Password security is one of the most important aspects of protecting your network and data from unauthorized access. Weak passwords can be easily guessed or cracked by attackers, compromising your systems and accounts. Therefore, it is essential to enforce strong password policies that require users to create complex and unique passwords that are hard to break. There has been a shift from the recommendation of shorter passwords that replace vowels with numbers and symbols to longer passwords that consist of phrases that are easy for end users to remember. As such, a maximum configurable value of 14 for the minimum password length in a Windows Server environment may be too short.
In this blog post, I will show you how to set up environments consisting of Windows Server 2022, Windows 10, and Windows 11 so that every user is required to set an account password longer than 14 characters, using a standard Group Policy Object (GPO). This uses the RelaxMinimumPasswordLengthLimits, MinimumPasswordLengthAudit, and MinimumPasswordLength Group Policy settings.
Why 14 Characters?
The default minimum password length in Windows is 8 characters, which is not enough to withstand brute force attacks that try every possible combination of characters. According to Microsoft, a password with 8 characters can be cracked in less than 2.5 hours, while a password with 14 characters can take substantially longer.
In Windows Server environments, the longstanding maximum value that can be set for the MinimumPasswordLength Group Policy setting is 14. Outside of using a Fine-grained Password Policy assigned to security groups, there has been no way to require passwords longer than 14 characters in Windows.
To overcome this limitation, you need to enable the RelaxMinimumPasswordLengthLimits policy setting, which allows you to set the minimum password length to any value from 1 to 255. This setting works together with the MinimumPasswordLengthAudit and MinimumPasswordLength settings, which let you specify the minimum password length and audit the password changes that do not meet the requirement.
How to Configure the Password Policy Settings
To change the password policy settings in Windows Server 2022, you can follow these steps:
- Open the Group Policy Management Console (GPMC).
- Expand the Domains folder, choose the domain whose policy you want to access and choose Group Policy Objects.
- Right-click the Default Domain Policy GPO and click Edit.
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
- Change “Relax minimum password length limits” to Enabled.
- Change “Minimum password length audit” to the number of characters you want the minimum password length to be.
- Change “Minimum password length” to the number of characters you want the minimum password length to be.
For more information on this, Microsoft has this support article: Minimum Password Length auditing and enforcement on certain versions of Windows – Microsoft Support
Configuration Recommendations to Force Password Length Longer Than 14 Characters
The following gives more detail for each setting that you need to configure to enforce strong passwords in your environment:
Name: RelaxMinimumPasswordLengthLimits
Description: Allows you to set the minimum password length to any value from 1 to 255.
Value to require passwords greater than 14 characters: Enabled
Name: MinimumPasswordLengthAudit
Description: Specifies the minimum number of characters that a password must contain. If a user tries to change their password to a value that is shorter than this number, the system will generate a warning event in the Security log.
Value to require passwords greater than 14 characters: 15 or higher
Name: MinimumPasswordLength
Description: Specifies the minimum number of characters that a password must contain. If a user tries to change their password to a value that is shorter than this number, the system will reject the change and display an error message.
Value to require passwords greater than 14 characters: 15 or higher
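To confirm that the steps above actually took effect on a domain controller, the following PowerShell check (an added example, not code from the original post) reads the effective domain password policy and the two newer settings. It assumes the ActiveDirectory RSAT module is available and that RelaxMinimumPasswordLengthLimits and MinimumPasswordLengthAudit are stored as DWORD values under the SAM registry key named in $SamKey; both the key path and the target length of 15 are assumptions you can adjust.

```powershell
# Added verification script (not from the original post). Run on a domain controller
# after the GPO has been applied (gpupdate /force) to confirm the >14 character policy.
param(
    [int]$RequiredMinimumLength = 15,                              # assumed target from the post
    [string]$SamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' # assumed location of the two newer values
)

Import-Module ActiveDirectory -ErrorAction Stop

# Effective domain-wide policy, i.e. what MinimumPasswordLength in the Default Domain Policy resolved to
$policy = Get-ADDefaultDomainPasswordPolicy

# The two settings that lift the 14-character ceiling; missing values read as 0 (not enabled)
$sam         = Get-ItemProperty -Path $SamKey -ErrorAction SilentlyContinue
$relax       = [int]($sam.RelaxMinimumPasswordLengthLimits)
$auditLength = [int]($sam.MinimumPasswordLengthAudit)

$findings = @()
if ($relax -ne 1) {
    $findings += 'RelaxMinimumPasswordLengthLimits is not Enabled (1); a MinimumPasswordLength above 14 will not be honoured.'
}
if ($auditLength -lt $RequiredMinimumLength) {
    $findings += "MinimumPasswordLengthAudit is $auditLength; expected at least $RequiredMinimumLength."
}
if ($policy.MinPasswordLength -lt $RequiredMinimumLength) {
    $findings += "MinimumPasswordLength is $($policy.MinPasswordLength); expected at least $RequiredMinimumLength."
}
if (-not $policy.ComplexityEnabled) {
    $findings += 'Password complexity requirements are disabled.'
}

# One object summarising the policy and whether it meets the recommendation
[pscustomobject]@{
    MinPasswordLength    = $policy.MinPasswordLength
    RelaxLimits          = $relax
    AuditLength          = $auditLength
    ComplexityEnabled    = $policy.ComplexityEnabled
    PasswordHistoryCount = $policy.PasswordHistoryCount
    MaxPasswordAgeDays   = $policy.MaxPasswordAge.Days
    MinPasswordAgeDays   = $policy.MinPasswordAge.Days
    Compliant            = ($findings.Count -eq 0)
    Findings             = $findings
}
```

A non-empty Findings list tells you which of the three settings still needs attention; an empty list with Compliant set to True means the longer minimum is being enforced.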
Other Settings
In addition to the above, here is more detail on the remaining settings:
Name: Password must meet complexity requirements
Description: Determines whether passwords must meet a series of strong-password guidelines, such as containing characters from different categories and not including the username or full name.
Name: Enforce password history
Description: Determines the number of unique new passwords that must be associated with a user account before an old password can be reused.
Name: Maximum password age
Description: Determines the period of time (in days) that a password can be used before the system requires the user to change it.
Name: Minimum password age
Description: Determines the period of time (in days) that a password must be used before the user can change it.
Each of those settings should be considered carefully so that the result strikes a good balance between security and user acceptance.
By enforcing strong password policies, you can enhance the security of your network and data and comply with the best practices and standards.
Have any questions about how to use the Group Policy Object to enforce users to use long passwords over 14 characters in Windows? Please feel free to reach out to our experts at any time!