Alfred's New Ramblings

Microsoft Windows password policy

As part of a security policy, the Windows password policy ensures that a user's password is sufficiently complex and fresh.

By default, Windows does not measure how different a new password is from the old one. It even accepts a password that differs from the previous one by a single character. Why? This is due to hashing. All authentication systems hash the password and store only the hashed copy. As long as the hashed copies differ, the new password is accepted.

What if you need to increase the complexity of user passwords to resist dictionary attacks? For example, a password built from repeated characters will still be accepted even with the high-complexity setting enabled. In this day and age of high-speed computers, a brute-force dictionary attack makes password cracking very easy. To prevent this, a filter is required.

A password filter can filter out repeated characters. The default high-complexity password filter, Passfilt.dll, checks for the following character categories:


Character category | Examples
Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) | A, B, C, … Z
Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) | a, b, c, … z
Base 10 digits (0 through 9) | 0, 1, 2, … 9
Non-alphanumeric characters (special characters) | $ ! % ^ ( ) { } [ ] ; : < > ?
Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase (this includes characters from Asian languages) | (no fixed list)


It is also possible to install a third-party filter such as OpenPasswordFilter for finer control over user passwords.
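The two points above, a hash-only history check that cannot see how similar two passwords are, and a filter that adds a repeated-character rule on top of Passfilt.dll-style category counting, can be shown in a few lines of Python. This is an added example, not code from the post, from Passfilt.dll or from OpenPasswordFilter. It assumes SHA-256 as a stand-in for whatever hash a real history store uses, treats any non-space, non-alphanumeric character as "special" (a simplification of the Passfilt.dll list), and uses hypothetical policy values: minimum length 8, at least 3 of the 5 categories, and no run of more than 2 identical characters.

```python
import hashlib
import unicodedata
from itertools import groupby


def digest(password: str) -> str:
    """Hash a password the way a history store would keep it (hash only, no cleartext).
    SHA-256 is an assumption here, standing in for the store's real hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def history_accepts(new_password: str, previous_hashes: set) -> bool:
    """A hash-only history check. It can only reject exact reuse: two passwords that
    differ by a single character produce unrelated hashes, so the near-duplicate passes."""
    return digest(new_password) not in previous_hashes


def category_count(password: str) -> int:
    """Count how many of the five Passfilt.dll-style character categories appear."""
    seen = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":                      # uppercase letters (incl. diacritics, Greek, Cyrillic)
            seen.add("upper")
        elif cat == "Ll":                    # lowercase letters (incl. sharp-s, diacritics)
            seen.add("lower")
        elif ch in "0123456789":             # base-10 digits only
            seen.add("digit")
        elif cat.startswith("L"):            # alphabetic but neither upper nor lower (e.g. CJK)
            seen.add("other_alpha")
        elif not ch.isspace():               # assumption: everything else non-space is "special"
            seen.add("special")
    return len(seen)


def longest_run(password: str) -> int:
    """Length of the longest run of one repeated character, e.g. 'aaab' -> 3."""
    return max((len(list(group)) for _, group in groupby(password)), default=0)


def check_password(new_password: str, previous_hashes: set, *,
                   min_length: int = 8, min_categories: int = 3, max_run: int = 2) -> list:
    """Return a list of policy violations (empty list means the password is accepted).
    The thresholds are hypothetical policy values, not Windows defaults."""
    problems = []
    if len(new_password) < min_length:
        problems.append("too short")
    if category_count(new_password) < min_categories:
        problems.append("too few character categories")
    if longest_run(new_password) > max_run:
        problems.append("repeated characters")
    if not history_accepts(new_password, previous_hashes):
        problems.append("reused password")
    return problems


if __name__ == "__main__":
    # Constructed sample history: the hash of one previous password.
    history = {digest("Summer2023!")}
    # One character changed: the hash-only history check lets it through.
    print(check_password("Summer2024!", history))   # []
    # Four categories, but a run of four identical characters: the filter rejects it.
    print(check_password("Aaaa1111!!", history))    # ['repeated characters']
    # Exact reuse is the only thing the history check can catch.
    print(check_password("Summer2023!", history))   # ['reused password']
```

The `history_accepts` result for `Summer2024!` is the behaviour the post describes: the store compares hashes, so "one character different" is indistinguishable from a brand-new password. The repeated-character rule is the kind of check that only a filter DLL, not the built-in history or complexity settings, can add.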
