Plan password complexity settings for Office 2013

Applies to: Office 365 ProPlus

Summary: Explains how to use the Office 2013 password settings to enforce password requirements.

Audience: IT Professionals

The Encrypt with Password feature in Excel 2013, PowerPoint 2013, and Word 2013 contains settings that enable you to enforce strong passwords, such as password length and complexity rules. By using these settings, you can require Office 2013 applications to enforce local password requirements or the domain-based requirements that are specified in the Password Policy settings in Group Policy.

Important

This article is part of the Roadmap for Office 2013 identity, authentication, and authorization for IT Professionals. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 identity.
Are you looking for help about individual Office 2013 applications? You can find this information by searching on Office.com.

In this article:

  • About planning password length and complexity settings

  • Enforce password length and complexity

  • Related password length and complexity settings

About planning password length and complexity settings

By default, there are no restrictions on password length or password complexity for the Encrypt with Password feature, which means that users can encrypt a document, presentation, or workbook without specifying a password. But we recommend that organizations change this default setting and enforce password length and complexity to help make sure that strong passwords are used with the Encrypt with Password feature.

Many organizations enforce strong passwords for logon and authentication by using domain-based group policies. If this is the case, we recommend that the organization use the same password length and complexity requirements for the Encrypt with Password feature. For more information about strong passwords, including recommendations for determining password length and complexity, see Creating a Strong Password Policy.

Warning

When you establish password policies, you must balance the need for strong security against the need to make the password policy easy for users to implement. If a password is forgotten or an employee leaves an organization without providing the passwords used to save and encrypt the data, the data is inaccessible until the correct password is available to decrypt the data.

Enforce password length and complexity

When you configure the password settings that Office 2013 provides to enforce password length and complexity, you can use the settings that are included with Office 2013 on their own or in combination with the password settings that are available in the domain-based Group Policy object. If you already enforce strong passwords for domain logon and authentication, we recommend that you configure the password length and complexity settings for Office 2013 the same as they are configured for the Password Policy Group Policy Object (GPO) for the domain.

The following password settings are included in Office 2013:

  • Set minimum password length

  • Set password rules level

  • Set password rules domain time-out

You can configure the Office 2013 password settings by using the Office Customization Tool (OCT) or the Office 2013 Administrative Templates for local or domain-based group policies. For information about how to configure security settings in the OCT and the Office 2013 Administrative Templates, see Configure security by using OCT or Group Policy for Office 2013.

The following password settings are available for the Password Policy GPO:

  • Enforce password history

  • Maximum password age

  • Minimum password age

  • Minimum password length

  • Password must meet complexity requirements

  • Store passwords using reversible encryption

You can use Group Policy to configure the domain-based Password Policy settings. For more information, see Group Policy Settings Reference for Windows and Windows Server.

The Set password rules level setting in Office 2013 determines the password complexity requirements and whether the Password Policy Group Policy object for the domain is used.

To enforce password length and complexity for the Encrypt with Password feature, determine the following:

  • The minimum password length that you want to enforce locally.

  • The password rules level.

  • The password time-out value for domain-based password enforcement. This is an optional task. You should consider setting a password time-out if both of the following are true:

    • There is a custom password filter installed on your domain controller

    • Contacting the domain controller takes longer than the default 4 seconds

Determine minimum password length requirement

To enforce password length and complexity, first determine the minimum password length that you want to enforce locally. The Set minimum password length setting lets you do this. When you enable this setting, you can specify a password length between 0 and 255. But specifying a minimum password length doesn’t by itself enforce password length. To enforce password length or complexity, you must also change the Set password rules level setting, which is discussed in the following section.

Determine the password rules level

After you set a minimum password length for local enforcement, you must determine the rules by which password length and complexity are enforced. The Set password rules level setting lets you do this. When you enable this setting, you can select one of the following four levels:

  • No password checks   Password length and complexity aren’t enforced. This is the same as the default configuration.

  • Local length check   Password length is enforced but not password complexity. In addition, password length is enforced only on a local basis according to the password length requirement that is specified in the Set minimum password length setting.

  • Local length and complexity checks   Password length is enforced on a local basis according to the password length requirement that is specified in the Set minimum password length setting. Password complexity is also enforced on a local basis, which means that passwords must contain characters from at least three of the following character sets:

    • Lowercase a–z

    • Uppercase A–Z

    • Digits 0–9

    • Non-alphabetical characters

    This setting works only if you specify a password length of at least six characters in the Set minimum password length setting.

  • Local length, local complexity, and domain policy checks   Password length and complexity are enforced according to the domain-based Password Policy settings that are set in Group Policy. If a computer is offline or can’t contact a domain controller, the local password length and complexity requirements are enforced exactly as they are described for the Local length and complexity checks setting.

If you want to enforce password length and password complexity by using domain-based settings, you must configure Password Policy settings in Group Policy. Domain-based enforcement has several advantages over local enforcement. Some of the advantages include the following:

  • Password length and complexity requirements are the same for logon and authentication as they are for the Encrypt with Password feature.

  • Password length and complexity requirements are enforced the same way throughout the organization.

  • Password length and complexity requirements can be enforced differently according to organizational units, sites, and domains.

To learn more about enforcing password length and complexity by using domain-based Group Policy, see Enforcing strong password usage throughout your organization.

Determine domain time-out value

If you use domain-based Group Policy settings to enforce password length and complexity for the Encrypt with Password feature and there is a custom password filter installed on your domain controller, you might have to configure the Set password rules domain time-out setting. The domain time-out value determines how long an Office 2013 application waits for a response from a domain controller before it uses the local password length and complexity settings for enforcement. You can use the Set password rules domain time-out setting to change the domain time-out value. By default, the time-out value is 4000 milliseconds (4 seconds), which means that an Office 2013 application will use local password length and complexity settings for enforcement if a domain controller doesn’t respond within 4000 milliseconds.

Note

The domain time-out value has no effect unless you enable the Set minimum password length setting, enable the Set password rules level setting, and then select the Local length, local complexity, and domain policy checks option.
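The following model of the four password rules levels and of the domain time-out fallback is an added example, not code from Office or from this article. It applies the local rules exactly as described above (minimum length, then characters from at least three of the four character sets, complexity only when the minimum length is at least six) and falls back to those local checks when the domain controller does not answer within the time-out. The names RulesLevel, check_password and sample_domain_policy are assumptions made for the example; sample_domain_policy is a constructed stand-in for the domain Password Policy GPO.

```python
import re
from enum import Enum


class RulesLevel(Enum):
    NO_CHECKS = 0                    # No password checks
    LOCAL_LENGTH = 1                 # Local length check
    LOCAL_LENGTH_AND_COMPLEXITY = 2  # Local length and complexity checks
    LOCAL_AND_DOMAIN = 3             # Local length, local complexity, and domain policy checks


# The four character sets the local complexity check counts.
CHARACTER_SETS = (
    re.compile(r"[a-z]"),          # lowercase a-z
    re.compile(r"[A-Z]"),          # uppercase A-Z
    re.compile(r"[0-9]"),          # digits 0-9
    re.compile(r"[^A-Za-z0-9]"),   # non-alphabetical characters
)


def meets_local_complexity(password):
    """True when the password draws on at least three of the four sets."""
    return sum(1 for charset in CHARACTER_SETS if charset.search(password)) >= 3


def sample_domain_policy(password):
    """Constructed stand-in for the domain Password Policy GPO (assumption):
    minimum length 10 plus the complexity requirement."""
    if len(password) < 10 or not meets_local_complexity(password):
        return False, "rejected by domain policy"
    return True, "accepted by domain policy"


def check_password(password, level, min_length, domain_policy=None,
                   domain_response_ms=None, domain_timeout_ms=4000):
    """Return (accepted, reason) for the given Set password rules level."""
    if level is RulesLevel.NO_CHECKS:
        return True, "no password checks"
    if level is RulesLevel.LOCAL_AND_DOMAIN:
        reachable = (domain_policy is not None and domain_response_ms is not None
                     and domain_response_ms <= domain_timeout_ms)
        if reachable:
            return domain_policy(password)
        # Offline or past the time-out: fall back to the local checks.
        level = RulesLevel.LOCAL_LENGTH_AND_COMPLEXITY
    if len(password) < min_length:
        return False, f"shorter than the minimum length of {min_length}"
    if level is RulesLevel.LOCAL_LENGTH_AND_COMPLEXITY:
        if min_length < 6:
            # Assumption: below a minimum length of six, complexity is not applied.
            return True, "complexity not applied (minimum length below 6)"
        if not meets_local_complexity(password):
            return False, "characters from fewer than three character sets"
    return True, "accepted"
```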

Related password length and complexity settings

The following settings are often used when an organization enforces password length and complexity:

  • Cryptographic agility settings   These settings let you specify the cryptographic providers and algorithms that are used to encrypt documents, presentations, and workbooks.

Note

For the latest information about policy settings, refer to the Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool TechNet article.

See also

Roadmap for Office 2013 identity, authentication, and authorization
Overview of security in Office 2013
Configure security by using OCT or Group Policy for Office 2013