How To Enforce Strong Passwords in Windows 10
Passwords help keep your computer secure from casual passers by who may wish to browse or copy data off your computer when they have access to it for a short period (for protection in case of the computer being stolen, you need encryption - since the thief could connect the storage media to some other computer that does not require your password). Passwords also make it harder for someone to clandestinely install malware or other software on your computer when you are not present.
For instance, if a computer is password protected, someone accessing your facility after hours cannot simply connect a USB storage drive and copy data from your account.
All this protection goes away if your password is cracked. That is where strong passwords come in. A strong password is difficult to be guessed using manual and automatic password cracking tools.
The first step is of course to make sure that all computer accounts do use passwords. And there are no guest accounts enabled. Fortunately in Windows 10, there are no guest accounts by default.
Next, we need to force each account to have a strong password.
Require Strong Passwords
On each of your computers, follow the following steps with an administrator account.
Press the Windows key and R key simultaneously. In the little popup window towards bottom left, type secpol.msc. Click OK.
In the window that opens, double click Account Policies and then Password Policy.
You will see several password related settings in the right pane.
Make sure that Store passwords using reversible encryption is Disabled. By default, passwords are stored with non-reversible encryption, so that someone who steals the password file cannot get the actual passwords. Storing them with reversible encryption is almost as good as not encrypting them, because the decryption key is stored on the computer itself. Anyone who gets access to the computer would get both the encrypted passwords as well as the decryption key. Its like locking a door and then leaving the key in the lock.
When we disable this setting, passwords are encrypted using one way encryption. When you type the password, the operating system can encrypt it and match it to the stored encrypted password. But there is no decryption key to decrypt the stored encrypted password.
In the right pane, double click Password must meet complexity requirements and set it to enabled.
Setting this to enabled means that Windows will ensure that passwords
- do not contain the user account name or full name
- be at least 6 characters in length
- contain characters from at least 3 of the 4 following categories: uppercase English letters (A-Z), lowercase English letters (a-z), base 10 digits (0-9), and non-alphabetic characters (such as $, !, %).
Optionally, you may require even stronger passwords than the above setting enforces.
For instance, you could set the Minimum Password length in the right pane to force the use of longer passwords. For instance you could select the minimum password length to be 8 instead of 6 characters.
Another useful setting to configure is the Maximum password age. This would force users to change passwords regularly. This makes accounts safer because any old password if lost or stolen will become useless after this duration.
Related to maximum password age is the setting Enforce password history. This ensures that a certain number of the previous passwords cannot be re-used. For instance, if this setting is set to 3, then, the user cannot use any of their previous 3 passwords when changing their password.
Remember to restart your computer after making the policy changes above.