How to Enforce Password Length Greater than 14 Characters in Windows 2022, Windows 10, and Windows 11

Reading Time: 5 minutes

Share:

Password security is one of the most important aspects of protecting your network and data from unauthorized access. Weak passwords can be easily guessed or cracked by attackers, compromising your systems and accounts. Therefore, it is essential to enforce strong password policies that require users to create complex and unique passwords that are hard to break. There has been a shift from the recommendation of shorter passwords that replace vowels with numbers and symbols to longer passwords that consist of phrases that are easy for the end users to remember. As such, a maximum configurable value of 14 for the minimum password length in Windows Server environment may be too short.

In this blog post, I will show you how to set up environments consisting of Windows Server 2022, Windows 10, and Windows 11 to enforce all users to set account passwords to be more than 14 characters long using a standard Group Policy Object (GPO). This will use the RelaxMinimumPasswordLengthLimits, MinimumPasswordLengthAudit, and MinimumPasswordLength Group Policy settings.

Why 14 Characters?

The default minimum password length in Windows is 8 characters, which is not enough to withstand brute force attacks that try every possible combination of characters. According to Microsoft, a password with 8 characters can be cracked in less than 2.5 hours, while a password with 14 characters can be substantially longer.

In Windows Server environments, the longstanding maximum value that can be set for the MinimumPasswordLength Group Policy settings is 14. Outside of using a Fine-grained Password Policy assigned to security groups, there is no way to require passwords longer than 14 characters in Windows.

To overcome this limitation, you need to enable the RelaxMinimumPasswordLengthLimits policy setting, which allows you to set the minimum password length to any value from 1 to 255. This setting works together with the MinimumPasswordLengthAudit and MinimumPasswordLength settings, which let you specify the minimum password length and audit the password changes that do not meet the requirement.

How to Configure the Password Policy Settings

To change the password policy settings in Windows Server 2022, you can follow these steps:

  1. Open the Group Policy Management Console (GPMC).
  2. Expand the Domains folder, choose the domain whose policy you want to access and choose Group Policy Objects.
  3. Right-click the Default Domain Policy GPO and click Edit.
  4. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
  5. Change “Relax minimum password length limits” to Enabled
  6. Change “Minimum password length audit” to the number of characters you want the minimum password length to be.
  7. Change “Minimum password length” to to the number of characters you want the minimum password length to be.

For more information on this Microsoft has this support article: Minimum Password Length auditing and enforcement on certain versions of Windows – Microsoft Support

Configuration Recommendations to Force Password Length Longer Than 14 Characters

The following gives more detail for each setting that you need to configure to enforce strong passwords in your environment:

Name: RelaxMinimumPasswordLengthLimits
Description: Allows you to set the minimum password length to any value from 1 to 255.
Value to require passwords greater than 14 characters: Enabled

Name: MinimumPasswordLengthAudit
Description: Specifies the minimum number of characters that a password must contain. If a user tries to change their password to a value that is shorter than this number, the system will generate a warning event in the Security log.
Value to require passwords greater than 14 characters: 15 or higher

Name: MinimumPasswordLength
Description: Specifies the minimum number of characters that a password must contain. If a user tries to change their password to a value that is shorter than this number, the system will reject the change and display an error message.
Value to require passwords greater than 14 characters: 15 or higher

Other Settings

In addition to the above, here is more detail on the remaining settings:

Name: Password must meet complexity requirements
Description: Determines whether passwords must meet a series of strong-password guidelines, such as containing characters from different categories and not including the username or full name.

Name: Enforce password history
Description: Determines the number of unique new passwords that must be associated with a user account before an old password can be reused.

Name: Maximum password age
Description: Determines the period of time (in days) that a password can be used before the system requires the user to change it.

Name: Minimum password age
Description: Determines the period of time (in days) that a password must be used before the user can change it.

Each of those settings should be thoughtfully considered to be a good mix of security and user acceptance.

By enforcing strong password policies, you can enhance the security of your network and data and comply with the best practices and standards.

Have any questions about how to use the Group Policy Object to enforce users to use long passwords over 14 characters in Windows? Please feel free to reach out to our experts at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

SIGN-UP FOR INSIGHTS

Join 14,000+ business executives and decision makers

Upcoming Events

Upcoming Events

View Calendar

Latest Insights

View All Insights

About The Author

Craig Schellenberg

Craig Schellenberg

Craig Schellenberg is a Senior Network Consultant at Sikich that works with businesses to improve their IT. Being detail oriented assists in his ability to design and deploy new solutions as well as troubleshoot complex issues. His primary areas of focus are virtualization and storage on premise (whether through VMware vSphere or Microsoft Hyper-V), Microsoft Cloud services such as Azure and Office 365, Microsoft SQL design and administration, backup/DR/Business Continuance, and network route/switch/firewalls. Craig holds many certifications including his MCSE (Microsoft Certified Solutions Expert) in Productivity, Messaging, and Cloud Platform and Infrastructure. Craig also holds multiple certifications of his VCP (VMware Certified Professional) including version 3, 4 (Data Center Virtualization), 5 (Data Center Virtualization), 5 (Desktop), Cloud, and 6 (Data Center Virtualization).

©2024 All Rights Reserved.   Privacy Policy   Disclaimer

white sikich logo