Windows default password complexity
Consider implementing a requirement in your organization to use ALT characters in the range from through as part of all administrator passwords. ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password. Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements.

The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page. This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Passwords that contain only alphanumeric characters are easy to discover with several publicly available tools. Configure the Passwords must meet complexity requirements policy setting to Enabled and advise users to use a variety of characters in their passwords.

When combined with a Minimum password length of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it's difficult but possible for a brute force attack to succeed.

If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases. If the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could occur because users might not be used to passwords that contain non-alphabetical characters, or they might have problems entering passwords that contain accented characters or symbols on keyboards with different layouts.

However, all users should be able to follow the complexity requirement with minimal difficulty. If your organization has more stringent security requirements, you can create a custom version of the Passfilt.

For example, a custom password filter might require the use of non-upper-row symbols. Upper-row symbols are those symbols that require you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard, from 1 through 9 and 0. A custom password filter might also perform a dictionary check to verify that the proposed password doesn't contain common dictionary words or fragments.
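The default rule described above (minimum length, no fragments of the user's name, characters from at least three classes) and the stricter custom filter sketched in this section, modelled in Python as an added example. This is not Microsoft's Passfilt code or a real password-filter DLL; the word list and the upper-row symbol set are constructed assumptions.

```python
import re

# Constructed stand-ins (assumptions): a tiny word list for the dictionary check,
# and the symbols SHIFT produces on the number row of a US keyboard.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "qwerty"}
UPPER_ROW_SYMBOLS = set("!@#$%^&*()")


def name_fragments(account_name, display_name):
    """Account name and display-name tokens longer than two characters; the
    default rule rejects passwords containing any of them."""
    frags = {account_name.lower()} if account_name else set()
    for tok in re.split(r"[,.\-_ #\t]+", display_name or ""):
        if len(tok) > 2:
            frags.add(tok.lower())
    return frags


def meets_default_complexity(pw, account_name="", display_name="", min_length=8):
    """Model of the built-in rule: minimum length (8 here, as on the page),
    no name fragments, and characters from at least 3 of 5 classes."""
    if len(pw) < min_length:
        return False
    low = pw.lower()
    if any(f in low for f in name_fragments(account_name, display_name)):
        return False
    classes = [
        any(c.isupper() for c in pw),                                   # A-Z
        any(c.islower() for c in pw),                                   # a-z
        any(c.isdigit() for c in pw),                                   # 0-9
        any(c.isascii() and not c.isalnum() and not c.isspace() for c in pw),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in pw),
    ]
    return sum(classes) >= 3


def meets_custom_filter(pw, account_name="", display_name=""):
    """Stricter policy in the spirit of the custom filter described: the default
    rule, plus a symbol off the upper row and no dictionary word or fragment."""
    if not meets_default_complexity(pw, account_name, display_name):
        return False
    if not any(c.isascii() and not c.isalnum() and not c.isspace()
               and c not in UPPER_ROW_SYMBOLS for c in pw):
        return False
    low = pw.lower()
    for word in DICTIONARY:
        # Reject any 4-character slice of a dictionary word (covers the whole word).
        if any(word[i:i + 4] in low for i in range(len(word) - 3)):
            return False
    return True
```

Note that a password such as Summer2024! passes the default rule yet fails the custom filter twice over: its only symbol is on the upper row and it contains a dictionary word.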

However, such stringent password requirements might result in more Help Desk requests. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the — range. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack.

This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects, if they are used instead of user objects) and global security groups. To apply a fine-grained password policy to the users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy.

You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy (except Kerberos settings), in addition to account lockout settings. When you specify a fine-grained password policy, you must specify all of these settings. By default, only members of the Domain Admins group can set fine-grained password policies.

However, you can also delegate the ability to set these policies to other users. The domain must be running at least Windows Server R2 or Windows Server to use fine-grained password policies.

Minimum OS version: Enter the minimum allowed version in the major.

To get the correct value, open a command prompt and type ver. The ver command returns the version in the following format: When a device has an earlier version than the OS version you enter, it's reported as noncompliant.

A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

Maximum OS version: Enter the maximum allowed version, in the major.

When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.

Minimum OS required for mobile devices: Enter the minimum allowed version, in the major. When a device has an earlier version than the OS version you enter, it's reported as noncompliant.

Maximum OS required for mobile devices: Enter the maximum allowed version, in the major.

Valid operating system builds: Specify a list of minimum and maximum operating system builds.

Valid operating system builds provides additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to This configuration can allow a Windows 10 device that doesn't have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels.

In such a case, consider using valid operating system builds instead, which allows multiple builds to be specified, as in the following example. Example: The following table is an example of a range of acceptable operating system versions for different Windows 10 releases.

In this example, three different Feature Updates have been allowed, and specifically, only those versions of Windows and which have applied cumulative updates from June to September will be considered to be compliant. This is sample data only. The table includes a first column that contains any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must adhere to valid OS build versions in the major.

After you define one or more entries, you can Export the list as a comma-separated values (CSV) file. Intune-only devices return a not available status. The alphanumeric password policies can be complex. We encourage administrators to read the CSPs for more information:

Minimum password length: Enter the minimum number of digits or characters that the password must have.
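The two compliance checks contrasted in this section, a minimum OS version versus a list of valid build ranges, worked through in Python as an added example. This is not Intune's implementation; the CSV rows and every build and revision number in them are constructed placeholders in the description/minimum/maximum layout the page describes, not real patch levels.

```python
import csv
import io

# Constructed sample export (assumption): description, minimum, maximum, each in
# major.minor.build.revision form. The numbers are placeholders, not real releases.
VALID_BUILDS_CSV = """description,min,max
Win10 21H2 patched,10.0.19044.1766,10.0.19044.3448
Win10 22H2 patched,10.0.19045.2006,10.0.19045.3448
Win11 22H2 patched,10.0.22621.1702,10.0.22621.2283
"""


def parse_version(s):
    """Turn 'a.b.c.d' into an int tuple so 10.0.19045.9 < 10.0.19045.100 is
    decided numerically rather than by string order. Missing parts become 0."""
    parts = [int(p) for p in s.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"bad version string: {s!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def load_build_ranges(text):
    """Parse the exported list into (description, min, max) tuples and reject
    rows whose minimum exceeds their maximum."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        lo, hi = parse_version(r["min"]), parse_version(r["max"])
        if lo > hi:
            raise ValueError(f"min > max in row {r['description']!r}")
        rows.append((r["description"], lo, hi))
    return rows


def compliant_by_min_version(device, minimum):
    """Minimum OS version check: anything at or above the floor passes, including
    a newer feature release that is missing recent cumulative updates."""
    return parse_version(device) >= parse_version(minimum)


def compliant_by_build_ranges(device, ranges):
    """Valid operating system builds check: the device must fall inside one of
    the ranges. Returns the matching description, or None if no range fits."""
    v = parse_version(device)
    for desc, lo, hi in ranges:
        if lo <= v <= hi:
            return desc
    return None
```

Run against the constructed rows, a device on build 19045 at revision 1500 passes the minimum-version check (floor 10.0.19044) but matches no build range, which is exactly the gap the section warns about.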
