User Account Password Options
Each user account has a number of options related to passwords. To view these options, open the Local Users And Groups snap-in (as described earlier in this tutorial), right-click the user you want to work with, and then select Properties. There are three password-related check boxes in the property sheet that appears:
- User Must Change Password At Next Logon If you select this check box (the Password Never Expires option must not be active), the next time the user logs on, the user will see a dialog box with the message that the user is required to change his or her password. When the user clicks OK, the Change Password dialog box appears and the user enters his or her new password.
- User Cannot Change Password Select this check box to prevent a user from changing his or her password.
- Password Never Expires If you clear this check box, the user's password will expire. The expiration date is determined by the Maximum Password Age policy, discussed in the next section.
Taking Advantage of Windows XP's Password Policies
Windows XP maintains a small set of useful password-related policies that govern settings such as when passwords expire and the minimum length of a password. In the Group Policy editor, select Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy. (In the Local Security Policy snap-in, select Security Settings, Account Policies, Password Policy.) There are six policies:
- Enforce Password History This policy determines the number of old passwords that Windows XP stores for each user. This is to prevent a user from reusing an old password. For example, if you set this value to 10, the user can't reuse a password until he or she has used at least 10 other passwords. Enter a number between 0 and 24.
- Maximum Password Age This policy sets the number of days after which passwords expire. This only applies to user accounts where the Password Never Expires property has been disabled (see the previous section). Enter a number between 1 and 999.
- Minimum Password Age This policy sets the numbers of days that a password must be in effect before the user can change it. Enter a number between 1 and 998 (but less than the Maximum Password Age value).
- Minimum Password Length This policy sets the minimum number of characters for the password. Enter a number between 0 and 14 (where 0 means no password is required).
- Password Must Meet Complexity Requirements If you enable this policy, Windows XP examines each new password and accepts it only if it meets the following criteria: it doesn't contain all or part of the user name; it's at least six characters long; and it contains characters from three of the following four categories: uppercase letters, lowercase letters, digits (0-9), and non-alphanumeric characters (such as $ and #).
- Store Password Using Reversible Encryption For All Users In The Domain Enabling this policy tells Windows XP to store user passwords using reversible encryption. Some applications require this, but they're rare and you should never need to enable this policy.
In this tutorial:
- Managing Logons and Users
- Useful Windows XP Logon Strategies
- Setting Up an Automatic Logon
- Setting Logon Policies
- More Logon Registry Tweaks
- Getting the Most Out of User Accounts
- Control Panel's User Accounts Icon
- The Local Users And Groups Snap-In
- Setting Account Policies
- Working with Users and Groups from the Command Line
- Creating and Enforcing Bulletproof Passwords
- User Account Password Options
- Recovering a Forgotten Password
- Sharing Your Computer Securely