Passwords are always a frustrating catch-22 for any organization. Users would prefer to use simple Windows passwords that are easy to remember and type, but you want those passwords to be strong and complex as a way to protect your users and business. If you use Group Policy at your company, you can at least set certain password policies to ensure a minimum level of security. Here’s how. (The following policies can be applied to Windows 7, 8.1, and 10 clients.)
1. Open your Group Policy editor. You may want to test this out on your current computer initially by using the local Group policy editor. You can then segue to your domain’s Group Policy console when it’s time to create and deploy the settings for everyone.
2. At the search field, type gpedit.msc.
3. At the Local Group Policy editor, navigate to the following setting: Computer Configuration | Windows Settings | Security Settings | Account Policies | Password Policy. You’ll find the specific policies that you can set. Let’s review each one.
Enforce password history. This policy restricts users from creating passwords they’ve already used. The purpose is to ensure any previous password that potentially may have been leaked or stolen is not reused. If you enable password history, you can set a specific number of previous passwords that cannot be reused, anywhere from 1 to 24 (Figure A).
Maximum password age. This policy forces users to change their passwords on a regular basis by expiring them after a certain period of time. The default is 42 days, but you can set this to anywhere from 1 day (not advisable!) to 999 days (Figure B).
Though the password expiration policy is one that many organizations use, you may want to think twice about adopting it. Remember that your users don’t like passwords, and forcing them to have to create and remember a new password every few months is yet another burden that may not be necessary or effective. Even Microsoft has come out against this policy, stating that it wants to remove it as a baseline setting in the next version of Windows, specifically Windows 10 and Windows Server 1903, due out in late May.
As Microsoft has argued, the main purpose of password expiration is to ensure that a stolen or hacked password can no longer be used. But if a password has never been stolen, why force users to change it? And if you know a certain password has been stolen, you would change it immediately rather than wait until it expires. Your efforts are better spent configuring and enabling other password policies.
Minimum password age. This policy prevents a user from changing a password too quickly after creating a new one. In some ways, this is a follow-up to the password history setting. The goal is to prevent users from cycling through all their old passwords until they find one allowed by the policy. It’s also designed to thwart hackers who may obtain an existing password and then reset it to one of their choosing. You can set it so that the password can be changed after anywhere from 1 day to 998 days (Figure C).
Minimum password length: This policy specifies the minimum number of characters required for a Windows password. You can set the length to anywhere from 1 to 20 characters (Figure D). The longer the password, the more difficult it is for a hacker to guess it through brute force attacks and other means. Many experts recommend a minimum password length of 12 characters, but remember to factor in your other password policies and methods when choosing an appropriate password length for your users.
Password must mean complexity requirements. This policy determines what types of characters are allowed and required for your user passwords (Figure E). If enabled, user passwords must:
- Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
- Be at least six characters in length.
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
When setting this policy in conjunction with the minimum password length, you want to aim for the right balance between security and ease of use. A complex Windows password offers greater protection, but your users may be challenged to remember it along with all the other passwords they likely use. If you do establish a minimum password length and password complexity, you should provide help or tips for your users on how to create a secure password that they can more easily remember and use.
Store passwords using reversible encryption. This policy stores strong passwords using reversible encryption, an option that may be needed for applications that require knowledge of user passwords for authentication. However, this leaves your passwords more vulnerable, so you’ll want to keep this policy disabled unless absolutely necessary (Figure F).
These are the core password policies, though you will find other password-related settings in Group Policy, including the ones for Account Lockout Policy and those for Security Options under Local Policies.