What should I know about password policies?

Applies To: Windows Storage Server 2008 R2 Essentials

The password policy is a set of rules that define how users create and use passwords. The policy helps to prevent unauthorized access to user data and other information that is stored on the server. The password policy is applied to all user accounts that access the server.

The Windows Storage Server 2008 R2 Essentials password policy consists of two primary elements as follows:

  • Password length.  The longer a password is, the more secure it is. Blank passwords are not secure.

  • Password complexity.  Complex passwords contain a mixture of uppercase and lowercase letters (a-z, A-Z), base numbers (0-9), and non-alphabetic symbols (such as !, @, #, _, -). Complex passwords are much less susceptible to unauthorized access. Passwords that contain user names, birth dates, or other personal information do not provide adequate security.

To make it easier to implement a password policy on your computer network, Windows Storage Server 2008 R2 Essentials provides a simple tool that allows you to set or change the password policy to any of the following four pre-defined policy profiles:

  • Weak.  Users can specify any password that is not blank.

  • Medium.  These passwords must contain at least 5 characters. A complex password is not required.

  • Best.  These passwords must contain at least 5 characters, and must include letters, numbers, and symbols.

  • Strong.  These passwords must contain at least 7 characters, and must include letters, numbers, and symbols. These passwords are more secure, but may be more difficult for users to remember.

By default, server installation sets the password policy to the Weak option.
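
The following Python sketch is an added illustration, not code from the product: it applies the four profile rules listed above to a candidate password and reports the strictest profile that would accept it. It assumes "letters, numbers, and symbols" means at least one of each; the function names and sample passwords are constructed for the example.

```python
# Added illustration; thresholds come from the profile list above.
# Assumption: "letters, numbers, and symbols" means at least one of each.

PROFILES = [  # ordered weakest to strongest: (name, min_length, needs_complexity)
    ("Weak", 1, False),
    ("Medium", 5, False),
    ("Best", 5, True),
    ("Strong", 7, True),
]


def is_complex(password):
    """True if the password has at least one letter, one digit and one symbol."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return has_letter and has_digit and has_symbol


def accepted_by(password):
    """Names of every profile whose rules the password satisfies."""
    complex_ok = is_complex(password)
    return [name for name, min_len, needs_complex in PROFILES
            if len(password) >= min_len and (complex_ok or not needs_complex)]


def audit(password, user_name=""):
    """Return (strictest accepted profile or None, list of advisory notes)."""
    accepted = accepted_by(password)
    notes = []
    # The page warns that passwords containing user names are inadequate.
    if user_name and user_name.lower() in password.lower():
        notes.append("contains the user name")
    if "Strong" not in accepted:
        notes.append("would be rejected under Strong")
    return (accepted[-1] if accepted else None), notes


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for user, pw in [("alice", ""), ("alice", "abc"), ("alice", "alice2024"),
                     ("bob", "a1!xy"), ("bob", "T7#quartz-Lamp")]:
        print(repr(pw), audit(pw, user))
```

Running it against existing password conventions before moving from the default Weak profile to a stricter one shows which passwords users would have to change.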

For information about how to change the password policy, see Change the password policy.

For information about how to reset the password for a user account, see Reset the password for a user account.

Important

When Windows Storage Server 2008 R2 Essentials is joined to a network that contains a domain controller, the password policy comes from the domain controller to which Windows Storage Server 2008 R2 Essentials is joined. In this case, you cannot change the password policy from the computer running Windows Storage Server 2008 R2 Essentials.