Secureframe Agent: Password Policy Check

Password Policy 

Here are step-by-step instructions to enable password policy requirements for a device.


  • The following requirements must be enforced to pass this check:
    • Minimum password length: 8 characters
    • Password must meet complexity requirements: Enabled
  • These can be set via Local Security Policy or Group Policy, both of which come installed on Windows 10/11 Pro.
    • Local Security Policy method:
      • Open the Run program and enter "secpol.msc"
      • Go to Security Settings -> Account Policies -> Password Policy
        • Set "Minimum password length" to 8
        • Set "Password must meet complexity requirements" to "Enabled"
    • Group Policy method:
      • Open the Run program and enter "gpedit.msc"
      • Go to "Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy"
        • Set "Minimum password length" to 8
        • Set "Password must meet complexity requirements" to "Enabled"
  • If not all your Windows devices come with these programs or it would be too time-consuming to edit these settings on each device, we recommend instead using an MDM to enforce these settings.


You will need to create a device profile with requireAlphanumeric set to true and minLength >= 8.


The Password Policy check will not pass until you have both updated the password requirements and changed your password to comply with these requirements. These instructions were taken in part from this article.

The Password Policy check requires:

  • Minimum password length of at least eight characters.
  • The classes of characters are digits, upper letters, lower letters, and special characters.
  • Minimum class of at least three for each password, meaning that multiple classes must be represented in the password.
  1. Install the augeas-lenses library and PAM module by running the following commands in your terminal:
sudo apt install augeas-lenses
sudo apt install libpam-pwquality
  1. Some Linux distributions may already have these libraries installed. See here for more technical information about the PAM module.
  2. Open the /etc/pam.d/common-password file.
  3. Find the line that includes
  4. Add minlen=8 minclass=3 to the end of that line. An example would look something like this:
password requisite retry=3 minlen=8 minclass=3
  • *If your Linux device is not 'checking in' after restarting, please refer to this article.

Was this article helpful?

Have more questions? Submit a request



Article is closed for comments.