Password policies in Windows

To access the password policy in Windows, open Start and type secpol.msc in the search box. Click on secpol and you’ll be presented with the security policy.

Go to Account Policies, then click on Password Policy.

The options, explained:

  • History – how many previous passwords Windows stores (you won’t be able to reuse these passwords)
  • Complexity requirements – if enabled, the Windows complexity requirement states that passwords must be at least 6 characters long, must not contain the username, and must have at least 3 different character types ([a-z], [A-Z], [0-9], special characters)
  • Minimum length – this overrides the length set by the complexity requirement above
  • Store passwords using reversible encryption – self-explanatory; note that if the key used for encryption is lost, the password can be retrieved
  • Maximum age – how long (in days) until the user is forced to change the password
  • Minimum age – a very interesting option! If left at 0, you can change the password as many times as you like in one day. The problem arises in conjunction with History. If, for example, History is set to 5, a user can change the password 6 times in one day and reuse the original password.
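
The same settings can be checked from a script instead of the console. The following is an added example, not part of the original page: it parses the `[System Access]` section of a `secedit` policy export and flags the Minimum age / History combination and reversible encryption described above. The function names are hypothetical and the sample export is constructed for illustration.

```powershell
# Added example. The [System Access] values below are constructed sample data.
# On a live system, from an elevated prompt, replace $sample with a real export:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $sample = Get-Content "$env:TEMP\secpol.inf"
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 5
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

# Collect the numeric settings of the [System Access] section into a hashtable.
function Get-PasswordPolicy {
    param([string[]]$Lines)
    $policy = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    $policy
}

# Flag the two risky settings described in the list above.
function Test-PasswordPolicy {
    param([hashtable]$Policy)
    if ($Policy['PasswordHistorySize'] -gt 0 -and $Policy['MinimumPasswordAge'] -eq 0) {
        $n = $Policy['PasswordHistorySize']
        "History is $n but Minimum age is 0: $($n + 1) changes in one day bring back the original password"
    }
    if ($Policy['ClearTextPassword'] -eq 1) {
        'Store passwords using reversible encryption is enabled'
    }
}

$policy = Get-PasswordPolicy -Lines $sample
$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Test-PasswordPolicy -Policy $policy
```

In the export, `PasswordHistorySize` corresponds to History, `ClearTextPassword` to reversible encryption, and the two `...PasswordAge` values to Minimum and Maximum age.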

