Harden Windows Login Password Policy in Windows 10/8/7

To protect your computer from unauthorized use, Windows 10/8/7 lets you protect it with a password. A strong password is thus the first line of defense as far as your computer's security is concerned.

If you wish to enhance the security of your Windows computer, you can strengthen the Windows Login Password Policy using the built-in Local Security Policy console (secpol.msc). Nested among its many settings is a useful group of options that let you configure the Password Policy for your computer.

Windows Login Password Policy

To open and use the Local Security Policy open Run, type secpol.msc and hit Enter. In the left pane, click on Account Policies > Password Policy. In the right pane you see settings for configuring the Password Policy.

These are some parameters that you can configure. Double click on each to open their Properties box. From the drop-down menu you can choose and select the desired option. Once you have set them, do not forget to click on Apply/OK.

Enforce Password History

Using this policy, you can ensure that users do not simply cycle back to old passwords after a while. This setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. You can set any value between. The default is 24 on domain controllers and 0 on stand-alone servers.

Maximum password age

You can force users to change their passwords after a particular number of days. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. The default is set at 42 days.

Minimum password age

Here you can enforce the minimum period that any password must be used before it can be changed. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The default is 1 on domain controllers and 0 on stand-alone servers. Although this setting does not by itself make passwords stronger, it prevents users from changing passwords too frequently; without it, a user could change a password several times in quick succession to cycle past the password history and return to a favourite old password.

Minimum password length

This is an important setting, and you may want to enforce it to make password-guessing attempts harder. You can set a value between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. The default is 7 on domain controllers and 0 on stand-alone servers.

You can also choose to enable two more settings, if you wish. Once you have opened their respective Properties boxes, select Enabled and click Apply to enable the policy.

Password must meet complexity requirements

This is another important setting to use, since it makes passwords more complex and therefore harder to compromise. If this policy is enabled, passwords must meet the following minimum requirements:

  1. Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  2. Be at least six characters in length
  3. Contain characters from three of the following four categories:
     - English uppercase characters (A through Z)
     - English lowercase characters (a through z)
     - Base 10 digits (0 through 9)
     - Non-alphabetic characters (for example, !, $, #, %)

Store passwords using reversible encryption

This security setting determines whether the operating system stores passwords using reversible encryption. Storing passwords using reversible encryption is essentially the same as storing plain-text versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

Account Lockout Policy in Windows

To further strengthen the Password Policy, you can also set the lockout durations and thresholds, as this will stop potential hackers in their tracks after a particular number of failed attempts. To configure these settings, in the left pane, click on Account Lockout Policy.

Account lockout threshold for Invalid logins

This policy controls how many invalid logon attempts are allowed before the account is locked out. The default is 0 (accounts are never locked out), but you can set a figure between 0 and 999 failed logon attempts.

Account lockout duration

Using this setting, you can fix the number of minutes a locked-out account remains locked out before it is automatically unlocked. You can set any figure between 0 minutes and 99,999 minutes. This policy has to be set along with the Account lockout threshold policy.

Read: Restrict the number of Login attempts in Windows.

Reset account lockout counter after

This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. This policy, too, has to be set along with the Account lockout threshold policy.
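The Password Policy and Account Lockout Policy settings above can also be audited from an elevated PowerShell prompt, which is handy for checking many machines. The script below is an added example, not from the original post: it exports the local policy with secedit, parses the [System Access] section and compares each value with a hypothetical hardening baseline (the target numbers are assumptions, not values the post prescribes). On a domain-joined computer, remember that domain Group Policy overrides these local settings.

```powershell
# Added example: audit local Password / Account Lockout Policy against a baseline.
# secedit exports [System Access] in the same units the UI uses (days, minutes).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse only the [System Access] section into key = value pairs.
$current = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $current[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -Force

# Hypothetical baseline: key -> @(expected value, comparison operator).
$baseline = @{
    PasswordHistorySize   = @(24, 'ge')   # Enforce password history
    MaximumPasswordAge    = @(42, 'le')   # Maximum password age (days); -1 in the INF = never expires
    MinimumPasswordAge    = @(1,  'ge')   # Minimum password age (days)
    MinimumPasswordLength = @(12, 'ge')   # Minimum password length
    PasswordComplexity    = @(1,  'eq')   # Password must meet complexity requirements
    ClearTextPassword     = @(0,  'eq')   # Store passwords using reversible encryption: must stay off
    LockoutBadCount       = @(5,  'le')   # Account lockout threshold (0 = never lock out)
    LockoutDuration       = @(15, 'ge')   # Account lockout duration (minutes)
    ResetLockoutCount     = @(15, 'ge')   # Reset account lockout counter after (minutes)
}

foreach ($key in ($baseline.Keys | Sort-Object)) {
    $want, $op = $baseline[$key]
    # secedit omits the lockout timers entirely when the threshold is 0, so treat "absent" as a finding.
    if (-not $current.ContainsKey($key)) { "{0,-22} not set   (expected -{1} {2})  [FAIL]" -f $key, $op, $want; continue }
    $have = [int]$current[$key]
    $ok = switch ($op) { 'ge' { $have -ge $want } 'le' { $have -le $want } 'eq' { $have -eq $want } }
    # Sentinels that would otherwise pass a plain 'le' test: "never expires" and "never lock out".
    if (($key -eq 'MaximumPasswordAge' -and $have -le 0) -or ($key -eq 'LockoutBadCount' -and $have -eq 0)) { $ok = $false }
    "{0,-22} current={1,-5} expected -{2} {3}  [{4}]" -f $key, $have, $op, $want, $(if ($ok) { 'OK' } else { 'FAIL' })
}
```

Each line of output names the secedit key, its current value and whether it meets the baseline, so a FAIL maps directly to one of the settings described above.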

Stay safe, stay secure!

Aware of AuditPol in Windows? If not, you might want to read about it.

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.