Change password policy settings


You must be logged on as an administrator to perform these steps.

If your computer is joined to a domain, the password policy comes from Group Policy at the domain level and overrides anything set here, so only your network administrator can change it.

You can help protect your computer by customizing your password policy settings, including requiring users to change their password regularly, specifying a minimum length for passwords, and requiring passwords to meet certain complexity requirements.

  1. Open Local Security Policy by clicking the Start button, typing secpol.msc into the search box, and then clicking secpol. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

  2. In the left pane, double-click Account Policies, and then click Password Policy.

  3. Double-click the item in the Policy list that you want to change, change the setting, and then click OK.

    This table lists the password policy settings that are available, explains how each setting works, and provides a recommendation for each setting.

    Policy: Enforce password history

    What it does

    Prevents users from creating a new password that is the same as their current password or a recently used one. The value is the number of previous passwords Windows remembers (0 to 24). For example, a value of 1 means that only the current password is remembered, and a value of 5 means that the previous five passwords are remembered.

    What we recommend

    Use a number that is greater than 1, and pair it with a minimum password age of at least 1 day. Without the minimum age, a user can cycle through the whole history in a few minutes and land back on the old password.

    Policy: Maximum password age

    What it does

    Sets the maximum number of days (1 to 999) that a password is valid. After this number of days, the user will have to change the password. A value of 0 means passwords never expire.

    What we recommend

    Set a maximum password age of 70 days. Setting the number of days too high gives an attacker who has obtained a password hash a long window in which to crack and use it. Setting the number of days too low frustrates users, who then tend to pick predictable variations of the old password. Note that newer guidance (NIST SP 800-63B, and Microsoft's Windows security baselines since 2019) no longer calls for periodic expiration at all, preferring long passwords and a forced change only when compromise is suspected; whichever approach you follow, the other settings in this table still apply.

    Policy: Minimum password age

    What it does

    Sets the minimum number of days (0 to 998) that must pass before a user can change their password again. It must be less than the maximum password age.

    What we recommend

    Set the minimum password age to at least 1 day. A user can then change their password only once a day, which is what makes the password history effective. For example, if the past five passwords are remembered, at least five days must pass before the user can get back to their original password. If the minimum password age is 0, the user can change the password six times in a row on the same day and be using the original password again within minutes.

    Policy: Minimum password length

    What it does

    Specifies the fewest number of characters a password can have. The Local Security Policy console accepts 0 to 14 (0 means no password is required); recent versions of Windows 10 and 11 can be configured to allow up to 128.

    What we recommend

    Set the length to at least 8 characters (the original range given here is 8 to 12) and require complexity as well. A longer password is more difficult to crack than a shorter one, assuming it is not a word or common phrase, so there is no security reason to stop at 12 if the policy allows more.

    If you are not concerned about someone in your office or home using your computer, a blank password is harder to attack from the Internet or another network than an easily guessed one. This works because, by default, Windows allows local accounts with a blank password to sign in only at the console (the policy "Accounts: Limit local account use of blank passwords to console logon only", under Local Policies, Security Options), so such an account cannot be used for a network logon at all. The trade-off is that anyone with physical access can sign in without any credential, and the protection vanishes if that policy is disabled. Treat a blank password as a last resort for an isolated machine, not as a substitute for a strong password.

    Policy: Password must meet complexity requirements

    What it does

    Requires that new passwords (the rules are checked when a password is set or changed, not against passwords that already exist):

    • Be at least six characters long

    • Contain characters from at least three of these five categories: uppercase letters, lowercase letters, digits (0 through 9), non-alphanumeric characters (punctuation and other symbols), and letters that have no upper or lower case, such as Asian-language characters

    • Not contain the user's account name, or any part of the user's full name longer than two characters, regardless of case

    What we recommend

    Enable this setting. The complexity rules exclude the weakest passwords, but they do not guarantee a strong one: P@ssw0rd satisfies all three checks. Combine them with a minimum length of at least 8.

    Policy: Store passwords using reversible encryption

    What it does

    Stores each password in a form that can be decrypted back to cleartext, which is effectively the same as storing it unencrypted. Anyone who can read the account database (for example, an attacker who has dumped it from the computer or from a domain controller) recovers the passwords directly instead of having to crack hashes.

    What we recommend

    Do not use this setting unless a program you must use requires it (for example, CHAP authentication through remote access, or Digest authentication in IIS). If a single application needs it for a domain account, enable it on that account's properties rather than in the policy for everyone.
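The three complexity checks in the table, re-created as an added PowerShell example so a candidate password can be tested offline. This is not code from the article or from Windows; it implements the documented rules. The account name jsmith, the full name "John Smith" and the sample passwords are constructed for the example.

```powershell
function Test-PasswordComplexity {
    # Re-creates the "Password must meet complexity requirements" checks.
    # Added example; not Windows code.
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$AccountName,  # the account (logon) name
        [string]$FullName = ''                                # the account's full name, may be blank
    )
    $reasons = @()

    # Rule 1: at least six characters.
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule 2: characters from at least three of the five categories.
    $categories = 0
    if ($Password -cmatch '\p{Lu}')               { $categories++ }  # uppercase letters
    if ($Password -cmatch '\p{Ll}')               { $categories++ }  # lowercase letters
    if ($Password -match  '[0-9]')                { $categories++ }  # base-10 digits
    if ($Password -match  '[^\p{L}\p{Nd}]')       { $categories++ }  # non-alphanumeric (symbols, space)
    if ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]') { $categories++ }  # letters with no case (e.g. CJK)
    if ($categories -lt 3) { $reasons += "uses only $categories of the 5 character categories" }

    # Rule 3a: must not contain the whole account name (case-insensitive; account
    # names shorter than three characters are not checked).
    if ($AccountName.Length -ge 3 -and
        $Password.IndexOf($AccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons += "contains the account name '$AccountName'"
    }

    # Rule 3b: must not contain any part of the full name longer than two characters.
    # Windows splits the full name on commas, periods, dashes, underscores, spaces,
    # pound signs and tabs; tokens shorter than three characters are ignored.
    foreach ($token in ($FullName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains part of the full name '$token'"
        }
    }

    New-Object PSObject -Property @{
        Password = $Password
        Meets    = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    } | Select-Object Password, Meets, Reasons
}

# Constructed sample inputs for a user jsmith whose full name is "John Smith".
foreach ($pw in 'P@ssw0rd', 'johnsmith1!', 'Jsmith2024!', 'correct horse battery') {
    Test-PasswordComplexity -Password $pw -AccountName 'jsmith' -FullName 'John Smith'
}
```

Of the four samples, only P@ssw0rd meets the policy: johnsmith1! contains two tokens of the full name, Jsmith2024! contains the account name, and the three-word passphrase draws on just two categories (lowercase letters and the space). That is the limitation to keep in mind: the setting measures character variety and name avoidance, not guessability, which is why it should be combined with a sensible minimum length rather than relied on alone.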

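To audit a computer's current values against the table and then apply the recommended ones without clicking through the console, here is an added PowerShell example (not code from the article). It assumes an elevated prompt on a computer that is not domain-joined (on a domain member, Group Policy overrides these values) and uses temporary file names of its own choosing under $env:TEMP.

```powershell
# Added example: audit the local password policy against the table's recommendations,
# then apply them. Assumes an elevated PowerShell prompt on a computer that is not
# domain-joined; the file names under $env:TEMP are this example's own choice.

$inf = Join-Path $env:TEMP 'local-policy.inf'

function Get-LocalPasswordPolicy {
    # Export the local security policy with secedit and parse the [System Access]
    # section. Only numeric values are kept (entries such as NewAdministratorName are text).
    Remove-Item $inf -ErrorAction SilentlyContinue
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

# The table's recommendations, as tests over the exported values. MaximumPasswordAge
# exports as -1 when passwords never expire (shown as 0 in the console).
$checks = @(
    @{ Name = 'PasswordHistorySize';   Want = 'greater than 1';        Ok = { param($v) $v -gt 1 } },
    @{ Name = 'MaximumPasswordAge';    Want = '1 to 70 days';          Ok = { param($v) $v -ge 1 -and $v -le 70 } },
    @{ Name = 'MinimumPasswordAge';    Want = 'at least 1 day';        Ok = { param($v) $v -ge 1 } },
    @{ Name = 'MinimumPasswordLength'; Want = 'at least 8 characters'; Ok = { param($v) $v -ge 8 } },
    @{ Name = 'PasswordComplexity';    Want = '1 (enabled)';           Ok = { param($v) $v -eq 1 } },
    @{ Name = 'ClearTextPassword';     Want = '0 (disabled)';          Ok = { param($v) $v -eq 0 } }
)

function Show-PolicyAudit($policy) {
    foreach ($c in $checks) {
        $current = $policy[$c.Name]
        $ok = & $c.Ok $current
        $status = if ($ok) { 'OK' } else { 'REVIEW' }
        '{0,-22} current={1,-4} recommended: {2,-22} {3}' -f $c.Name, $current, $c.Want, $status
    }
}

Show-PolicyAudit (Get-LocalPasswordPolicy)

# Apply the recommendations. "net accounts" sets the age, length and history values;
# complexity and reversible encryption have no net accounts switch, so they are
# imported from a minimal security template with secedit /configure.
net accounts /maxpwage:70 /minpwage:1 /minpwlen:8 /uniquepw:5 | Out-Null

$template = Join-Path $env:TEMP 'pwpolicy.inf'
@'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $template -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'pwpolicy.sdb') /cfg $template /areas SECURITYPOLICY | Out-Null

# Re-read the policy: every row should now report OK.
Show-PolicyAudit (Get-LocalPasswordPolicy)
```

The first audit typically shows a fresh installation with no history, no minimum age and no minimum length, all flagged REVIEW; after the net accounts call and the template import, the second audit reports every row OK. Keep the exported INF if you want a record of the previous values, since secedit /configure has no undo.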