Change password policy settings
You must be logged on as an administrator to perform these steps.
If your computer is on a domain, only your network administrator can change password policy settings.
You can help protect your computer by customizing your password policy settings, including requiring users to change their password regularly, specifying a minimum length for passwords, and requiring passwords to meet certain complexity requirements.
- Open Local Security Policy by clicking the Start button, typing secpol.msc into the Search box, and then clicking secpol. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
- In the Navigation pane, double-click Account Policies, and then click Password Policy.
- Double-click the item in the Policy list that you want to change.
This table lists the password policy settings that are available, explains how each setting works, and provides a recommendation for each setting.
| Policy | What it does | What we recommend |
| --- | --- | --- |
| Password must meet complexity requirements | Requires that passwords: be at least six characters long; contain a combination of at least three of the following kinds of characters: uppercase letters, lowercase letters, numbers, symbols (punctuation marks); and do not contain the user's user name or screen name. | Enable this setting. These complexity requirements help create a strong password. |
| Enforce password history | Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password is remembered, and a value of 5 means that the previous five passwords are remembered. | Use a number greater than 1. |
| Maximum password age | Sets the maximum number of days that a password is valid. After this number of days, the user must change the password. | Set a maximum password age of 70 days. Setting the number of days too high gives an attacker an extended window of opportunity to crack the password. Setting it too low is frustrating for users who have to change their passwords too frequently. |
| Minimum password age | Sets the minimum number of days that must pass before a password can be changed. | Set the minimum password age to at least 1 day. A user can then change their password at most once a day, which helps enforce the other settings. For example, if the past five passwords are remembered, at least five days must pass before the user can re-use their original password. If the minimum password age is 0, the user can change their password six times on the same day and re-use their original password that same day. |
| Minimum password length | Specifies the minimum number of characters a password must have. | Set the length between 8 and 12 characters (provided that passwords also meet the complexity requirements). A longer password is harder to crack than a shorter one, assuming it is not a word or common phrase. If you are not concerned about someone in your office or home using your computer, however, using no password gives you better protection against someone trying to break into your computer from the Internet or another network than an easily guessed password would, because Windows automatically prevents anyone with no password from logging on to the computer from the Internet or another network. |
| Store passwords using reversible encryption | Stores passwords in a form from which the plain-text password can be recovered, which is effectively the same as storing them unencrypted. | Do not use this setting unless you use a program that requires it. |
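As an added example that is not part of the original page, the following PowerShell function models the three complexity rules listed in the table ("Password must meet complexity requirements"). It is an illustration of the rule as the table states it, not a call into the Windows password filter, and the sample passwords and user names at the bottom are constructed:

```powershell
# Added example (not from the original page): a model of the three complexity rules
# from the table. It mirrors the rule text only; it does not call the Windows password filter.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',   # account name (constructed sample values below)
        [string]$FullName = ''    # screen / display name
    )
    $reasons = @()

    # Rule 1: at least six characters.
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule 2: at least three of the four character categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # numbers
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # symbols / punctuation
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    # Rule 3: must not contain the user name or screen name (case-insensitive).
    foreach ($name in @($UserName, $FullName)) {
        if ($name -and ($Password -imatch [regex]::Escape($name))) {
            $reasons += "contains '$name'"
        }
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample inputs: one that passes and one failure for each rule.
$cases = @(
    @{ Password = 'Tr0ub4dor&3'; UserName = 'jsmith' },                          # passes
    @{ Password = 'Ab1!';        UserName = 'jsmith' },                          # too short
    @{ Password = 'password123'; UserName = 'jsmith' },                          # 2 of 4 categories
    @{ Password = 'Jsmith#2024'; UserName = 'jsmith'; FullName = 'John Smith' }  # contains user name
)
foreach ($case in $cases) { Test-PasswordComplexity @case } | Format-Table -AutoSize
```

The function returns one object per password with a Passes flag and the reasons for a failure, so it can be piped into a report or used in a help-desk script that explains to a user why a chosen password was rejected.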
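To compare a machine's current local password policy with every recommendation in the table, here is an added PowerShell script that is not from the original page. It assumes an elevated prompt, that secedit.exe is available, and that the exported INF uses the standard [System Access] key names; the thresholds are the ones the table recommends:

```powershell
# Added example (not from the original page): export the effective local password policy
# with secedit and compare each setting against the recommendations in the table.
# Run from an elevated PowerShell prompt. On a domain-joined computer the values shown
# are the ones the domain applies; change them through the domain policy, not here.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse "Key = Value" lines from the [System Access] section into a hashtable.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# One check per table row: INF key, the condition the table recommends, and its description.
# MaximumPasswordAge is exported as -1 when passwords never expire, so "1..70" also catches that.
$checks = @(
    @{ Name = 'PasswordComplexity';   Ok = { param($v) [int]$v -eq 1 };                      Want = 'enabled (1)' },
    @{ Name = 'PasswordHistorySize';  Ok = { param($v) [int]$v -gt 1 };                      Want = 'greater than 1' },
    @{ Name = 'MaximumPasswordAge';   Ok = { param($v) [int]$v -ge 1 -and [int]$v -le 70 };  Want = '70 days (never "never expires")' },
    @{ Name = 'MinimumPasswordAge';   Ok = { param($v) [int]$v -ge 1 };                      Want = 'at least 1 day' },
    @{ Name = 'MinimumPasswordLength'; Ok = { param($v) [int]$v -ge 8 };                     Want = '8-12 characters' },
    @{ Name = 'ClearTextPassword';    Ok = { param($v) [int]$v -eq 0 };                      Want = 'disabled (0)' }
)

foreach ($c in $checks) {
    $value  = $policy[$c.Name]
    $status = if ($null -eq $value) { 'MISSING' } elseif (& $c.Ok $value) { 'OK' } else { 'REVIEW' }
    '{0,-8} {1,-22} current={2,-4} recommended={3}' -f $status, $c.Name, $value, $c.Want
}
```

Each line of output marks a setting OK, REVIEW (present but outside the table's recommendation) or MISSING (not in the export, which usually means the policy is not defined locally). The same six values can be read, without the INF parsing, from the output of the built-in `net accounts` command; the script exists to attach the table's recommendation to each one.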