2.2.1.1 Password Policies

This section defines settings that specify various supported password policies. The ABNF for valid keys that represent such policies MUST be as follows.

 Key = "MinimumPasswordAge" / "MaximumPasswordAge" /
       "MinimumPasswordLength" / "PasswordComplexity" /
       "PasswordHistorySize" / "ClearTextPassword" /
       "RequireLogonToChangePassword"

 Value = 1*10DIGIT

The following table provides an explanation for each of the valid key values.

Note: All numerical values are decimal unless explicitly specified otherwise or preceded by 0x.

Setting key

Explanation

MaximumPasswordAge

Maximum number of days that a password can be used before the client requires the user to change it. The value MUST be either equal to "-1" or in the range 1 to 999. The value "-1" indicates that a password never expires. If the maximum password age value is not "-1", the minimum password age MUST be less than the maximum password age.

MinimumPasswordAge

Number of days, counted from the date the password was changed or reset, that a password MUST be used before the client allows the user to change it. This value MUST be between 0 and 999. The minimum password age MUST be less than the maximum password age, unless the maximum password age is set to -1.

MinimumPasswordLength

Minimum number of characters that a password for a user account MUST contain. This value MUST be between 0 and 2^16. A value of 0 indicates that no password is required.

PasswordComplexity

Flag that indicates whether the operating system MUST require that passwords meet complexity requirements. If this flag is set, it indicates that passwords MUST meet a specific minimum requirement. This value MUST be between 0 and 2^16. A value of 0 indicates that no password complexity requirements apply. Any other valid value indicates that password complexity requirements apply.

If this policy is enabled, passwords MUST meet the following minimum requirements:

  • MUST NOT contain the user's account name, or any part of the user's full name that is longer than two consecutive characters.

  • MUST be at least six characters in length.

  • MUST contain characters from at least three of the following four categories:

    • English uppercase characters (A through Z).

    • English lowercase characters (a through z).

    • Base 10 digits (0 through 9).

    • Nonalphanumeric characters (for example, !, $, #, %).

Complexity requirements MUST be enforced when passwords are changed or created.
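The four rules above can be checked mechanically when a password is created or changed. The following Python is an added example for this section, not code from the specification or from Windows: it applies each rule and reports which ones a candidate password violates. The delimiters used to split the full name into parts and the case-insensitive comparison are assumptions of the example, as are the sample user and passwords.

```python
import re

# Delimiters on which the full name is split into parts. The page does not
# list them, so this set is an assumption of this example.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def full_name_parts(full_name: str) -> list[str]:
    """Parts of the full name longer than two characters, case-folded."""
    return [p.casefold() for p in _NAME_DELIMITERS.split(full_name) if len(p) > 2]


def category_count(password: str) -> int:
    """How many of the four character categories the password draws from."""
    present = (
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # base 10 digits
        any(not c.isalnum() for c in password),   # nonalphanumeric (!, $, #, %)
    )
    return sum(present)


def complexity_failures(password: str, account_name: str, full_name: str = "") -> list[str]:
    """List every complexity rule the candidate password violates.

    An empty list means the password satisfies PasswordComplexity.
    Comparisons are case-insensitive (an assumption of this example).
    """
    failures: list[str] = []
    folded = password.casefold()
    if account_name and account_name.casefold() in folded:
        failures.append("contains the account name")
    for part in full_name_parts(full_name):
        if part in folded:
            failures.append(f"contains full-name part {part!r}")
    if len(password) < 6:
        failures.append("shorter than six characters")
    if category_count(password) < 3:
        failures.append("fewer than three character categories")
    return failures


def meets_complexity(password: str, account_name: str, full_name: str = "") -> bool:
    """True when the password would be accepted under PasswordComplexity."""
    return not complexity_failures(password, account_name, full_name)


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for candidate in ("Summer2024!", "jsmith99!", "Smith1", "abc12"):
        print(candidate, "->", complexity_failures(candidate, "jsmith", "John Smith") or "ok")
```

Returning the list of failed rules rather than a bare boolean is what a change-password dialog or a policy audit needs: the user can be told which rule to fix, and a log line can record which rule was tripped.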

ClearTextPassword

Flag that indicates whether passwords MUST be stored by using reversible encryption. This value MUST be between 0 and 2^16. A value of 0 indicates that the password is not stored using reversible encryption. Any other valid value indicates that the password is stored with reversible encryption.

Use of this flag is not recommended.

This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords by using reversible encryption is essentially the same as storing plain-text versions of the passwords.

PasswordHistorySize

The number of unique new passwords that are required before an old password can be reused in association with a user account. This value MUST be between 0 and 2^16. A value of 0 indicates that the password history is disabled.

This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.

RequireLogonToChangePassword

Setting is ignored.<2>
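The table above gives each key a valid range plus two cross-key constraints (the minimum age versus the maximum age, and the meaning of 0 or -1). The Python below is an added example for this section, not code from the specification: it reads Key = Value lines, keeps the seven password-policy keys, reports values that break a MUST in the table, and separately lists settings the table itself describes as weak. It accepts a leading minus in the value so the "-1" the table allows for MaximumPasswordAge parses, although the ABNF reads 1*10DIGIT; that relaxation, the skipping of ";" comments and "[...]" section headers, and the sample policy text are assumptions of the example.

```python
import re

# Keys from the ABNF for password policies.
PASSWORD_POLICY_KEYS = {
    "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
    "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword",
    "RequireLogonToChangePassword",
}

# Key = Value with up to ten digits, plus an optional leading minus so the
# "-1" that the table allows for MaximumPasswordAge is accepted (the ABNF
# itself says 1*10DIGIT; accepting "-1" is an assumption of this example).
_KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z]+)\s*=\s*(?P<value>-?\d{1,10})$")

# Upper bound the table gives for the flag and count settings.
_MAX_16 = 2 ** 16


def parse_password_policy(text: str) -> dict[str, int]:
    """Collect the password-policy keys from Key = Value lines.

    Section headers ([...]), comments (;) and non-policy keys are skipped.
    """
    policy: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        match = _KEY_VALUE.match(line)
        if match and match.group("key") in PASSWORD_POLICY_KEYS:
            policy[match.group("key")] = int(match.group("value"))
    return policy


def policy_violations(policy: dict[str, int]) -> list[str]:
    """Values that break a MUST in the table (empty list if all are valid)."""
    problems: list[str] = []
    max_age = policy.get("MaximumPasswordAge")
    min_age = policy.get("MinimumPasswordAge")
    if max_age is not None and max_age != -1 and not 1 <= max_age <= 999:
        problems.append("MaximumPasswordAge must be -1 or in 1..999")
    if min_age is not None and not 0 <= min_age <= 999:
        problems.append("MinimumPasswordAge must be in 0..999")
    if (max_age is not None and min_age is not None
            and max_age != -1 and not min_age < max_age):
        problems.append("MinimumPasswordAge must be less than MaximumPasswordAge")
    for key in ("MinimumPasswordLength", "PasswordComplexity",
                "ClearTextPassword", "PasswordHistorySize"):
        value = policy.get(key)
        if value is not None and not 0 <= value <= _MAX_16:
            problems.append(f"{key} must be in 0..{_MAX_16}")
    return problems


def weak_settings(policy: dict[str, int]) -> list[str]:
    """Valid but weak choices, as the table itself describes them."""
    warnings: list[str] = []
    if policy.get("ClearTextPassword", 0) != 0:
        warnings.append("ClearTextPassword: reversible encryption, equivalent to plain text")
    if policy.get("MinimumPasswordLength") == 0:
        warnings.append("MinimumPasswordLength 0: no password is required")
    if policy.get("PasswordComplexity") == 0:
        warnings.append("PasswordComplexity 0: no complexity requirements apply")
    if policy.get("PasswordHistorySize") == 0:
        warnings.append("PasswordHistorySize 0: password history is disabled")
    return warnings


# Constructed sample in the Key = Value layout of the policy file (not a real template).
SAMPLE_POLICY = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
RequireLogonToChangePassword = 0
LockoutBadCount = 5
"""

if __name__ == "__main__":
    parsed = parse_password_policy(SAMPLE_POLICY)
    print(parsed)
    print("violations:", policy_violations(parsed))
    print("weak:", weak_settings(parsed))
```

Keeping range violations and weak-but-valid settings in separate lists matters in practice: a violation means the policy text is malformed and should not be applied, while a weak setting such as ClearTextPassword enabled is something a review should surface even though the file is well formed.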