Open Windows Local Security Policy Console
Open Windows Local Security Policy Console
Open the Microsoft Windows Local Security Policy console and navigate to the Password Policies following these steps:
Enforce Password History
Double-click on the Enforce password history policy to open the policy configuration screen.
This setting ensures that a given password can not just be re-used. Set this policy to force a wider variety of passwords and make sure that the same password is not re-used over and over.
You can assign any number between 0 and 24. Setting the policy at 0 means that password history is not enforced. Any other number assigns the number of passwords that will be saved.
Maximum Password Age
Double-click on the Maximum Password Age policy to open the policy configuration screen.
This setting basically sets an expiration date for user passwords. The policy can be set for anything between 0 and 42 days. Setting the policy at 0 is equivalent to setting the passwords to never expire.
It is recommended that this policy be set for 30 or less to ensure user passwords are changed on at least a monthly basis.
Minimum Password Age
Double-click on the Minimum Password Age policy to open the policy configuration screen.
This policy establishes a minimum number of days that must pass before the password is allowed to be changed again. This policy, in combination with the Enforce password hisory policy, can be used to make sure that users don't just keep resetting their password until they can use the same one again. If the Enforce password history policy is enabled, this policy should be set for at least 3 days.
The Minimum Password Age can never be higher than the Maximum Password Age. If the Maximum Password Age is disabled, or set to 0, the Minimum Password Age can be set for any number between 0 and 998 days.
Minimum Password Length
Double-click on the Minimum Password Length policy to open the policy configuration screen.
While it is not 100% true, generally speaking the longer a password is, the harder it is for a password cracking tool to figure it out. Longer passwords have exponentially more possible combinations, so they are harder to break and, therefore, more secure.
With this policy setting, you can assign a minimum number of characters for account passwords.
The number can be anything from 0 to 14. It is generally recommended that passwords be a minimum of 7 or 8 characters to make them sufficiently secure.
Password Must Meet Complexity Requirements
Double-click on the Password Must Meet Complexity Requirements policy to open the policy configuration screen.
Having a password of 8 characters is generally more secure than a password of 6 characters. However, if the 8-character password is "password" and the 6-character password is "p@swRd", the 6-character password will be much more difficult to guess or break.
Enabling this policy enforces some baseline complexity requirements to force users to incorporate different elements into their passwords which will make them harder to guess or crack.
The complexity requirements are:
You can use other password policies in combination with Password Must Meet Complexity Requirements to make passwords even more secure.
Double-click on the Store Passwords Using Reversible Encryption policy to open the policy configuration screen.
Enabling this policy actually makes the overall password security less secure. Using reversible encryption is essentially the same as storing the passwords in plain-text, or not using any encryption at all.
Some systems or applications may require the ability to double-check or verify the user's password to function, in which case this policy may need to be enabled for those applications to work.
This policy should not be enabled unless it is absolutely necessary.
Click on File | Exit to shut down the Local Security Settings console.
You can re-open the Local Security Policy to review the settings and make sure that the settings you chose were properly retained.
You should then test out the settings. Either using your own account, or by creating a test account, try to assign passwords that violate the requirements you just set. You may need to test it a few times to try out the various policy settings for minimum length, password history, password complexity, etc.
Open the Microsoft Windows Local Security Policy console and navigate to the Password Policies following these steps:
- Click on Start
- Click on Control Panel
- Click on Administrative Tools
- Click on Local Security Policy
- Click on the plus-sign in the left pane to open Account Policies
- Click on Password Policy
Enforce Password History
Double-click on the Enforce password history policy to open the policy configuration screen.
This setting ensures that a given password can not just be re-used. Set this policy to force a wider variety of passwords and make sure that the same password is not re-used over and over.
You can assign any number between 0 and 24. Setting the policy at 0 means that password history is not enforced. Any other number assigns the number of passwords that will be saved.
Maximum Password Age
Double-click on the Maximum Password Age policy to open the policy configuration screen.
This setting basically sets an expiration date for user passwords. The policy can be set for anything between 0 and 42 days. Setting the policy at 0 is equivalent to setting the passwords to never expire.
It is recommended that this policy be set for 30 or less to ensure user passwords are changed on at least a monthly basis.
Minimum Password Age
Double-click on the Minimum Password Age policy to open the policy configuration screen.
This policy establishes a minimum number of days that must pass before the password is allowed to be changed again. This policy, in combination with the Enforce password hisory policy, can be used to make sure that users don't just keep resetting their password until they can use the same one again. If the Enforce password history policy is enabled, this policy should be set for at least 3 days.
The Minimum Password Age can never be higher than the Maximum Password Age. If the Maximum Password Age is disabled, or set to 0, the Minimum Password Age can be set for any number between 0 and 998 days.
Minimum Password Length
Double-click on the Minimum Password Length policy to open the policy configuration screen.
While it is not 100% true, generally speaking the longer a password is, the harder it is for a password cracking tool to figure it out. Longer passwords have exponentially more possible combinations, so they are harder to break and, therefore, more secure.
With this policy setting, you can assign a minimum number of characters for account passwords.
The number can be anything from 0 to 14. It is generally recommended that passwords be a minimum of 7 or 8 characters to make them sufficiently secure.
Password Must Meet Complexity Requirements
Double-click on the Password Must Meet Complexity Requirements policy to open the policy configuration screen.
Having a password of 8 characters is generally more secure than a password of 6 characters. However, if the 8-character password is "password" and the 6-character password is "p@swRd", the 6-character password will be much more difficult to guess or break.
Enabling this policy enforces some baseline complexity requirements to force users to incorporate different elements into their passwords which will make them harder to guess or crack.
The complexity requirements are:
- Password must not contain significant portions of the user's account name or full name
- Password must be at least six characters in length
- Password must contain characters from at least three of the following categories:
- Uppercase characters (A through Z)
- Lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Special characters (for example, &, $, #, %)
You can use other password policies in combination with Password Must Meet Complexity Requirements to make passwords even more secure.
Double-click on the Store Passwords Using Reversible Encryption policy to open the policy configuration screen.
Enabling this policy actually makes the overall password security less secure. Using reversible encryption is essentially the same as storing the passwords in plain-text, or not using any encryption at all.
Some systems or applications may require the ability to double-check or verify the user's password to function, in which case this policy may need to be enabled for those applications to work.
This policy should not be enabled unless it is absolutely necessary.
Click on File | Exit to shut down the Local Security Settings console.
You can re-open the Local Security Policy to review the settings and make sure that the settings you chose were properly retained.
You should then test out the settings. Either using your own account, or by creating a test account, try to assign passwords that violate the requirements you just set. You may need to test it a few times to try out the various policy settings for minimum length, password history, password complexity, etc.
