Operating system security
How to configure password policies in Windows 10
A password is one of the common methods to authenticate user identity. Windows OS comes with various authentication options like PIN, password, fingerprint and token, but the feature used most often is still the password.
In this article, we will look into how to configure password policies in Windows 10. For a standalone computer, the security policies can be configured using local security policy editor or secpol.msc
Type “secpol” in the Windows 10 search bar and click on the resulting applet shown.
Click on the Account Policies setting, followed by the Password Policy option.
Password Policy options.
- Enforce password history: This allows the user to define the number of unique passwords allowed per user before reusing the old password. For example, if the value is set to 5, the user can reuse the first password only after 5 unique password changes. By default, the value is not configured. The allowed value ranges from 0 to 24.
- Maximum password age: Allows the user to set the password duration (in days) after which the user is forced to change the password. For example, if the value is set to 30, the user will be prompted to change the password on the thirty-first day. By default, the value is not configured. The allowed value ranges from 0 to 999. If the value is set to 0, that means the password will never expire.
- Minimum password age: Allows the user to set the duration (in days) that a password must be used before the user changes it. For example, if the value is set to 5, the user can only change the password after 5 days. By default, the value is not configured. The allowed value ranges from 1 to 998. If the value is set to 0, that means the password can be changed immediately.
- Minimum password length: Allows the user to set the minimum length of the password. For example, if the value is set to 8, the minimum length of the password would be 8 characters and no less than that. By default, the value is not configured. The allowed value ranges from 1 to 14. If the value is set to 0, that means the password is not required.
- Password must meet complexity requirement: If this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
- Complexity requirements are enforced when passwords are changed or created. By default, it is set to disable.
- Store passwords using reversible encryption: This allows storing encrypted passwords in a way that it can be decrypted. This is an unsafe setting and must be disabled.
For additional security, we can configure Account Lockout Policy:
Account lockout threshold: The number of failed login attempts allowed before locking the account. For example, if set to 5, the account will be locked after 5 invalid password attempts. By default, the value is not configured. The allowed value ranges from 1 to 999. If the value is set to 0, that means the account will never be locked.- Account lockout duration: The duration (in minutes) for which the account will be locked after triggering the account lockout threshold. For example, if set to 5, the account will be locked for 5 minutes. By default, the value is not configured. The allowed value ranges from 1 to 99999 minutes. If the value is set to 0, that means the account will be locked out until an administrator user unlocks it.
- Reset account lockout counter after: The number of minutes after which the account lockout threshold counter will be reset. For example, if set to 5, the account lockout threshold will reset to 0 after 5 minutes. By default, the value is not configured. The allowed value ranges from 1 to 99999. If the value is set to 0, that means the account will never be locked.
The settings shown in the article can be set using an elevated command prompt also. For example:
- Set maximum password age to 60 days: net accounts /maxpwage:60
- Set minimum password age to 2 days: net accounts /minpwage:2
- Set minimum password length to 8 characters: net accounts /minpwlen:8
- Set account lockout duration to 30 minutes: net accounts /lockoutduration:30
- Set account lockout threshold to 5 bad logon attempts: net accounts /lockoutthreshold:5
- Set reset account lockout counter after to 10 minutes: net accounts /lockoutwindow:10
Conclusion
A secure infrastructure requires the user to use strong passwords. The password should be at least 8 characters long with a combination of letters, special character and numbers. A strong password must be changed regularly to avoid password-guessing attacks.
Source
Password Policy, Microsoft
Learn Windows 10 Host Security
See how your organization can benefit by protecting Windows computers from malware, wireless hacking, open firewall ports and more. What you'll learn:- Authentication mechanisms
- Hardening techniques
- Backup and recovery
- Data security
- And more
In this Series
- How to configure password policies in Windows 10
- Comparing Linux+ and RHCSA/RHCE operating system security certifications
- Android security: Everything you need to know [Updated 2021]
- Application sideloading in Windows 10
- Web Browser Security in Windows 10
- How to use Local Group Policy to secure Windows 10
- How to use Microsoft DirectAccess
- How to protect a Windows 10 host against malware
- CA Installation and Use in Windows 10
- Certificates overview and use in Windows 10
- How to Use Windows 10 Action Center and Security & Maintenance App for Hardening
- Data Security in Windows 10: NTFS Permissions (Standard)
- 6 windows event log IDs to monitor now
- How to audit Windows 10 security logs
- How to audit Windows 10 system logs
- App isolation in Windows 10
- Windows Supported wireless encryption types
- How to use Assigned Access in Windows 10
- Data execution prevention (DEP) in Windows 10
- How to use Windows 10 quick recovery options
- How to use Disk Quotas in Windows 10
- Data Security in Windows 10
- How to use AppLocker in Windows 10
- How to configure internet options for local group policy
- How to configure Windows 10 firewall
- Windows 10 security features
- How To Use Microsoft Edge Security Features
- How to use BitLocker in Windows 10 (with or without TPM)
- Encrypted file system (EFS) in windows 10
- Share permissions in Windows 10
- How to audit windows 10 application logs
- Understanding Windows Services
- Windows 10 Auditing Features
- How to use Protected Folders in Windows 10
- How to configure VPN in Windows 10
- How to configure UAC in Windows 10
- Domain vs workgroup accounts in Windows 10
- Bluetooth security in Windows 10
- Single Sign-On in Windows 10
- Connecting to secure wireless networks in Windows 10
- MAC filtering in Windows 10
- Admin vs non-admin accounts in Windows 10
- Types of user accounts in Windows 10 (local, domain, Microsoft)
- How to use Windows Recovery Environment
- How to use Windows Backup and Restore Utility
- How to use Microsoft passport in Windows 10
- Driver Security in Windows 10
- How to use Credential Manager in Windows 10
- How to configure Picture Passwords and PINs in Windows 10
- How to use credential guard in Windows 10
- Application Management in Windows 10
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Operating system security
Comparing Linux+ and RHCSA/RHCE operating system security certifications
Operating system security
Android security: Everything you need to know [Updated 2021]
Operating system security
Operating system security