
How to configure password policies in Windows 10

July 29, 2020 by Satyam Singh

A password is one of the common methods to authenticate user identity. Windows OS comes with various authentication options like PIN, password, fingerprint and token, but the feature used most often is still the password. 

In this article, we will look at how to configure password policies in Windows 10. On a standalone computer, the security policies are configured with the Local Security Policy editor (secpol.msc).


Type “secpol” in the Windows 10 search bar and click on the resulting applet shown.

Click on the Account Policies setting, followed by the Password Policy option.

Password Policy options.

  • Enforce password history: This allows the user to define the number of unique passwords allowed per user before reusing the old password. For example, if the value is set to 5, the user can reuse the first password only after 5 unique password changes. By default, the value is not configured. The allowed value ranges from 0 to 24.
  • Maximum password age: Allows the user to set the password duration (in days) after which the user is forced to change the password. For example, if the value is set to 30, the user will be prompted to change the password on the thirty-first day. By default, the value is not configured. The allowed value ranges from 0 to 999. If the value is set to 0, that means the password will never expire.
  • Minimum password age: Allows the user to set the duration (in days) that a password must be used before the user changes it. For example, if the value is set to 5, the user can only change the password after 5 days. By default, the value is not configured. The allowed value ranges from 1 to 998. If the value is set to 0, that means the password can be changed immediately.
  • Minimum password length: Allows the user to set the minimum length of the password. For example, if the value is set to 8, the minimum length of the password would be 8 characters and no less than that. By default, the value is not configured. The allowed value ranges from 1 to 14. If the value is set to 0, that means the password is not required.
  • Password must meet complexity requirements: If this policy is enabled, passwords must meet the following minimum requirements:

    • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
    • Be at least six characters in length
    • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphabetic characters (for example, !, $, #, %)
    • Complexity requirements are enforced when passwords are changed or created. By default, this policy is disabled.
  • Store passwords using reversible encryption: This stores passwords in a form that can be decrypted back to the plaintext, so anyone who obtains the stored data can recover the passwords. This is an unsafe setting and must be disabled.

For additional security, we can configure Account Lockout Policy:

  • Account lockout threshold: The number of failed login attempts allowed before locking the account. For example, if set to 5, the account will be locked after 5 invalid password attempts. By default, the value is not configured. The allowed value ranges from 1 to 999. If the value is set to 0, that means the account will never be locked.
  • Account lockout duration: The duration (in minutes) for which the account will be locked after triggering the account lockout threshold. For example, if set to 5, the account will be locked for 5 minutes. By default, the value is not configured. The allowed value ranges from 1 to 99999 minutes. If the value is set to 0, that means the account will be locked out until an administrator user unlocks it.
  • Reset account lockout counter after: The number of minutes after which the account lockout threshold counter will be reset. For example, if set to 5, the account lockout threshold will reset to 0 after 5 minutes. By default, the value is not configured. The allowed value ranges from 1 to 99999. If the value is set to 0, that means the account will never be locked.
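The policy values above can also be audited from a script instead of by clicking through secpol.msc. The following PowerShell script is an added example, not part of the original article: it exports the effective local security policy with secedit.exe (the same settings the Local Security Policy editor shows), reads the [System Access] section of the exported INF file, and compares each value against a baseline. The baseline numbers are assumptions taken from this article's own recommendations (8-character minimum, complexity on, reversible encryption off, 5-password history, lockout after 5 failures); the INF key names (MinimumPasswordLength, PasswordComplexity, ClearTextPassword, PasswordHistorySize, LockoutBadCount) are those written by secedit. Run it from an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example (not from the original article): export the effective local
# security policy with secedit.exe and compare the [System Access] values to
# the thresholds recommended in the article. Requires an elevated prompt.

# Baseline values are assumptions based on the article's recommendations.
$Baseline = @{
    MinimumPasswordLength = 8      # at least 8 characters
    PasswordComplexity    = 1      # "must meet complexity requirements" enabled
    ClearTextPassword     = 0      # reversible encryption disabled
    PasswordHistorySize   = 5      # remember the last 5 passwords
    LockoutBadCount       = 5      # lock the account after 5 bad attempts
}

function Get-LocalSystemAccessPolicy {
    # secedit writes an INI-style file; only the [System Access] section is read.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $section = $null
        $result  = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -ne 'System Access') { continue }
            # Values are integers; MaximumPasswordAge may be -1 ("never expires").
            if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $result[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $result
    }
    finally {
        # The export contains policy data only, but do not leave it behind.
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-PasswordPolicyBaseline {
    param([hashtable]$Policy, [hashtable]$Expected)
    $findings = foreach ($name in $Expected.Keys) {
        $actual = $Policy[$name]
        # ClearTextPassword must be exactly 0 and PasswordComplexity exactly 1;
        # the remaining thresholds must be at least the baseline value.
        $ok = switch ($name) {
            'ClearTextPassword'  { $actual -eq 0 }
            'PasswordComplexity' { $actual -eq 1 }
            default              { ($null -ne $actual) -and ($actual -ge $Expected[$name]) }
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = $ok
        }
    }
    return $findings
}

$policy = Get-LocalSystemAccessPolicy
Test-PasswordPolicyBaseline -Policy $policy -Expected $Baseline | Format-Table -AutoSize
```

A setting that has never been configured shows up in the export with its default value (for example LockoutBadCount = 0, meaning the account is never locked), so a missing or zero value is reported as non-compliant rather than silently skipped.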

The settings shown in this article can also be set from an elevated command prompt. For example:

  • Set maximum password age to 60 days: net accounts /maxpwage:60
  • Set minimum password age to 2 days: net accounts /minpwage:2
  • Set minimum password length to 8 characters: net accounts /minpwlen:8
  • Set account lockout duration to 30 minutes: net accounts /lockoutduration:30
  • Set account lockout threshold to 5 bad logon attempts: net accounts /lockoutthreshold:5
  • Set reset account lockout counter after to 10 minutes: net accounts /lockoutwindow:10
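The net accounts switches above can be combined in a single call and then read back to confirm the change took effect. The following PowerShell script is an added example, not part of the original article: it applies the article's sample values in one net accounts invocation and then parses the "Label: value" lines that net accounts prints to verify each one. The /uniquepw switch (password history length) is a real net accounts option that the article does not mention; the default of 5 for it is an assumption. The verification step relies on the English-language labels printed by net.exe, so on a localized Windows build the label strings would need adjusting. Run from an elevated PowerShell prompt; pass -WhatIf to see the command without applying it.

```powershell
# Added example (not from the original article): apply the article's sample
# values with net.exe in one call, then read them back from "net accounts"
# to confirm the change. Requires an elevated prompt.

function Set-LocalAccountPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$MaxPasswordAgeDays     = 60,  # /maxpwage
        [int]$MinPasswordAgeDays     = 2,   # /minpwage
        [int]$MinPasswordLength      = 8,   # /minpwlen
        [int]$PasswordHistory        = 5,   # /uniquepw (assumed value; not in the article)
        [int]$LockoutThreshold       = 5,   # /lockoutthreshold
        [int]$LockoutDurationMinutes = 30,  # /lockoutduration
        [int]$LockoutWindowMinutes   = 10   # /lockoutwindow (must not exceed the duration)
    )
    $netArgs = @(
        "/maxpwage:$MaxPasswordAgeDays", "/minpwage:$MinPasswordAgeDays",
        "/minpwlen:$MinPasswordLength", "/uniquepw:$PasswordHistory",
        "/lockoutthreshold:$LockoutThreshold",
        "/lockoutduration:$LockoutDurationMinutes",
        "/lockoutwindow:$LockoutWindowMinutes"
    )
    if ($PSCmdlet.ShouldProcess('local account policy', "net accounts $netArgs")) {
        & net.exe accounts @netArgs
        if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
    }
}

function Get-LocalAccountPolicy {
    # Turn the "Label:   value" lines printed by net accounts into a hashtable.
    $policy = @{}
    foreach ($line in (& net.exe accounts)) {
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>\S.*)$') {
            $policy[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    return $policy
}

Set-LocalAccountPolicy
$after = Get-LocalAccountPolicy

# Labels as printed by the English build of net.exe; values are the article's examples.
$checks = @{
    'Maximum password age (days)'          = '60'
    'Minimum password age (days)'          = '2'
    'Minimum password length'              = '8'
    'Lockout threshold'                    = '5'
    'Lockout duration (minutes)'           = '30'
    'Lockout observation window (minutes)' = '10'
}
foreach ($label in $checks.Keys) {
    $status = if ($after[$label] -eq $checks[$label]) { 'OK' } else { 'MISMATCH' }
    '{0,-38} expected {1,-4} actual {2,-8} {3}' -f $label, $checks[$label], $after[$label], $status
}
```

Note that net accounts prints "Never" rather than 0 for an unconfigured lockout threshold and "None" for an empty password history, which is why the comparison is done on the printed strings rather than on integers.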

Conclusion

A secure infrastructure requires users to use strong passwords. A password should be at least 8 characters long and combine letters, numbers and special characters. A strong password must be changed regularly to avoid password-guessing attacks.


Source

Password Policy, Microsoft

Satyam Singh

Satyam is an Information Security Professional, currently working as a Tech Specialist and Team Lead at Paladion Networks. He has 5.5 years of practical experience in this domain, with his main areas of interest being Web and Mobile Application and Network Penetration Testing, Vulnerability Assessment and Infrastructure Security.