Passwords must meet complexity requirements

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

Password must meet complexity requirements

Description

This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.

If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:

  • Passwords must not contain the user's entire samAccountName (Account Name) value or entire displayName (Full Name) value. Neither check is case sensitive:

    • The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped.

    • The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are less than three characters in length are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.

  • Passwords must contain characters from three of the following five categories:

    • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)

    • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)

    • Base 10 digits (0 through 9)

    • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

    • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

Note

A given character can satisfy only one category. The GetStringTypeW API (https://go.microsoft.com/fwlink/?LinkId=205607) is used to test whether each character in the password is uppercase, lowercase, or alphanumeric.
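As an added reference implementation (not Microsoft's code, and not the filter the operating system runs), the following Python check applies the rules described above: the samAccountName and tokenized displayName exclusions with their three-character minimum, and the three-of-five category test. Python's string predicates stand in for GetStringTypeW, so the category split is an approximation; the function names and the sample account values are constructed for illustration.

```python
import re

# Delimiters the displayName is split on, per the policy description:
# comma, period, dash/hyphen, underscore, space, pound sign, tab.
DISPLAY_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]")

# The nonalphanumeric category exactly as listed by the policy.
NONALPHANUMERIC = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def name_tokens(sam_account_name, display_name):
    """Return the lower-cased name fragments a password must not contain."""
    tokens = []
    # samAccountName is checked whole, and only if it is at least 3 chars.
    if len(sam_account_name) >= 3:
        tokens.append(sam_account_name.lower())
    # displayName is split on delimiters; tokens under 3 chars are ignored,
    # and substrings of tokens are not checked (only whole tokens).
    for token in DISPLAY_NAME_DELIMITERS.split(display_name):
        if len(token) >= 3:
            tokens.append(token.lower())
    return tokens


def character_categories(password):
    """Return the set of the five categories the password draws from.
    Each character counts toward exactly one category (first match wins);
    str.isupper/islower/isalpha approximate GetStringTypeW (assumption)."""
    categories = set()
    for ch in password:
        if ch.isupper():
            categories.add("upper")
        elif ch.islower():                # includes sharp-s and diacritics
            categories.add("lower")
        elif "0" <= ch <= "9":            # base 10 digits only
            categories.add("digit")
        elif ch in NONALPHANUMERIC:
            categories.add("nonalnum")
        elif ch.isalpha():                # alphabetic but uncased, e.g. CJK
            categories.add("other_alpha")
    return categories


def meets_complexity(password, sam_account_name, display_name):
    """Apply both rules; returns (passes, list_of_failure_reasons)."""
    reasons = []
    lowered = password.lower()            # name checks are case-insensitive
    for token in name_tokens(sam_account_name, display_name):
        if token in lowered:
            reasons.append(f"contains name fragment '{token}'")
    if len(character_categories(password)) < 3:
        reasons.append("fewer than three character categories")
    return (not reasons, reasons)
```

Running it against the "Erin M. Hagens" example from the text shows "erin" and "hagens" rejected as substrings while the one-character "M" is ignored.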

To create custom password filters, see Password Filters (https://go.microsoft.com/fwlink/?LinkId=205613).

Default:

  • Enabled on domain controllers.

  • Disabled on stand-alone servers.

Note

By default, member computers inherit the password policy configuration from the domain. This password policy configuration is defined either at the domain level or at any OU that has the member computer within its scope of management. If you define a password policy at an OU by using a GPO and that OU contains computer accounts, the computers that belong to those computer accounts inherit the password policy defined at the OU and apply it to the local users on the server.

Configuring this security setting

You can configure this security setting by opening the appropriate policy and expanding the console tree: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\

For specific instructions about how to configure password policy settings, see Apply or modify password policy.


Change History

Date: November 15, 2010
Revision: The description was revised to be more precise and accurate. The precise attribute names were added and the character categories were updated.

Date: November 30, 2010
Revision: The description "Far eastern" was changed to "Asian."

Date: Oct 1, 2012
Revision: The Note about how domain computers obtain password policy was revised.