Enforcing Strong Passwords

By Paul McFedries

You, as a savvy Windows Vista user, know how to create a strong password, and you can certainly pass along that information to the other people in your home or business, but how can you be sure that they'll take up the strong password gospel?

The truth is you can't, and surveys of password use over the years have been remarkably consistent: most users are lazy and they prefer to use simple passwords that are easy to remember. If the user operates a standalone PC, then it's their funeral. But it's more likely these days that the user is part of a network, and a brain-dead password puts not only that PC at risk, but it puts the entire network at risk.

If it's your network you're worried about, you can take matters into your own hands and set up password policies that ensure your users protect their PCs with strong passwords. There are two policies you can implement:

  • Minimum Password Length: This policy sets the minimum number of characters for the password. You enter a value that represents the number of characters, and that value can be as high as 14 or as low as 1. (If you use 0, it means no password is required.) A good choice here is 8.
  • Password Must Meet Complexity Requirements: If you enable this policy, Windows Vista examines each new password and accepts it only if it meets the following criteria: It doesn't contain all or part of the person's username; it's at least six characters long; and it contains characters from three of the following four categories: uppercase letters, lowercase letters, digits (0-9), and nonalphanumeric characters (such as $ and #).
NOTE
If you set the Minimum Password Length policy to a value between 0 and 5, and you enable the Password Must Meet Complexity Requirements policy, the latter policy takes priority and the minimum password length is six characters. If you set the Minimum Password Length policy to a value between 7 and 14, and you enable the Password Must Meet Complexity Requirements policy, the former policy takes priority and Windows uses its value as the minimum password length.
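The following PowerShell function is an added example, not code from the article, that applies the two policies and the precedence rule in the note above to a candidate password, so an administrator can see in advance why Windows would reject it. The page does not spell out what "part of the username" means, so this example assumes any case-insensitive run of three or more characters from the username counts; the sample account name and candidate passwords are constructed.

```powershell
# Added example: evaluate a candidate password against the article's two policies.
# Assumption: "part of the username" is approximated as any 3+ character slice
# of the username, matched case-insensitively.

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $UserName,
        [ValidateRange(0, 14)] [int] $MinimumLength = 8,
        [bool] $RequireComplexity = $true
    )

    $problems = @()

    # Precedence rule from the note: with complexity enabled, the effective
    # minimum is the larger of the configured length and 6.
    $effectiveMin = $MinimumLength
    if ($RequireComplexity -and $MinimumLength -lt 6) { $effectiveMin = 6 }

    if ($Password.Length -lt $effectiveMin) {
        $problems += "shorter than the effective minimum of $effectiveMin characters"
    }

    if ($RequireComplexity) {
        # Three of the four categories: uppercase, lowercase, digit, nonalphanumeric.
        # -cmatch is case-sensitive, which the upper/lower checks need.
        $categories = 0
        if ($Password -cmatch '[A-Z]')        { $categories++ }
        if ($Password -cmatch '[a-z]')        { $categories++ }
        if ($Password -match  '[0-9]')        { $categories++ }
        if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
        if ($categories -lt 3) {
            $problems += "uses only $categories of the 4 character categories (needs 3)"
        }

        # Username check: the whole name or any 3-character window of it (assumption).
        $lowerPw   = $Password.ToLowerInvariant()
        $lowerUser = $UserName.ToLowerInvariant()
        $hit = $false
        if ($lowerUser.Length -lt 3) {
            $hit = ($lowerUser.Length -gt 0 -and $lowerPw.Contains($lowerUser))
        } else {
            for ($i = 0; $i + 3 -le $lowerUser.Length; $i++) {
                if ($lowerPw.Contains($lowerUser.Substring($i, 3))) { $hit = $true; break }
            }
        }
        if ($hit) { $problems += "contains all or part of the username '$UserName'" }
    }

    [pscustomobject]@{
        Candidate = $Password          # constructed test values only; do not log real passwords
        Accepted  = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Constructed sample candidates for a constructed account named "karen".
# Expected: karen123 and abc are rejected; Summer2011 and T!ger-42x are accepted.
foreach ($candidate in @('karen123', 'Summer2011', 'T!ger-42x', 'abc')) {
    Test-PasswordPolicy -Password $candidate -UserName 'karen' -MinimumLength 8
}
```

Run it with `-MinimumLength 4` to see the precedence rule in action: the configured value is ignored and six characters becomes the floor because complexity is enabled.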

Follow these steps to implement these policies:

NOTE
These steps require the Local Security Policy Editor, which is only available with Vista Business, Vista Enterprise, and Vista Ultimate. There's no other way to specify password strength, but you can set a minimum password length using Command Prompt, as I discuss below.
  1. Log on to the Windows Vista computer you want to work with.
  2. Select Start, type secpol.msc, press Enter, and then enter your administrator's credentials to continue. The Local Security Policy Editor appears.
  3. Open the Account Policies branch.
  4. Click the Password Policy branch.
  5. Double-click the Minimum Password Length policy to open its property sheet.
  6. Use the Password Must Be at Least spin box to set the minimum number of characters in any password, and then click OK.
  7. Double-click the Password Must Meet Complexity Requirements policy.
  8. Click Enabled and then click OK.

Note that these policies have no effect on any existing passwords. They only apply when you set a password on a new account, or when you change a password on an existing account.

You can also set the minimum password length at the command prompt, which is great if you're working on a Vista Home or Vista Home Premium machine. Here's how:

  1. Log on to the Windows Vista computer you want to work with.
  2. Select Start, type cmd.exe, right-click cmd.exe in the results, click Run as Administrator, and then enter your administrator's credentials to continue. The Administrator: Command Prompt window appears.
  3. Enter the following command, changing n to the minimum length you want to use:

     net accounts /minpwlen:n
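As an added example that is not part of the article, the PowerShell script below wraps the same NET ACCOUNTS command: it reads the current "Minimum password length" value that `net accounts` prints, applies a new value with /minpwlen only when it differs, and re-reads the setting to confirm the change took effect. It assumes an English-language Windows system (the label it parses is not localized here) and, like the Command Prompt steps, must run from an elevated session.

```powershell
# Added example: audit and set the local minimum password length via NET ACCOUNTS.
# Assumes an English Windows install and an elevated (Run as Administrator) session.

function Get-MinimumPasswordLength {
    # NET ACCOUNTS with no arguments prints a label/value table; the line of
    # interest looks like "Minimum password length:   8".
    $line = (& net.exe accounts) |
        Where-Object { $_ -match '^Minimum password length:\s+\d+' } |
        Select-Object -First 1
    if (-not $line) {
        throw 'Could not find "Minimum password length" in NET ACCOUNTS output.'
    }
    # Match again in this scope so $Matches is reliably populated.
    if ($line -match '(\d+)\s*$') { return [int]$Matches[1] }
    throw "Unexpected NET ACCOUNTS line: $line"
}

function Set-MinimumPasswordLength {
    param([Parameter(Mandatory)] [ValidateRange(0, 14)] [int] $Length)

    $current = Get-MinimumPasswordLength
    if ($current -eq $Length) {
        Write-Host "Minimum password length is already $Length; nothing to do."
        return
    }

    # /minpwlen is the option that sets the minimum length.
    & net.exe accounts "/minpwlen:$Length" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "NET ACCOUNTS failed with exit code $LASTEXITCODE (is this session elevated?)"
    }

    # Read the value back rather than trusting the command's success message.
    $after = Get-MinimumPasswordLength
    if ($after -ne $Length) {
        throw "Setting did not take effect: expected $Length, NET ACCOUNTS reports $after."
    }
    Write-Host "Minimum password length changed from $current to $after."
}

# Usage: the article's recommended value of 8.
Set-MinimumPasswordLength -Length 8
```

Reading the value back matters because `net accounts` reports success from the command's point of view; confirming the stored setting is what tells you the policy the users will actually meet.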

With these policies in effect, if someone tries to change their password to something weak, they see a dialog box warning them that the system's policies require a stronger password.

1 comment

    Anonymous 3 years ago
    There is a mistake. It should be net accounts /minpwlen:n Regards
