Implement strong passwords

Applies To: Windows SBS 2008

Password policies are a set of rules that can enhance the security of your Windows SBS 2008 network. Using strong password provides an additional layer of defense against an unauthorized user gaining access to your network.

To help implement strong passwords, password polices are enabled by default in Windows SBS 2008 during installation. You can ensure that users implement strong passwords by enforcing password polices in your network.

The password policies in Windows SBS 2008 include the following:

Minimum length Enable this policy to determine the least number of characters that a password can contain. Setting a minimum length helps protect your network by preventing users from having short or blank passwords. The default is eight characters.

Complexity Enable this policy to determine whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name, and it must contain characters from three of the following four categories:

  • English uppercase characters (A through Z)

  • English lowercase characters (a through z)

  • Numerals (0 through 9)

  • Non-alphanumeric characters (such as , !, $, #, %)

Maximum age Enable this policy to determine the period of time (in days) that a password can be used before the system requires that the user change it. The default is 180 days.


After you enable or change password policies, all users are required to change their passwords the next time they log on. Informing users about what requirements they must use when they change their passwords helps ensure that they understand how to choose a strong password.