What should I know about password policies?

Published: April 26, 2010

Updated: June 30, 2011

Applies To: Windows Small Business Server 2011 Essentials

The password policy is a set of rules that define how users create and use passwords. The policy helps to prevent unauthorized access to user data and other information that is stored on the server. The password policy is applied to all user accounts that access the network.

The Windows SBS 2011 Essentials password policy consists of three primary elements as follows:

  • Password length.  The longer a password is, the more secure it is. Blank passwords are not secure.

  • Password complexity.  Complex passwords contain a mixture of uppercase and lowercase letters (a-z, A-Z), numbers (0-9), and non-alphabetic symbols (such as !, @, #, _, -). Complex passwords are much less susceptible to being guessed or cracked. Passwords that contain user names, birth dates, or other personal information do not provide adequate security.

  • Password age.  Windows SBS 2011 Essentials requires that users change their password at least once every 180 days. As an option, you can choose to have passwords never expire.

To make it easier to implement a password policy on your computer network, Windows SBS 2011 Essentials provides a simple tool that allows you to set or change the password policy to any of the following four pre-defined policy profiles:

  • Weak.  Users can specify any password that is not blank.

  • Medium.  These passwords must contain at least 5 characters. A complex password is not required.

  • Best.  These passwords must contain at least 5 characters, and must include letters, numbers, and symbols.

  • Strong.  These passwords must contain at least 7 characters, and must include letters, numbers, and symbols. These passwords are more secure, but may be more difficult for users to remember.

If you install the Office 365 Integration Module (OIM), the OIM configuration wizard enforces the Strong password policy, and updates the policy to include the following requirements:

  • Passwords must contain 8–16 characters.

  • Passwords cannot contain a space or the Office 365 email name.

A new server installation sets the password policy to the Strong option by default.
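As an added illustration (not part of this page and not the SBS 2011 Essentials tool itself), the following Python model encodes the four profiles above, the OIM overlay and the 180-day age rule, and reports which rules a candidate password violates. The definition of a "symbol" as any non-alphanumeric, non-whitespace character, the case-insensitive match against the Office 365 email name, and treating a password as expired once 180 days have elapsed are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PASSWORD_AGE_DAYS = 180  # the page's "at least once every 180 days"

@dataclass(frozen=True)
class Profile:
    name: str
    min_length: int
    complex: bool           # letters, numbers and symbols all required
    max_length: int = 0     # 0 = no upper bound; only the OIM overlay sets one
    no_space: bool = False  # only the OIM overlay forbids spaces

# The four pre-defined profiles from the page.
WEAK = Profile("Weak", 1, False)
MEDIUM = Profile("Medium", 5, False)
BEST = Profile("Best", 5, True)
STRONG = Profile("Strong", 7, True)
# Strong as tightened by the Office 365 Integration Module wizard.
OIM_STRONG = Profile("Strong (OIM)", 8, True, max_length=16, no_space=True)

def check_password(password, profile, email_name=None):
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < profile.min_length:
        problems.append(f"shorter than {profile.min_length} characters")
    if profile.max_length and len(password) > profile.max_length:
        problems.append(f"longer than {profile.max_length} characters")
    if profile.complex:
        # Assumption: a "symbol" is any non-alphanumeric, non-whitespace character.
        if not any(c.isalpha() for c in password):
            problems.append("no letter")
        if not any(c.isdigit() for c in password):
            problems.append("no number")
        if not any(not c.isalnum() and not c.isspace() for c in password):
            problems.append("no symbol")
    if profile.no_space and " " in password:
        problems.append("contains a space")
    # Assumption: the Office 365 email name is matched case-insensitively.
    if email_name and email_name.lower() in password.lower():
        problems.append("contains the Office 365 email name")
    return problems

def password_expired(last_set: date, today: date, never_expires=False):
    """Password age rule, assumed to expire once 180 days have elapsed."""
    if never_expires:
        return False
    return today - last_set >= timedelta(days=MAX_PASSWORD_AGE_DAYS)
```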

For information about how to change the password policy, see Change the password policy.

For information about how to reset the password for a user account, see Reset the password for a user account.