seeing their files. The Identity password is designed for minimal privacy and not strong security. While it will stop a casual user from opening your Outlook Express Identity, it is still very easy for a knowledgeable user to access your message store without having to enter your Identity password. Identity passwords are also limited to 15 characters or less, so using a long pass phrase is not possible. For strong security you should use password-protected Windows User accounts instead of Outlook Express Identities.
Windows XP Service Pack 2 (SP2) makes an important change regarding Identity passwords. Prior to SP2, if you use a password for your Identity you are not prompted again for the password even if you close and then re-open Outlook Express. This is because your Identity remains logged on. In order to be prompted for the password when Outlook Express starts, you have to close Outlook Express by clicking Exit and Log Off Identity on the File menu, rather than by simply closing the window as you normally do. After installing SP2, Outlook Express will always prompt for the password when it starts regardless of whether your Identity has logged off.
To add, change or remove an Identity password:
- On the File menu, click Identities, then click Manage Identities
- Double-click the Identity you wish to edit
- Clear the check box labeled "Require a password."
Outlook Express can remember the passwords of some or all of your e-mail and news accounts so that you don't have to type them each time you check for new messages or open a news folder. This is configured on each account's Server Properties page.
To administer an account's passwords:
- Click Accounts on the Tools menu
- Double-click the account you wish to change
- Click the Servers tab
The Server Properties page allows you to configure an account's passwords. To make Outlook Express remember the password for the account, simply check the box labeled Remember password.
If you forget your Identity password, you will not be able to recover it. Furthermore, since account passwords are stored in the Windows registry under a particular Identity, even if you have never used more than one Identity, you will also be unable to recover their passwords. You only option is to create a new Identity from the Identity logon window, re-enter your accounts information, and then import your mail folders as follows:
- On the File menu, click Import, then click Messages
- Select "Microsoft Outlook Express 6" from the list and click Next.
- Select Import mail from an OE6 store directory and click OK
- Browse to the original Identity's store folder
- Select the folders to be imported and click Next
- When the import process is complete click Finish to close the import wizard.
To remove the original Identity you will have to edit the Windows registry. This is best left to experienced users.
It sometimes happens that Outlook Express stops remembering account passwords. This can be caused by anti-virus e-mail scanners. Disabling the e-mail scan usually corrects this problem, but you will probably have to re-enter the account settings on the Servers Properties page and verify the Remember Password box is still checked.
If Outlook Express still cannot remember passwords, the problem probably lies in the Windows Protected Storage Service. You should first verify that the service is running:
- On the Start menu, click Control Panel
- Double click Administrative Tools to open it
- In the Administrative Tools window double click Service to open it
- On the right pane, scroll down and see if Protected Storage status is Started
- If the status is not Started, double click on it
- Set the Startup type to Automatic and click OK
- Restart your computer.
If the problem continues, the registry entries for the Protect Storage are probably damaged. The solution involves careful editing of the registry, and is explained in detail in these Knowledge Base articles.Outlook Express and Outlook repeatedly prompt you for your password when you check messages on an Exchange Server-based computerSave password setting not retained in Outlook or Outlook Express
If you forget an account password, there is little that can be done by the online community or Windows Product Support. You will have to contact your ISP or account owner and request a new password.