How to Create a Strong Password Policy on Windows 11/10: The Only Guide You Actually Need

A weak password is an open door. If your Windows environment does not have a clearly defined password policy, attackers do not need sophisticated tools. They just need patience and a basic dictionary file. This guide shows you exactly how to create a strong password policy on Windows, step by step, whether you are managing a single PC or a whole Active Directory domain.

You will learn what settings to configure, where to find them, what values actually work in 2026, and how to avoid the mistakes most IT admins make.

Why a Password Policy Matters More Than Ever

Breach reports year after year put compromised credentials at or near the top of the list of initial access methods. Attackers use credential stuffing, brute force, password spraying, and phishing. A well-configured password policy on Windows directly limits how far any of these gets and how much damage a single stolen credential can do.

It does not matter how good your firewall is if a user has their password set to Summer2024! and has not changed it in three years.

A strong password policy forces complexity, limits password reuse, locks out repeated failed attempts, and shortens the window an attacker has to exploit a stolen credential.

How to Create a Strong Password Policy on Windows

Two Environments, Two Paths

Before you start, you need to know which environment you are in. The tools you use depend on this.

Environment                                   | Tool to use
Standalone Windows PC (no domain)             | Local Security Policy (secpol.msc)
Windows Server with Active Directory          | Group Policy Management Console (GPMC), plus Fine-Grained Password Policies for exceptions
Microsoft Entra ID (formerly Azure AD) hybrid | Microsoft Entra Password Protection (on-premises agent) + Group Policy

This guide covers both standalone and domain-joined environments.

Part 1: Setting a Password Policy on a Standalone Windows Machine

Step 1: Open Local Security Policy

Press Win + R, type secpol.msc, and hit Enter. This opens the Local Security Policy editor.


Navigate to:

Security Settings > Account Policies > Password Policy

You will see six settings (recent Windows 10, Windows 11 and Windows Server 2022 builds add two more, Minimum password length audit and Relax minimum password length limits, which only matter if you want a minimum above 14). Each one matters.

Step 2: Configure Each Password Policy Setting

Here is what each setting does and what value to use in 2026.

Enforce Password History

This setting prevents users from reusing old passwords.

Set it to 24 passwords remembered.

If you set it to 3 or 5, users just cycle through a small set. Twenty-four, which is also the maximum Windows accepts, forces them to actually create new ones.

Maximum Password Age

This forces a password change after a set number of days.

NIST (National Institute of Standards and Technology) guidance in SP 800-63B recommends against mandatory periodic resets unless there is evidence of compromise, on the grounds that forced rotation produces predictable variants (Summer2024! becomes Autumn2024!). Many organisations still enforce 90 days because auditors expect it, and 90 is a defensible choice if you are not screening passwords against breach lists.

If you are a home user or small team, you can set this higher, around 180 days, or follow NIST and set it to 0, which in Windows means the password never expires, and force a change only when compromise is suspected. Whichever you pick, keep it above the minimum password age.

Minimum Password Age

This prevents users from changing their password several times in a row just to get back to their favourite old one.

Set it to 1 day.

Without it, a user can change their password 25 times in one sitting (24 throwaways to flush the history, then the old favourite) and defeat the history setting entirely. A minimum age of 1 turns that into a 24-day project nobody bothers with. Administrative resets are not subject to this setting, so helpdesk password resets still work.

Minimum Password Length

This is the most important setting. Short passwords fall fast.

Set it to 14 characters minimum.

A 14-character password has roughly 95^14 (about 4.9 × 10^27) possible values, against 95^8 (about 6.6 × 10^15) for eight characters. Against the unsalted NTLM hashes Windows stores, a multi-GPU cracking rig exhausts the entire 8-character keyspace in well under a day; 14 characters puts exhaustive search out of reach and leaves the attacker with wordlists and rules, which is exactly what the banned-password list in Part 4 is for. One caveat: secpol.msc and the Default Domain Policy cap this setting at 14 unless Relax minimum password length limits is enabled (available on recent Windows 10, Windows 11 and Windows Server 2022 builds), and net accounts caps it at 14 outright. Fine-grained password policies in Part 2 are not capped, which is how the 20-character admin value later in this guide is set.

Password Must Meet Complexity Requirements

Enable this. When turned on, Windows rejects a password that:

  • Contains the whole account name (sAMAccountName), or any piece of the display name that is three or more characters long once the name is split on commas, periods, hyphens, underscores, spaces, hashes and tabs (both checks ignore case; an account name shorter than three characters is not checked)
  • Is shorter than six characters (your minimum length setting is the one that actually binds)
  • Draws on fewer than three of these five categories: uppercase letters, lowercase letters, digits 0 through 9, non-alphanumeric characters, and letters that have no upper or lower case (for example CJK characters)

Set this to Enabled, but understand what it does not do: Password1! and P@ssw0rd satisfy every bullet above. Complexity is a coarse filter; length and a banned-password list do the real work.
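
To make the rule concrete, here is an added PowerShell function (not code from the original article) that mirrors the checks above against a candidate password: the six-character floor, the account-name and display-name token checks with the three-character cut-off, and the three-of-five category count. The account name, display name and the sample passwords are constructed for the demonstration.

```powershell
# Added example, not from the original article: a local model of the Windows
# "Password must meet complexity requirements" check, for testing candidate
# passwords or a generator before users hit the real policy. The rules follow
# Microsoft's published description of the setting; inputs below are made up.
function Test-WindowsPasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $reasons = @()

    # Rule 1: complexity implies a floor of six characters; a higher
    # "Minimum password length" setting is what binds in practice.
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # Rule 2: must not contain the whole sAMAccountName (case-insensitive).
    # Windows skips this check when the account name is under three characters.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons += "contains account name '$SamAccountName'"
    }

    # Rule 3: the display name is split on , . - _ space # and tab; no token of
    # three or more characters may appear in the password (case-insensitive).
    if ($DisplayName) {
        $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
        foreach ($t in $tokens) {
            if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "contains display-name token '$t'"
            }
        }
    }

    # Rule 4: characters from at least three of the five categories.
    $categories = 0
    if ($Password -cmatch '[A-Z]')          { $categories++ }  # uppercase letters
    if ($Password -cmatch '[a-z]')          { $categories++ }  # lowercase letters
    if ($Password -match  '[0-9]')          { $categories++ }  # base-10 digits
    if ($Password -match  '[^\p{L}\p{Nd}]') { $categories++ }  # non-alphanumeric (symbols, punctuation, space)
    if ($Password -cmatch '\p{Lo}')         { $categories++ }  # letters with no case, e.g. CJK
    if ($categories -lt 3) { $reasons += "only $categories of 5 character categories" }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample: two weak passwords the filter accepts anyway, one that
# trips the account-name rule, one that trips a display-name token, and a
# lowercase passphrase that only reaches two categories.
@('Summer2024!', 'P@ssw0rd', 'jsmith-rules-2026', 'Smith_Road_7', 'correct-horse-battery-staple') |
    ForEach-Object {
        Test-WindowsPasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'John Smith'
    } | Format-Table -AutoSize
```

The two passwords that pass are the point: the setting filters structure, not guessability, which is why Part 4 pairs it with a banned-password list.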

Store Passwords Using Reversible Encryption

Set this to Disabled. Always.

Reversible encryption stores the password in a form the domain controller can decrypt back to plaintext, so anyone who can read the directory database, or replicate it with a DCSync-style request, gets the password itself rather than a hash. It exists only for legacy protocols such as CHAP and Digest authentication that need the cleartext password; nothing in a modern Windows environment needs it.

Step 3: Configure Account Lockout Policy

Password policy alone is not enough. You need lockout settings too. Navigate to:

Security Settings > Account Policies > Account Lockout Policy

Setting                             | Recommended value
Account lockout threshold           | 5 invalid attempts
Account lockout duration            | 30 minutes
Reset account lockout counter after | 30 minutes

Five attempts stops online brute force while leaving room for a user who mistypes a password; thirty minutes is enough cool-down. Two things to keep in mind. The reset window cannot be longer than the lockout duration, and secpol.msc will adjust one value to match the other. And lockout cuts both ways: an attacker who knows your threshold can deliberately lock out every account in the domain, and a password spray that stays at four attempts per account never triggers it, which is why the auditing in Part 4 matters. Microsoft's own security baseline uses 10 attempts with a 15-minute duration and window, and Windows 11 22H2 and later ship with lockout enabled at 10 by default, so do not go below 5. On those builds, also enable Allow Administrator account lockout so the built-in Administrator account is no longer exempt.

Part 2: Setting a Password Policy in Active Directory (Domain Environment)

In a domain, Local Security Policy on individual machines does not control account policies for domain accounts. Those come only from Group Policy linked at the domain root, and the domain controllers enforce them. (A GPO linked to an OU can still carry account-policy settings, but they affect only the local SAM accounts on computers in that OU.)

Step 1: Open Group Policy Management Console

On your Domain Controller, go to Server Manager, click Tools, and open Group Policy Management.


Expand your forest, then your domain.

Step 2: Edit the Default Domain Policy

Right-click on Default Domain Policy and click Edit. This opens the Group Policy Management Editor.

Navigate to:

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy

Configure the same values described in Part 1. The key difference is that these settings apply to every domain user account. Two rules decide which GPO wins: for domain accounts only GPOs linked at the domain root are honoured, and where several of those define account policy the one with the highest link order takes effect, so check that nothing else at the root overrides your edit. Keep account, lockout and Kerberos policy in the Default Domain Policy and put unrelated settings in separate GPOs, which is Microsoft's long-standing recommendation.

Step 3: Use Fine-Grained Password Policies for Specific Groups

Fine-Grained Password Policies (FGPP) are available once the domain functional level is Windows Server 2008 or higher. They let you apply stricter rules to privileged accounts such as administrators, and deliberately different ones where a service account genuinely needs them, without touching the domain-wide policy.

To configure FGPP:

  1. Open Active Directory Administrative Center
  2. Navigate to your domain name, then System, then Password Settings Container
  3. Right-click and select New > Password Settings
  4. Set your values, give the policy a precedence (the lowest number wins when several apply to one user), and assign it to users or global security groups (an FGPP cannot be applied to an OU)

For admin accounts, consider these stricter values:

Setting                 | Admin account value
Minimum password length | 20 characters
Maximum password age    | 60 days
Lockout threshold       | 3 invalid attempts
Lockout duration        | 60 minutes

Admins have more access. They get stricter rules. This is correct security hygiene.

Step 4: Force a Group Policy Update

After saving, the domain controllers pick the change up on their next Group Policy refresh. To apply it immediately, run this on a domain controller (on a member server or workstation it only refreshes that machine's own local-account policy):

gpupdate /force

gpresult /r lists which GPOs were applied to the machine:

gpresult /r

To see the policy a given domain account actually ends up with, run net accounts with the /domain switch, or use the PowerShell cmdlet Get-ADUserResultantPasswordPolicy shown in Part 3, which also reflects any fine-grained policy.

Part 3: Using PowerShell to Configure Password Policies

If you prefer the command line or need to automate this across multiple systems, PowerShell is your friend.

For Local Policy (Standalone Machine)

# Set minimum password length to 14 (the highest value net accounts accepts)
net accounts /minpwlen:14

# Set maximum password age to 90 days (use /maxpwage:unlimited for never)
net accounts /maxpwage:90

# Set minimum password age to 1 day
net accounts /minpwage:1

# Remember the last 24 passwords
net accounts /uniquepw:24

# Lock the account after 5 failed attempts
net accounts /lockoutthreshold:5

# Keep it locked for 30 minutes
net accounts /lockoutduration:30

# Reset the failed-attempt counter after 30 minutes (cannot exceed the duration)
net accounts /lockoutwindow:30

Run net accounts on its own to verify the current settings. Note that net accounts has no switch for complexity or reversible encryption; those two need secpol.msc or a secedit security template.
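
net accounts covers the numeric settings only. The following added script (not code from the original article) applies the whole Part 1 policy, complexity and reversible encryption included, by writing a security template and importing it with secedit; the template keys are the ones secedit itself exports. It assumes an elevated session on a standalone or workgroup machine, and the file locations under %TEMP% are its own choice.

```powershell
# Added example, not from the original article. Applies the full Part 1
# policy to the local SAM in one step, including the two settings net accounts
# has no switch for: PasswordComplexity and ClearTextPassword (reversible
# encryption). Assumes an elevated session on a standalone/workgroup machine;
# the %TEMP% file locations are this script's own choice.
#Requires -RunAsAdministrator

# Security template in the same format that secedit /export produces.
$template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

$work   = $env:TEMP
$inf    = Join-Path $work 'password-policy.inf'
$db     = Join-Path $work 'password-policy.sdb'
$backup = Join-Path $work 'policy-before.inf'
$after  = Join-Path $work 'policy-after.inf'

# 1. Export the current policy first so the change can be rolled back
#    (re-import the backup with the same /configure command to revert).
secedit /export /cfg $backup /areas SECURITYPOLICY | Out-Null

# 2. Write the template as UTF-16, which is what secedit expects, and apply
#    only the SECURITYPOLICY area so nothing outside account policy is touched.
Set-Content -Path $inf -Value $template -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# 3. Verify. net accounts shows the numeric values; the re-export confirms the
#    two booleans that net accounts cannot display.
net accounts
secedit /export /cfg $after /areas SECURITYPOLICY | Out-Null
Get-Content $after | Where-Object { $_ -match '^(MinimumPasswordLength|PasswordComplexity|ClearTextPassword)' }
```

The same template can be pushed to a fleet of workgroup machines with any remote-execution tool you already use; the import is idempotent, so re-running it is harmless.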

For Active Directory (Domain)

# Import the module (RSAT: Active Directory PowerShell, or run on a domain controller)
Import-Module ActiveDirectory

# Set the default domain password policy; the lockout settings live on the same object
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" `
  -MinPasswordLength 14 `
  -MaxPasswordAge (New-TimeSpan -Days 90) `
  -MinPasswordAge (New-TimeSpan -Days 1) `
  -PasswordHistoryCount 24 `
  -ComplexityEnabled $true `
  -ReversibleEncryptionEnabled $false `
  -LockoutThreshold 5 `
  -LockoutDuration (New-TimeSpan -Minutes 30) `
  -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# View current policy
Get-ADDefaultDomainPasswordPolicy

For Fine-Grained Password Policy via PowerShell (requires a domain functional level of Windows Server 2008 or higher):

New-ADFineGrainedPasswordPolicy -Name "AdminPolicy" `
  -Precedence 10 `
  -MinPasswordLength 20 `
  -MaxPasswordAge (New-TimeSpan -Days 60) `
  -MinPasswordAge (New-TimeSpan -Days 1) `
  -PasswordHistoryCount 24 `
  -ComplexityEnabled $true `
  -ReversibleEncryptionEnabled $false `
  -LockoutThreshold 3 `
  -LockoutDuration (New-TimeSpan -Minutes 60) `
  -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
  -ProtectedFromAccidentalDeletion $true

# Apply to Domain Admins. Subjects must be users or global security groups;
# when several policies apply to one user, the lowest precedence number wins.
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPolicy" -Subjects "Domain Admins"

# Confirm that a member actually resolves to the new policy (replace the account name)
Get-ADUserResultantPasswordPolicy -Identity "adm-jsmith"
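
Once the default policy and the admin PSO are in place, the check a practitioner wants is whether the right accounts actually resolve to the right policy, and which accounts carry flags that sidestep the policy no matter what it says. This added script (not code from the original article) does both. It assumes the ActiveDirectory module and read access to the domain; the Domain Admins group and the 90-day staleness figure are illustrative choices.

```powershell
# Added example, not from the original article: verify the resultant policy
# for privileged accounts and find accounts whose flags bypass the policy.
# Assumes RSAT ActiveDirectory and read access; group name and staleness
# threshold are illustrative.
Import-Module ActiveDirectory

$staleDays = 90   # matches the standard-user maximum age used in this guide
$default   = Get-ADDefaultDomainPasswordPolicy

# 1. Resultant policy per privileged user. No PSO returned means the account
#    falls back to the Default Domain Policy, i.e. the admin PSO missed it
#    (typically because the user is a member via a non-global group).
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinLength = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
        }
    } | Format-Table -AutoSize

# 2. Enabled accounts that bypass the policy regardless of its values:
#    never-expiring passwords, PASSWD_NOTREQD (a blank password is allowed),
#    reversible encryption, stale passwords, and SPNs on user accounts
#    (Kerberoastable, so the password must be long enough to survive offline
#    cracking; a group Managed Service Account removes the problem).
$props = 'PasswordNeverExpires', 'PasswordNotRequired', 'AllowReversiblePasswordEncryption',
         'PasswordLastSet', 'ServicePrincipalName'
Get-ADUser -Filter { Enabled -eq $true } -Properties $props |
    ForEach-Object {
        $issues = @()
        if ($_.PasswordNeverExpires)              { $issues += 'never expires' }
        if ($_.PasswordNotRequired)               { $issues += 'PASSWD_NOTREQD' }
        if ($_.AllowReversiblePasswordEncryption) { $issues += 'reversible encryption' }
        if ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$staleDays)) {
            $issues += "not changed in $staleDays+ days"
        }
        if ($_.ServicePrincipalName)              { $issues += 'has SPN (Kerberoastable)' }
        if ($issues) {
            [pscustomobject]@{ User = $_.SamAccountName; Issues = ($issues -join ', ') }
        }
    } | Sort-Object User | Format-Table -AutoSize
```

Run the second part before tightening the policy, not after: an account with PASSWD_NOTREQD set keeps its blank password until someone changes it, and a 20-character PSO does nothing for a service account whose password was set in 2016.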

Part 4: Strengthening Your Policy Beyond the Basics

Enable Windows Defender Credential Guard

Credential Guard uses virtualization-based security to move domain credentials (NTLM hashes and Kerberos tickets) out of LSASS into an isolated process, LSAIso, that the normal kernel cannot read. Malware running as SYSTEM can still dump LSASS; it just no longer finds the domain secrets there. It does not protect local SAM accounts, credentials typed into a phishing page, or keystrokes, so it complements a password policy rather than replacing one. It requires UEFI, Secure Boot, hardware virtualization and an Enterprise or Education edition; Windows 11 22H2 Enterprise turns it on by default on qualifying hardware.

Enable it via Group Policy:

Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security, then set Credential Guard Configuration to Enabled with UEFI lock so it cannot be switched off remotely.

Confirm it is active with msinfo32: under System Summary, Virtualization-based security Services Running should list Credential Guard.

Ban Common Passwords with Microsoft Entra Password Protection

If you use Microsoft Entra ID (formerly Azure Active Directory) or a hybrid setup, Entra Password Protection rejects passwords that appear on Microsoft's global banned list or on your own custom list, after normalising case and the usual substitutions, so Password1!, P@ssw0rd and their cousins are refused even though they satisfy the complexity rule. It is evaluated only when a password is set or changed; existing weak passwords stay until they are rotated.

To extend this to on-premises Active Directory, deploy the DC agent on every domain controller and at least one proxy service on a member server that can reach Entra; start in audit mode, review the would-have-been-rejected events, then switch to enforce. The on-premises deployment requires a Microsoft Entra ID P1 or P2 licence. Microsoft documents the feature under Microsoft Entra Password Protection.

Audit Password Policy Compliance

Enable auditing so you know when accounts are locked out or when policy changes are made.

Navigate to:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies

Enable:

  • Account Management > Audit User Account Management: Success and Failure. On the domain controller this logs event 4740 when an account is locked out, plus 4720 and 4724 for account creation and password resets.
  • Logon/Logoff > Audit Account Lockout: Failure. This logs event 4625 on the machine where a logon against an already-locked account was attempted.
  • Account Logon > Audit Kerberos Authentication Service and Audit Credential Validation: Failure. These produce 4771 and 4776 on the domain controllers, which is where a password spray is visible before any lockout happens.
  • Policy Change > Audit Authentication Policy Change: Success. This logs 4739 when the domain's password or lockout policy itself is changed.

When you use the Advanced Audit Policy settings, also enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings under Local Policies > Security Options, so a legacy category-level setting cannot undo them.

These events go to the Windows Security event log. Forward them to a SIEM and alert on bursts of 4740 from a single source and on many distinct accounts failing from one IP address.
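
To show what those alerts look like in practice, here is an added PowerShell script (not code from the original article) that summarises lockouts (4740) and bad-password failures (4771 with status 0x18, and 4625) per source, which is the shape of the two detections just described. The record layout, the constructed sample events and the ten-user spray threshold are this example's own assumptions; on a domain controller, the commented collector at the end replaces the sample.

```powershell
# Added example, not from the original article. Turns the audit settings
# above into a detection by summarising lockouts (4740) and bad-password
# failures (4771 status 0x18, 4625) per source. Record shape, sample events
# and the spray threshold are this example's own assumptions.

function ConvertTo-AuthRecord {
    # Flatten a Security-log event into the fields the detections need.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $data = @{}
        ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time   = $Event.TimeCreated
            Id     = $Event.Id
            User   = $data['TargetUserName']
            Status = $data['Status']
            # 4740 names the caller computer; 4771 and 4625 carry the client IP
            Source = if ($Event.Id -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
        }
    }
}

function Find-LockoutSources {
    # One source locking several accounts is a script or a spray, not a typo.
    param([object[]]$Records)
    $Records | Where-Object Id -eq 4740 | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Lockouts = $_.Count
            Users    = (@($_.Group.User | Sort-Object -Unique) -join ', ')
        }
    } | Sort-Object Lockouts -Descending
}

function Find-SpraySources {
    # Spray signature: many distinct users failing from one source while each
    # user stays below the lockout threshold, so 4740 never fires at all.
    param([object[]]$Records, [int]$MinDistinctUsers = 10)
    $Records |
        Where-Object { ($_.Id -eq 4771 -and $_.Status -eq '0x18') -or $_.Id -eq 4625 } |
        Group-Object Source |
        Where-Object { @($_.Group.User | Sort-Object -Unique).Count -ge $MinDistinctUsers } |
        ForEach-Object {
            [pscustomobject]@{
                Source        = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
                MaxPerUser    = ($_.Group | Group-Object User | Measure-Object Count -Maximum).Maximum
            }
        }
}

# Constructed sample: twelve users each failing once from 10.0.0.50 (a spray
# that never reaches a threshold of 5) and two lockouts caused from WKS-042.
$now = Get-Date
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ Time = $now; Id = 4771; User = "user$_"; Status = '0x18'; Source = '10.0.0.50' }
    }
    [pscustomobject]@{ Time = $now; Id = 4740; User = 'jsmith'; Status = $null; Source = 'WKS-042' }
    [pscustomobject]@{ Time = $now; Id = 4740; User = 'mjones'; Status = $null; Source = 'WKS-042' }
)
Find-LockoutSources -Records $sample | Format-Table -AutoSize
Find-SpraySources   -Records $sample | Format-Table -AutoSize

# Live use on a domain controller (elevated, or a member of Event Log Readers):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4771, 4625;
#             StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue | ConvertTo-AuthRecord
# Find-LockoutSources -Records $live; Find-SpraySources -Records $live
```

The spray detection is the one a lockout threshold alone never gives you: in the sample every account fails exactly once, no 4740 is ever written, and only the count of distinct users per source gives the attacker away.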

Consider Passphrases Instead of Complex Short Passwords

A passphrase like correct-horse-battery-staple is 28 characters and easy to remember, and length is what defeats exhaustive search; you do not need forced special characters once the length is there. Two caveats. That particular phrase is now in every cracking wordlist, so treat it as an illustration, not a password. And with the Windows complexity setting enabled, an all-lowercase phrase with hyphens hits only two character categories and is rejected, so either capitalise a word or add a digit, or turn complexity off and rely on length plus a banned-password list.

This aligns with NIST SP 800-63B, which tells verifiers to favour length and breached-password screening over composition rules. Read more in NIST SP 800-63B, Digital Identity Guidelines.

Common Mistakes to Avoid

Mistake                                      | Why it hurts                                               | Fix
Setting minimum length to 8                  | Exhaustible in hours against NTLM on modern hardware       | Set to 14 or higher
Not setting a minimum password age           | Users cycle through the history to reuse old passwords     | Set to at least 1 day
Applying only to admins                      | Regular accounts get compromised and used to pivot         | Apply domain-wide, then layer stricter rules for admins
Never auditing lockouts                      | You miss brute-force and spray attempts in progress        | Enable lockout auditing and alert on event 4740
Ignoring service accounts                    | These often have weak, static, never-expiring passwords    | Apply an FGPP with stricter rules, or move them to group Managed Service Accounts
Storing passwords with reversible encryption | Equivalent to storing plaintext                            | Always leave this setting disabled

Quick Reference: Recommended Password Policy Settings (2026)

Setting                     | Standard user | Admin / privileged user
Minimum password length     | 14 characters | 20 characters (via a fine-grained policy)
Maximum password age        | 90 days       | 60 days
Minimum password age        | 1 day         | 1 day
Password history            | 24            | 24
Complexity enabled          | Yes           | Yes
Reversible encryption       | No            | No
Lockout threshold           | 5 attempts    | 3 attempts
Lockout duration            | 30 minutes    | 60 minutes
Reset lockout counter after | 30 minutes    | 60 minutes

Conclusion

Creating a strong password policy on Windows is not a single checkbox. It is a combination of length requirements, complexity rules, history enforcement, lockout settings, and ongoing auditing. The steps above give you everything you need to set this up correctly in 2026, whether you are on a single PC or managing an enterprise Active Directory environment.

Start with the basics: 14-character minimum, complexity on, history at 24, lockout at 5 attempts. Then layer in Fine-Grained Policies for admin accounts, enable Credential Guard, and audit your logs. That combination makes credential-based attacks significantly harder.

The goal is not perfection. It is raising the cost of an attack high enough that attackers move on to easier targets.

Frequently Asked Questions

How do I check the current password policy on Windows?

On a standalone machine, open Command Prompt and run net accounts. This displays the current password length, age, history, and lockout settings. In a domain, run Get-ADDefaultDomainPasswordPolicy in PowerShell, or open the Default Domain Policy in Group Policy Management Console.

Does the Local Security Policy override Group Policy in a domain?

No. For domain accounts, account policy comes only from Group Policy linked at the domain root (or from a fine-grained policy), and the domain controllers enforce it; whatever a workstation's Local Security Policy says is irrelevant to those accounts. Local Security Policy, and any account-policy GPO linked to an OU, governs only the local SAM accounts on the machines it reaches.

What is the difference between Fine-Grained Password Policy and the Default Domain Policy?

The Default Domain Policy applies a single password policy to all user accounts in the domain. Fine-Grained Password Policies (FGPP) let you define separate policies for specific users or security groups. This means you can apply stricter rules to Domain Admins while keeping standard rules for regular users.

How long should passwords be in 2026?

Microsoft's security baseline for Windows sets a 14-character minimum, and this guide recommends 14 for standard users and 20 for privileged accounts through a fine-grained policy. Length is the single most important factor: a 20-character passphrase with no symbols has a vastly larger keyspace than an 8-character password with them.

What happens when I enable complexity requirements in Windows?

Windows rejects a password that contains the account name or a three-character-or-longer piece of the display name, is shorter than 6 characters (your minimum length setting is the one that binds), or uses fewer than three of these categories: uppercase letters (A through Z), lowercase letters (a through z), digits (0 through 9), non-alphanumeric characters such as !, $, #, or %, and letters that have no case, such as CJK characters. This blocks a plain dictionary word, but not Password1!, which is why a banned-password list matters as well.

MK Usmaan