{
	"id": "44669a3a-d1d2-44b6-9a5a-2faee2e2d9e9",
	"created_at": "2026-04-06T00:15:32.977633Z",
	"updated_at": "2026-04-10T03:21:03.215996Z",
	"deleted_at": null,
	"sha1_hash": "a8c613bb12dd7f7034b22649e3329b2d117e81ac",
	"title": "Password must meet complexity requirements - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56687,
	"plain_text": "Password must meet complexity requirements - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 21:59:38 UTC\r\nApplies to\r\nWindows 11\r\nWindows 10\r\nDescribes the best practices, location, values, and security considerations for the Password must meet\r\ncomplexity requirements security policy setting.\r\nThe Passwords must meet complexity requirements policy setting determines whether passwords must meet a\r\nseries of strong-password guidelines. When enabled, this setting requires passwords to meet the following\r\nrequirements:\r\n1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName\r\n(Full Name value). Neither of these checks is case-sensitive.\r\nThe samAccountName is checked in its entirety only to determine whether it's part of the password. If the\r\nsamAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for\r\ndelimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these\r\ndelimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be\r\nincluded in the password. Tokens that are shorter than three characters are ignored, and substrings of the\r\ntokens aren't checked. For example, the name \"Erin M. Hagens\" is split into three tokens: \"Erin\", \"M\", and\r\n\"Hagens\". Because the second token is only one character long, it's ignored. So, this user couldn't have a\r\npassword that included either \"erin\" or \"hagens\" as a substring anywhere in the password.\r\n2. 
The password contains characters from three of the following categories:\r\nUppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic\r\ncharacters).\r\nLowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and\r\nCyrillic characters).\r\nBase 10 digits (0 through 9).\r\nNon-alphanumeric characters (special characters):\r\n'-!\"#$%\u0026()*,./:;?@[]^_`{|}~+\u003c=\u003e\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements\r\nPage 1 of 3\n\nCurrency symbols such as the Euro or British Pound aren't counted as special characters for this\r\npolicy setting.\r\nAny Unicode character that's categorized as an alphabetic character but isn't uppercase or\r\nlowercase. This group includes Unicode characters from Asian languages.\r\nComplexity requirements are enforced when passwords are changed or created.\r\nThe rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll ,\r\nand they can't be directly modified.\r\nWhen enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because\r\nusers are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal\r\nenough that all users should get used to it.\r\nOther settings that can be included in a custom Passfilt.dll are the use of non-upper-row characters. To type\r\nupper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the\r\nkeyboard (from 1 through 9 and 0).\r\nEnabled\r\nDisabled\r\nNot defined\r\nSet Passwords must meet complexity requirements to Enabled. This policy setting, combined with a minimum\r\npassword length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single\r\npassword. 
This setting makes a brute force attack difficult, but still not impossible.\r\nThe use of ALT key character combinations may greatly enhance the complexity of a password. However,\r\nrequiring all users in an organization to adhere to such stringent password requirements might result in unhappy\r\nusers and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT\r\ncharacters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of\r\nthat range can represent standard alphanumeric characters that don't add more complexity to the password.)\r\nShort passwords that contain only alphanumeric characters are easy to compromise by using publicly available\r\ntools. To prevent this vulnerability, passwords should contain other characters and/or meet complexity\r\nrequirements.\r\nComputer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\r\nThe following table lists the actual and effective default policy values. 
Default values are also listed on the\r\npolicy's property page.\r\nServer type or Group Policy Object (GPO) Default value\r\nDefault domain policy Enabled\r\nDefault domain controller policy Enabled\r\nStand-alone server default settings Disabled\r\nDomain controller effective default settings Enabled\r\nMember server effective default settings Enabled\r\nEffective GPO default settings on client computers Disabled\r\nThis section describes how an attacker might exploit a feature or its configuration, how to implement the\r\ncountermeasure, and the possible negative consequences of countermeasure implementation.\r\nPasswords that contain only alphanumeric characters are easy to discover with several publicly available tools.\r\nConfigure the Passwords must meet complexity requirements policy setting to Enabled and advise users to use\r\nvarious characters in their passwords.\r\nWhen combined with a Minimum password length of 8, this policy setting ensures that the number of different\r\npossibilities for a single password is so great that it's difficult (but possible) for a brute force attack to succeed. 
(If\r\nthe Minimum password length policy setting is increased, the average amount of time necessary for a successful\r\nattack also increases.)\r\nIf the default configuration for password complexity is kept, more Help Desk calls for locked-out accounts could\r\noccur because users might not be used to passwords that contain non-alphabetical characters, or they might have\r\nproblems entering passwords that contain accented characters or symbols on keyboards with different layouts.\r\nHowever, all users should be able to follow the complexity requirement with minimal difficulty.\r\nIf your organization has more stringent security requirements, you can create a custom version of the\r\nPassfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom\r\npassword filter might require the use of non-upper-row symbols. (Upper-row symbols are those symbols that\r\nrequire you to press and hold the SHIFT key and then press any of the keys on the number row of the keyboard,\r\nfrom 1 through 9 and 0.) A custom password filter might also perform a dictionary check to verify that the\r\nproposed password doesn't contain common dictionary words or fragments.\r\nThe use of ALT key character combinations may greatly enhance the complexity of a password. However, such\r\nstringent password requirements might result in more Help Desk requests. Alternatively, your organization could\r\nconsider a requirement for all administrator passwords to use ALT characters in the 0128-0159 range. 
(ALT\r\ncharacters outside of this range can represent standard alphanumeric characters that wouldn't add more complexity\r\nto the password.)\r\nPassword Policy\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements"
	],
	"report_names": [
		"password-must-meet-complexity-requirements"
	],
	"threat_actors": [],
	"ts_created_at": 1775434532,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8c613bb12dd7f7034b22649e3329b2d117e81ac.pdf",
		"text": "https://archive.orkl.eu/a8c613bb12dd7f7034b22649e3329b2d117e81ac.txt",
		"img": "https://archive.orkl.eu/a8c613bb12dd7f7034b22649e3329b2d117e81ac.jpg"
	}
}