password security requirements

Emma 20 Reputation points
2026-04-21T00:52:18.8633333+00:00

What are the security requirements for a Windows password? E.g., how many characters, what combination of letters and numbers, which symbols can be used.

Windows for home | Windows 10 | Security and privacy

Answer accepted by question author

  1. Q&A Assist
    2026-04-21T00:52:30.78+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows password security requirements depend on the policy configured on the device or in the organization, but the built‑in “complexity” rules and strong‑password guidance are as follows.

    Built‑in Windows password complexity (when Passwords must meet complexity requirements is enabled):

    1. Content restrictions
      • The password must not contain:
        • The user’s samAccountName (account name) as a substring (if the name is at least 3 characters).
        • Any full token from the user’s displayName (full name) split on spaces, commas, periods, dashes, underscores, #, or tabs, where the token is 3 or more characters.
    2. Character types required
      • The password must contain characters from at least 3 of these 5 categories:
        1. Uppercase letters of European languages (A–Z, including diacritics, Greek, Cyrillic).
        2. Lowercase letters of European languages (a–z, including diacritics, Greek, Cyrillic).
        3. Base‑10 digits: 0–9.
        4. Non‑alphanumeric characters (symbols), for example: $, !, %, ^, (), {}, [], ;, :, <, >, ?.
        5. Any other Unicode alphabetic character (for example, characters from Asian languages).
      • A single character can only count toward one category.
    3. Length
      • The minimum length is controlled by local or domain password policy (for example, via Local Security Policy → Account Policy → Password Policy).
      • When only complexity is considered, Windows’ strong‑password guidance is:
        • At least 7 characters for a “strong” password in older server guidance.
        • For modern best practice, at least 12 characters, and 14 or more is better.
    4. Symbols that can be used
      • Any non‑alphanumeric character supported by Windows can be used, including common symbols such as:
        • ! @ # $ % ^ & * ( ) - _ = + [ ] { } ; : ' " , . < > / ? \
      • Extended ANSI and Unicode characters can also be used, but they should be tested with all applications to ensure compatibility.

    Strong password recommendations for Windows 10/11 home use:

    • Use a password that is:
      1. At least 12 characters long (14+ preferred).
      2. A mix of uppercase, lowercase, numbers, and symbols.
      3. Not a dictionary word or a name (person, character, product, organization).
      4. Significantly different from previous passwords.
      5. Easy to remember but hard to guess, for example a phrase like 6MonkeysRLooking^.

    These rules can be tightened or relaxed by an administrator (for example, in a corporate domain), but the above describes the default Windows complexity behavior and Microsoft’s recommended strength for home users.
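
The complexity rules listed in the answer above, written out as a checker. This is an added example, not part of the answer and not Microsoft's code; the case-insensitive name matching, the mapping of Unicode categories onto the five character classes, and the sample account names are assumptions made for illustration.

```python
import re
import unicodedata

# Delimiters the answer lists for splitting displayName into tokens:
# space, comma, period, dash, underscore, '#', tab.
_DELIMS = re.compile(r"[ ,.\-_#\t]+")


def char_category(ch):
    """Map one character to exactly one of the five categories (or None)."""
    if ch in "0123456789":
        return "digit"
    cat = unicodedata.category(ch)
    if cat == "Lu":
        return "upper"          # approximation of "uppercase, European languages"
    if cat == "Ll":
        return "lower"          # approximation of "lowercase, European languages"
    if cat.startswith("L"):
        return "other_alpha"    # e.g. CJK ideographs
    if not ch.isalnum():
        return "symbol"
    return None                 # non-ASCII numerals: counted nowhere (assumption)


def check_complexity(password, sam_account_name, display_name):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    folded = password.casefold()  # assumption: name checks ignore case
    # Rule 1a: account name as a substring, only if it has 3+ characters.
    if len(sam_account_name) >= 3 and sam_account_name.casefold() in folded:
        problems.append("contains account name")
    # Rule 1b: any displayName token of 3+ characters.
    for token in _DELIMS.split(display_name):
        if len(token) >= 3 and token.casefold() in folded:
            problems.append(f"contains name token {token!r}")
    # Rule 2: at least 3 of 5 categories; each character counts once.
    categories = {char_category(c) for c in password} - {None}
    if len(categories) < 3:
        problems.append(f"only {len(categories)} of 5 character categories")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts and passwords.
    for pw, sam, name in [("6MonkeysRLooking^", "emma", "Emma Example"),
                          ("Emma2026!", "emma", "Emma Example"),
                          ("Jo-Li-2026", "jo", "Jo Li")]:
        print(pw, "->", check_complexity(pw, sam, name) or "OK")
```

Minimum length is not checked here because, as the answer notes, it is set separately by the local or domain password policy.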

