
Password Security Policy

This will be the first in a series of articles covering the many policies that may be configured in Windows Vista. Have an area you'd like to see covered? Need more details? Let me know!

Local Security Policy > Security Settings > Account Policies > Password Policy

Enforce password history

Specifies the number of unique new passwords that must be associated with a user account before an old password can be reused. Valid range is between 0 and 24. This allows control to ensure that old passwords are not continually reused.

In the Windows Vista Local Security Settings this defaults to 1, but keep in mind that computers in a domain follow the configuration of their domain controllers by default. The default is 24 on domain controllers and 0 on stand-alone servers.

To ensure this policy is effective, you should also set the “minimum password age” (see below) so that users cannot keep changing their password until the one they just used falls out of the password history threshold specified here.

Maximum password age

This value represents how many days a password may be used before it expires and must be changed. It defaults to 42 and has a valid range of 1 to 999 days (entering 0 makes passwords never expire). If you also set the “minimum password age” (which can be between 0 and 998), it must be less than this maximum password age value. It is recommended that you set passwords to expire every 30 to 90 days.

Minimum password age

This security setting determines the number of days that a password must be used before the user can change it. The valid range is between 1 and 998 days (and you can also allow changes immediately by entering 0). The default is 0 (allow changes immediately).

This value must be less than the Maximum password age; unless of course the maximum password age is set to 0 (never expire). Remember, for the password history setting to be effective, you must enter a minimum password age of greater than 0.

Important: The default setting is to allow changes immediately. This is in order to support a situation where an administrator can specify a password for a user and then require the user to change the password at next logon. When the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.

Minimum password length

As you’d expect, this security setting specifies the least number of characters a password must contain. The valid range is between 1 and 14 characters (or you can bypass the minimum length requirement by entering 0). The default local setting is 0 (no minimum is enforced). On a domain controller the default minimum is 7; on stand-alone servers the default is 0. When a computer is a member of a domain, its default setting is that of its domain controller.

Password must meet complexity requirements

This security setting determines whether passwords must meet complexity requirements. When enabled, the following minimum requirements for a password must be met:

It cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters

It must be at least six characters in length

It must contain characters from three of the following four categories:

English uppercase characters (A to Z)
English lowercase characters (a to z)
Base 10 digits (0 to 9)
Non-alphabetic characters (such as ?, !, $, #, %)

This is disabled in Windows Vista by default. On domain controllers the default is for it to be enabled, on stand-alone servers the default is for this setting to remain disabled. Again, if the computer is a member of a domain, its default will be based on that of the domain controller’s configuration.
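The complexity rule above can be checked programmatically. The Python below is an added example (not Windows' own password filter), assuming the full name is split into parts on comma, period, hyphen, underscore, space, pound sign and tab, and using a constructed account "jsmith" / "John Smith".

```python
import re
from typing import List

# Separators on which the full (display) name is split into parts; this list is
# an assumption of this example, not something the article spells out.
NAME_SEPARATORS = re.compile(r"[,.\-_ #\t]+")

# The four character categories from the policy; "non-alphabetic" is taken as
# special characters, since digits already form their own category.
CATEGORIES = (
    ("uppercase", lambda c: "A" <= c <= "Z"),
    ("lowercase", lambda c: "a" <= c <= "z"),
    ("digit", lambda c: "0" <= c <= "9"),
    ("special", lambda c: not c.isalnum()),
)


def check_complexity(password: str, account_name: str, full_name: str) -> List[str]:
    """Return the complexity rules the password violates; an empty list passes."""
    failures = []
    lowered = password.lower()  # all name comparisons are case-insensitive
    if len(password) < 6:
        failures.append("shorter than six characters")
    if account_name and account_name.lower() in lowered:
        failures.append("contains the account name")
    # Only name parts longer than two characters count, so an initial like "J." never trips it.
    for token in NAME_SEPARATORS.split(full_name):
        if len(token) > 2 and token.lower() in lowered:
            failures.append(f"contains part of the full name: {token!r}")
    present = [name for name, test in CATEGORIES if any(test(c) for c in password)]
    if len(present) < 3:
        failures.append(f"uses {len(present)} of 4 character categories: {', '.join(present) or 'none'}")
    return failures


if __name__ == "__main__":
    # Constructed sample account; "jsmith" / "John Smith" are not from the article.
    for candidate in ("Summer2007!", "Passw0rd", "smith1", "xJSmithx9"):
        print(candidate, "->", check_complexity(candidate, "jsmith", "John Smith") or "OK")
```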

Store passwords using reversible encryption

This setting allows you to specify whether Vista should store its passwords using reversible encryption. No surprise here, but this setting is disabled by default.

This option is provided in order to offer support for applications that use protocols that require knowledge of the user's password for authentication purposes. Keep in mind that choosing to do this is essentially the same as storing plain text versions of the passwords. This policy should never be enabled unless application requirements outweigh the need to protect password information.

How do you know if you need it? This is likely to come to light if you are using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

Comments

The above solution only works in Ultimate or Business; Home versions do not include the Local Security Policy. You can, however, change these values using 'net accounts' or 'net user'.

For instance, to stop Vista Home passwords from expiring every 42 days: from All Programs --> Accessories, right-click 'Command Prompt' and choose 'Run as Administrator', then at the command line type:

net accounts /maxpwage:unlimited

This will set the password to never expire

net accounts /maxpwage:90

To set it to expire after 90 days

Type "net accounts /?" to see other commands and just "net accounts" to see current status
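To act on what 'net accounts' reports, here is an added example (not Nigel's or the article's code) that parses constructed output laid out like that command's status listing and applies the dependencies the article describes between history, minimum age and maximum age. The sample text and the label strings are assumptions about the command's output format; the thresholds come from the article.

```python
from typing import Dict, List

# Constructed sample in the layout 'net accounts' prints (not real output from the
# commenter's machine), as a workstation might show after /maxpwage:unlimited.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
The command completed successfully.
"""

# Labels of the four password-policy lines; 'None' and 'Unlimited' both stand for 0.
FIELDS = {
    "Minimum password age (days)": "min_age",
    "Maximum password age (days)": "max_age",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
}

def parse_net_accounts(text: str) -> Dict[str, int]:
    """Pull the password-policy values out of 'net accounts' output as integers."""
    policy = {}
    for line in text.splitlines():
        label, _, value = line.partition(":")
        key = FIELDS.get(label.strip())
        if key:
            value = value.strip()
            policy[key] = 0 if value in ("None", "Unlimited") else int(value)
    return policy

def audit_policy(policy: Dict[str, int]) -> List[str]:
    """Apply the dependencies from the article; an empty list means the policy holds together."""
    findings = []
    if policy["max_age"] == 0:
        findings.append("passwords never expire (article recommends 30 to 90 days)")
    else:
        if not 30 <= policy["max_age"] <= 90:
            findings.append(f"maximum age {policy['max_age']} days is outside 30 to 90")
        if policy["min_age"] >= policy["max_age"]:
            findings.append("minimum age must be less than maximum age")
    if policy["history"] == 0:
        findings.append("no password history: an old password can be reused at once")
    elif policy["min_age"] == 0:
        findings.append("history enforced but minimum age 0 lets users cycle straight past it")
    if policy["min_length"] == 0:
        findings.append("no minimum password length enforced")
    return findings
```

Feeding the output of a real `net accounts` run into `parse_net_accounts` gives the same findings list for the machine in front of you.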

Very good Nigel, Thanks for taking the time to share!

I can't believe how hard this answer was to find. Thanks, Nigel!!

Bob Kelly's Bio:

Bob Kelly is the founder of AppDeploy.com — a resource focused on desktop management products and practices. He is author of the Start to Finish Guide to Scripting with KiXtart and The Definitive Guide to Windows Desktop Administration. He is also president and co-founder of iTripoli, Inc. who provide AdminScriptEditor.com, home to an integrated suite of scripting tools and a shared library of scripts and language help. Not enough? For more on Bob click here.