In the current Windows version (Vista), as in all previous versions, creating a user account without setting a password is possible. For a personal PC this might be without too much risk, although it is not recommended, even by Microsoft itself. However, for business computers it is necessary to restrict access to the computers, starting with defining a different password for every user account. For the earlier versions of Windows, a lot of resources can be found giving advice how to construct passwords of user accounts. In some extent they contain remarks concerning the suitability of their solution for Windows Vista. But all these resources are not very precise about what kind of passwords the user must use. To assess the protection of passwords, it is very useful to know how effective the widely available applications for cracking passwords. This research analyzes, in which way an attacker is able to obtain the password of a Windows Vista PC. During this research the physical access to the PC is needed. This research shows that password consists of 8 characters with small letter characters and numbers can easily be cracked if it has know usual combinations. Whereas a Dictionary Attack will probably not find unusual combinations. Adding captel letter characters will make the process harder as there are several more combinations, so it will take longer time but is still feasible. Taking into account special characters it will probably take too long time and even most Dictionary Attacks will fail. For rainbow tables the size of the table has to be considered. If it is not too big, even these small passwords cannot be cracked. For longer passwords probably the simplest ones, small letter characters and numbers, can be cracked only. In this case brute force takes too long time in most cases and a dictionary will contain only a few words this long and even the rainbow tables become too large for normal use. They can only be successful if enough limitations are known and the overall size of the table can be limited.
