Password Policy
Here are step-by-step instructions to enable password policy requirements for a device.
Windows:
- The following requirements must be enforced to pass this check:
- Minimum password length: 8 characters
- Password must meet complexity requirements: Enabled
- "gpedit.msc" or "secpol.msc" must be installed in order to set a password policy
- These come installed on Windows 10/11 Pro
- If you are on Windows 10/11 Home, this is how to download and install "gpedit.msc":
- Download this Batch script
- Right-click it and select "Run as Administrator"
- Wait up to 10 minutes for the script to download and install "gpedit.msc"
- Follow the instructions for "Group Policy method"
- The requirements can be set via Group Policy or Local Security Policy.
- Group Policy method:
- Open the Run program and enter "gpedit.msc"
- Go to "Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy"
- Set "Minimum password length" to 8
- Set "Password must meet complexity requirements" to "Enabled"
- Local Security Policy method:
- Open the Run program and enter "secpol.msc"
- Go to Security Settings -> Account Policies -> Password Policy
- Set "Minimum password length" to 8
- Set "Password must meet complexity requirements" to "Enabled"
- Group Policy method:
- If not all your Windows devices come with these programs or it would be too time-consuming to edit these settings on each device, we recommend instead using an MDM to enforce these settings.
Mac:
You will need to create a device profile with requireAlphanumeric set to true and minLength >= 8.
- An MDM such as Kolide or Jamf Pro can also create and enforce a password & screen lock policy.
- If not using an MDM, you can install this profile we've created for everyone to use, or you can use the resources below to create your own device profile.
- This profile will also enforce the required screen lock settings.
- Profile resources:
- More information on configuration for Apple devices
- More information on payload for configuring a password policy
This video also shows how to configure the shared password & screen lock profile for your device.
Linux:
The Password Policy check will not pass until you have both updated the password requirements and changed your password to comply with these requirements. These instructions were taken in part from this article.
The Password Policy check requires:
- Minimum password length of at least eight characters.
- The character classes are digits, uppercase letters, lowercase letters, and special characters.
- A minimum of three character classes in each password, meaning that at least three of the four classes must be represented in the password.
- Install the augeas-lenses library and PAM module by running the following commands in your terminal:
sudo apt install augeas-lenses
sudo apt install libpam-pwquality
- Some Linux distributions may already have these libraries installed. See here for more technical information about the PAM module.
- Open the /etc/pam.d/common-password file.
- Find the line that includes pam_pwquality.so.
- Add minlen=8 minclass=3 to the end of that line. An example would look something like this:
password requisite pam_pwquality.so retry=3 minlen=8 minclass=3
- *If your Linux device is not 'checking in' after restarting, please refer to this article.
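To confirm the Linux edit took effect, the following added example (not part of the original article or any vendor tooling) reads the active pam_pwquality.so line and checks it against the minlen=8 and minclass=3 values above. The function names and the sample file are assumptions made for illustration, and the script inspects only the PAM line the steps above edit, not other configuration files.

```shell
#!/bin/sh
# Added example: audit the pam_pwquality.so line for the minlen/minclass values above.

# pam_opt LINE NAME: print the last NAME=value option found on a PAM line.
pam_opt() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# is_uint VALUE: succeed only for a non-empty string of digits.
is_uint() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# check_pwquality [FILE]: 0 = compliant, 1 = not compliant, 2 = file unreadable.
check_pwquality() {
    file=${1:-/etc/pam.d/common-password}
    [ -r "$file" ] || { echo "UNREADABLE: $file"; return 2; }

    # First active (not commented-out) password line that loads the module.
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_pwquality\.so' "$file" | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no active pam_pwquality.so line in $file"; return 1; }

    minlen=$(pam_opt "$line" minlen)
    minclass=$(pam_opt "$line" minclass)
    rc=0
    if ! is_uint "$minlen" || [ "$minlen" -lt 8 ]; then
        echo "FAIL: minlen='${minlen}' (need >= 8)"; rc=1
    fi
    if ! is_uint "$minclass" || [ "$minclass" -lt 3 ]; then
        echo "FAIL: minclass='${minclass}' (need >= 3)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: minlen=$minlen minclass=$minclass"
    return "$rc"
}

# Constructed sample input: one commented-out line and the example line from above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# password requisite pam_pwquality.so retry=3
password requisite pam_pwquality.so retry=3 minlen=8 minclass=3
EOF
check_pwquality "$sample"
rm -f "$sample"
```

On a real device, call check_pwquality with no argument to audit /etc/pam.d/common-password; a non-zero exit status means the line still needs editing.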