Let us see how we can enforce a minimum password length requirement for local user accounts in Windows 10 first. Then we shall figure out why you must do it. Let’s begin.
Why You Need Minimum Password Length for Local User Accounts
The short answer is privacy and security. I bet you know that. Creating a local user account on the same computer allows you to access Windows offline without needing a Microsoft account. Local user accounts are local and don’t need internet connectivity to allow access. That means account settings won’t sync across devices and everything stays offline. Some users prefer it that way. You can still sign in to Windows apps and services, but without using a Microsoft account on Windows 10. Microsoft did not add a minimum password length policy to local user accounts by default. You can turn that option on, but it is hidden deep in the Registry Editor and Group Policy Editor. Someone with access to your computer could easily switch to this local user account and gain access to every nook and cranny of the hard drive. You don’t want that to happen. You may want to keep everything offline and not tied to a Microsoft account for a variety of reasons. But there are offline threats too. Whether you are at home or in an office or a cafe, anyone could gain access to your computer physically and wreak havoc on your life. Using a password solves that, but people often use dumb passwords. Some popular ‘dumb password’ examples are birth date, house or license plate numbers, and even 1234. That is where password length can come in handy. Forcing users to use a password that’s longer is always better. The FBI recommends that longer passwords, even with simple letters/numbers, are better than short passwords with special characters. The idea is simple but makes sense. A longer password offers more possible combinations, making it harder to crack but easier to remember. That’s because it will take more computing power, and hence more time, to crack a longer password. And there is academic research to back this theory.
1. Set Minimum Password Length Using CMD
This method is meant for Windows 10 Home users. Search for and open Command Prompt (CMD) with admin rights from the Start menu. Here is the command to increase the minimum password length requirement. Replace the text ‘PassLength’ below with the minimum number of characters you want to use in the new password and press Enter. Want to check whether the command worked? One way is to create a new local account and set a password whose length is less than what’s set. Another way is to give the below command in CMD. You should see the prescribed minimum password length here, among other things. That’s it. A local account will now need a password with a minimum length. To remove the minimum password length requirement, give the below command.
2. Set Minimum Password Length Using Group Policy Editor
This method is suitable for Windows Pro and Enterprise users who have access to the GPE or Group Policy Editor. GPE comes with a GUI or Graphical User Interface, which allows you to make system-level changes without having to mess around with commands. Still, caution is required because things could go wrong. I would recommend taking a backup or create a restore point before going ahead. If you work in an enterprise and have an IT admin, check with him/her for more details as domain policy will take precedence over your system policy. Search for gpedit.msc in the Windows Start menu and open it. Drill down to the below folder structure.
Note: If you enter the value as 0 (zero), it means no password is required for local user account. Enter the new value for minimum password length in characters, click on Apply and OK to save everything. Want to have the best of both worlds? You can force the users also to use special characters in their passwords. You can also force them to change their passwords every X days. Double-click to open ‘Password must meet complexity requirements policy’ option. Select Enable and save everything. Here are the criteria that will be enforced via this policy:
Password length as prescribed by you in the above step. The default value is 6 characters long.It cannot contain the user’s account name or full name that exceeds two characters consecutively.Must contain at least one (1) character that is:Uppercase (A to Z)Lowercase (a to z)Digits (0 to 9)special characters (!, @, #, $)
To force the user to change the password every X days, double-click to open the Maximum password age policy file. Enter the number of days after which the user will be asked to change his/her local user account password. These additional controls are there to improve security, but it can get painful to remember new passwords. It can be a little too much, especially for older folks who find it a challenge to work with computers and remember passwords. So set a favorable number like 45 days or 90 days.
Maximum Security Measures
Set the minimum password length criteria carefully. You may want to find a balance between ease, usability, and security. A lot will depend on where you work, the technical skill set of users who are working on these computers, and how much you want to protect what’s on that HDD/SSD. It can become a nuisance if you share the computer with someone in your family. Thankfully, Microsoft made things very flexible recently by giving more control to admins over how different aspects of local and online accounts are managed. Next up: Accidentally deleted an admin account in Windows 10? Click on the link below to learn how to recover the deleted administrator account. Better yet, learn how to avoid that situation altogether.