Best Practices for Password Policy

I’ve seen a lot of different companies hand out a secure password when a user starts, but when the user changes that password, they often make it something less secure.  That’s why I thought I’d go over some of the configurable Group Policy settings along with the best practices for password settings.  I feel the need to mention it because so many out there ignore the best practices and put themselves at risk of compromise.  Unfortunately the biggest offenders here are small businesses, mostly because they don’t know better or their IT providers just don’t care enough.  If you don’t currently have these settings in place, seriously consider implementing these policies.  I leave most of the actual values up to you, but I make suggestions based on how much security means to your business and what your business can handle.

  • Enforce Password History: One of the easiest things to do is to set the password history; this setting keeps your users from cycling through a small set of passwords.  In Windows Server 2008 R2 the server can remember up to 24 previous passwords.  The setting is applied per user and can be set from 0 (disabled) to 24, and it makes sure the user can’t reuse any of the remembered passwords.  I recommend that you use this feature together with one of the password age settings so that a user can’t game the system by changing the password several times in one day to get back to the same password.
  • Maximum Password Age: At some point you want your users to change their password, and that’s where this setting comes in.  It determines how long users can keep a password before they are forced to change it. Where security is a concern, good values are 30, 60, or 90 days. Where security is less important, good values are 120, 150, or 180 days. Windows Server 2008 R2 notifies users when the password expiration date is approaching: when fewer than 30 days remain, users see a warning at logon that they must change their password within the remaining days.
  • Minimum Password Age: This setting sets a minimum time before a user is allowed to change their password again.  As I mentioned in the first point, you don’t want users changing their password several times in the same day, so you set a minimum password age before the user is allowed to change the password again.  Reasonable settings are from three to seven days. This way users are less inclined to switch back to an old password but are still able to change their passwords in a reasonable amount of time if they want to.
  • Minimum Password Length: It is always recommended that you set a minimum password length for accounts.  Make sure you change the default setting on the server, as it might allow users to set blank passwords.  In general I recommend that you set it to at least 8 characters, which makes a password harder to crack.  If you want more secure passwords, I recommend at least 10-character passwords; they tend to be more annoying to type, but they reduce your chances of password cracking.
  • Password must meet complexity requirements: This setting enforces the following restrictions on passwords used in your network.
      • Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
      • Passwords must be at least six characters in length.
      • Passwords must contain characters from three of the following four categories:
          • uppercase characters (A through Z).
          • lowercase characters (a through z).
          • digits (0 through 9).
          • non-alphabetic characters (for example, !, $, #, %).
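As an added example (not code from the original post), here is a small Python checker that applies the complexity rules listed above to candidate passwords for a constructed sample account. It assumes the full name is split into fragments on commas, periods, hyphens, underscores, spaces, pound signs and tabs, with fragments of three or more characters checked case-insensitively, which is how Microsoft documents the filter but is not spelled out in the post.

```python
import re

# Delimiters used to split the full name into fragments (assumption based on
# Microsoft's documentation of the complexity filter, not stated in the post).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

# The four character categories named in the policy description.
CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphabetic": re.compile(r"[^A-Za-z0-9]"),
}

def name_tokens(account_name, full_name):
    """Lower-cased name fragments of three or more characters a password may not contain."""
    tokens = set()
    if len(account_name) >= 3:
        tokens.add(account_name.lower())
    for part in NAME_DELIMITERS.split(full_name):
        if len(part) >= 3:
            tokens.add(part.lower())
    return tokens

def complexity_failures(password, account_name, full_name, min_length=6):
    """Return the reasons a password fails the complexity rules; empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for token in sorted(name_tokens(account_name, full_name)):
        if token in lowered:  # the name check is case-insensitive
            failures.append(f"contains name fragment '{token}'")
    present = [name for name, pattern in CATEGORY_PATTERNS.items() if pattern.search(password)]
    if len(present) < 3:
        failures.append(f"only {len(present)} of 4 character categories ({', '.join(present) or 'none'})")
    return failures

def meets_complexity(password, account_name, full_name, min_length=6):
    return not complexity_failures(password, account_name, full_name, min_length)

if __name__ == "__main__":
    # Constructed sample account, not a real user.
    account, full_name = "jsmith", "John Q. Smith"
    for candidate in ["Summer2024!", "password", "Smith#99x", "Ab1!", "Abcde1"]:
        problems = complexity_failures(candidate, account, full_name)
        print(f"{candidate!r:15} -> {'OK' if not problems else '; '.join(problems)}")
```

Raise `min_length` to 8 or 10 to combine this check with the Minimum Password Length recommendation above.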

If you use all of these settings, you will make sure that your users make the correct choices when their passwords expire.  Keeping the passwords complex minimizes the chance that your users’ passwords will be cracked or guessed.  These aren’t the only steps you should take to keep your network safe, but they are some of the easiest and most basic ones.


  1. Hey Jim

    I am CIO and my board has asked me for some kind of documentation of best practice for password. A co-worker has shown me your interesting website.
    We have a password policy which means that you must change your password every 60th day.
    Usually I would just say that best practice is either 30, 60 or 90 days as you recommend. But do you know any “public IT-authority” which recommends this?

  2. Torben,
    Unfortunately, while writing this article, I didn’t come across a public authority that gave these guidelines in such certain terms, but if I do find one, I’ll be sure to post it for you.

