What Is Password policy? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
A password policy is a set of rules that tells you how to create and manage passwords to keep your accounts safe. It often includes rules about how long passwords should be, what characters they must contain, and how often you must change them. These policies help protect company data from hackers.
Common Commands & Configuration
aws iam update-account-password-policy --minimum-password-length 14 --require-uppercase-characters --require-lowercase-characters --require-numbers --require-symbols --max-password-age 90 --password-reuse-prevention 24 --allow-users-to-change-passwordSets a comprehensive AWS IAM password policy enforcing a 14-character minimum, all character types, 90-day expiration, and 24-password history. Commonly used in Security+ and AWS SAA scenarios to meet compliance requirements like PCI-DSS or SOC 2.
This is the exact command you may need to identify in AWS SAA exam questions about password policy compliance. Remember that AWS does not have a native lockout threshold; that's a trick point.
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:24 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30Configures Windows local security policy (workgroup or standalone) for password length, expiration, history, and account lockout. Used in A+ and MD-102 for local machine hardening.
The net accounts command is a classic A+ / Security+ tool. The lockoutwindow parameter is specifically tested; it is the reset counter window, not the duration.
Set-ADDefaultDomainPasswordPolicy -Identity contoso.com -MaxPasswordAge 90 -MinPasswordLength 14 -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false -ComplexityEnabled $truePowerShell cmdlet to set the default domain password policy in Active Directory for a domain called contoso.com. Used in MD-102 and MS-102 on-premises scenario labs.
This cmdlet is a core tool for AZ-104 and MS-102 exam objectives. Note that ReversibleEncryptionEnabled must be $false as per security best practice.
Set-MsolPasswordPolicy -DomainName contoso.com -ValidityPeriod 90 -NotificationDays 15Azure AD classic module command to set password expiration (validity period) and notification days for a cloud domain. Now deprecated but still appears in SC-900 and MS-102 legacy questions.
This command tests knowledge of the old Azure AD module. The new Graph API version is Get-MgPolicyAuthorizationPolicy but the classic command is more exam-relevant for legacy scenarios.
Update-AzureADDirectorySetting -Id 'c99a2f35-8d5f-4b76-9e1e-13a0c6e1f123' -Values @{'PasswordRules'='MinPasswordLength=12;MaxPasswordAge=0;BlockCommonPasswords=True'}Updates Azure AD directory settings (now Entra ID) for password rules, including minimum length disabling expiration and blocking common passwords.
This is an advanced command for SC-900 and MS-102. The trick is that MaxPasswordAge=0 means passwords never expire, which is now Microsoft's default recommendation.
aws iam get-account-password-policyRetrieves the current IAM password policy for the AWS account. Used in troubleshooting and auditing to verify policy settings. Commonly used in AWS SAA security domain.
Know the difference between get and update commands. The exam often expects you to check the policy before making changes.
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> Minimum password length (set to 14)Graphical path in Group Policy Editor for configuring password length on a domain or local machine. Used in MD-102 and A+ exam scenarios.
This is a drag-and-drop or step-order question type in CompTIA A+ 220-1102. Remember the path order: Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
Password policy appears directly in 29exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Password policy is a core topic across many IT certification exams because it forms the foundation of access control and security governance. For CompTIA Security+ (SY0-601 and SY0-701), it is a fundamental concept in domain 2.0 (Architecture and Design) and domain 3.0 (Implementation). Questions often ask you to identify the correct policy settings to mitigate a specific attack, such as setting an account lockout policy to prevent brute-force attacks. You may be asked to interpret a scenario where a user's account is compromised and recommend the appropriate policy change, like increasing password length or enabling password history.
For the CompTIA CySA+ (CS0-002), password policy appears in the context of vulnerability management and security monitoring. You might see a question about a password spraying attack detected in logs and be asked which policy parameter (account lockout threshold) would have prevented it. For the CASP+ (CAS-004), password policy is part of enterprise security architecture, where you must design a policy that balances security with usability across multiple domains, often integrating with smart card or biometric systems.
In the ISC2 CISSP exam, password policy falls under domain 5 (Identity and Access Management IAM) and domain 7 (Security Operations). You must understand the difference between policy, standard, baseline, and guideline. A password policy is a high-level document that defines management intent, while a password standard (e.g., length, complexity) is the specific technical implementation. CISSP questions may test your knowledge of industry standards (NIST, ISO 27001) and how they map to policy. The ISC2 CC (Certified in Cybersecurity) also covers password policy as part of access control fundamentals.
For Microsoft role-based exams like MD-102 (Endpoint Administrator), MS-102 (Microsoft 365 Administrator), and SC-900 (Security Compliance and Identity Fundamentals), password policy is a practical configuration topic. You need to know how to configure password policies in Microsoft Entra ID, including banned password lists, password protection for on-premises Active Directory, and the interaction between on-prem Group Policy and cloud policies. In AZ-104 (Azure Administrator), you must know how to configure password policies for Azure AD users and how to require MFA.
The AWS Certified Solutions Architect Associate (SAA-C03) exam may include password policy in the context of IAM best practices. You should know how to set a password policy for IAM users (length, expiration, reuse) and how to enforce MFA. The exam may present a scenario where an inexperienced administrator set a weak password policy and you must identify the best change.
CompTIA A+ (Core 2) covers password policy as a basic security measure for workstations. You might be asked about best practices for creating strong passwords, such as using a passphrase or not sharing passwords. All these exams expect you to understand not just the definition but also the practical application of password policy, including how to configure it and how to troubleshoot common issues like users being locked out of their accounts.
Simple Meaning
Think of a password policy like the rules for the lock on your front door at home. When you install a lock, you follow certain rules to make sure it is strong. For example, you do not use a lock that can be opened with a paperclip, and you do not give a copy of your key to everyone who walks by. In the digital world, a password policy is a set of instructions that an organization creates to make sure its employees use strong, hard-to-guess passwords. It is like having a rule that says your front door lock must have at least three different internal mechanisms and that you must change the lock once a year.
A typical password policy will say things like: your password must be at least eight characters long. It must contain a mix of uppercase letters, lowercase letters, numbers, and special symbols like @ or #. You cannot use obvious words like password123 or your own name. You must change your password every 90 days. You cannot reuse one of your last five passwords. This is all to stop someone who is not you from logging into your account.
Imagine your password is the key to a very large safe in a bank lobby called 'your account.' The password policy is the rulebook the bank gives to every employee who has a key to that safe. It says the key must have at least five unique notches, you cannot write the key's code on a sticky note on your computer screen, and you must get a new key every three months. If the bank just let everyone use any key they wanted, someone could use a very simple key that any thief could copy, and then the bank would lose all its money. That is why password policies exist: to make sure everyone uses strong keys that are hard for attackers to duplicate or guess.
In many companies, the IT department builds these rules directly into the computer system. When you try to set a password, the system checks if it meets all the rules automatically. If it does not, the system rejects it and asks you to try again. This automatic checking is a huge help because it forces everyone to follow the rules, even if they would rather use an easy-to-remember password like 'Summer2024'. The policy is really about creating a baseline of security that applies to everyone in the organization. It does not matter if you are the CEO or the intern; you must follow the same password policy to keep the company's data safe.
Full Technical Definition
In an enterprise IT environment, a password policy is a formal set of rules that governs the creation, management, storage, and rotation of passwords used to authenticate users. It is a critical component of access control and is typically enforced through Group Policy on Windows Active Directory domains or through cloud-based identity platforms like Microsoft Entra ID (formerly Azure AD). The technical implementation of a password policy involves several specific parameters, each with a defined function and recommended configuration derived from security best practices such as NIST SP 800-63B and CIS benchmarks.
The core technical parameters include minimum password length, which defines the shortest allowable number of characters. A longer minimum length (e.g., 14 characters) significantly increases entropy, making brute-force attacks computationally infeasible. Maximum password age sets a time limit after which the password must be changed, commonly 60 to 90 days, to mitigate the risk of undetected credential theft. Minimum password age prevents users from cycling through passwords rapidly to circumvent history requirements. Password history count stores a number of previous passwords (e.g., 24) to prevent reuse, forcing users to create truly new passwords.
Complexity requirements, such as requiring uppercase, lowercase, digits, and non-alphanumeric characters, are enforced to defeat dictionary attacks and pattern-based guessing. However, modern best practice from NIST recommends focusing on length over complexity, as a long passphrase can be more secure and more memorable than a short, complex string. Account lockout threshold defines how many failed login attempts (e.g., 5 to 10) are allowed before the account is locked, preventing online brute-force attacks. Lockout duration and reset lockout counter after parameters control how long the account remains locked and after how long the failed attempt counter is reset.
In an Active Directory environment, these policies are managed via Group Policy Management Console under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Organizations can also create Fine-Grained Password Policies (FGPOs) for different user groups, applying different password rules for administrators versus regular users. In Microsoft Entra ID, password policies are enforced through Tenant-wide settings, and additional protection is provided by password protection (banned password lists) and self-service password reset (SSPR). For cloud services, identity providers like AWS IAM enforce password policies for the root user and IAM users, with parameters for length, expiration, and reuse.
Modern password policies also integrate with multi-factor authentication (MFA) to add a second layer of security. In many systems, if MFA is enabled, the password policy may be less strict on rotation because the risk of password-only compromise is lower. The NIST SP 800-63B revision 3 guidance de-emphasizes periodic password changes unless there is evidence of compromise, and instead promotes the use of password managers, long passwords, and MFA. However, many compliance frameworks (PCI-DSS, HIPAA, GDPR) still require regular password rotation, so IT professionals must balance technical best practice with regulatory obligations.
Password storage is also part of the policy. Systems must store passwords using strong, salted cryptographic hashing algorithms like bcrypt, Argon2, or PBKDF2, never in plaintext or with weak hashes like MD5 or SHA-1. The policy should specify that passwords are transmitted only over encrypted channels (TLS). Logging and monitoring for failed login attempts, anomalous authentication patterns, and password spray attacks are also policy-related technical controls that help detect when passwords are compromised. The policy must also cover password recovery procedures, such as secure reset links that expire, and the use of security questions that are not publicly guessable.
Real-Life Example
Imagine you and your roommates share a house with a front door lock. You decide to create a house rule about the keys. The rule says that every key must have at least five unique cuts (like a long password). You cannot use a key that looks like a flat piece of metal with one cut (like a weak password). You also agree that everyone must change their lock every 90 days, and if you move out, the whole lock must be replaced. That is exactly how a password policy works.
In your house, the key rule also says you cannot write the key's code on a sticky note and stick it to the front door (that would be writing your password on a monitor). You cannot hide a spare key under the doormat (that is like storing passwords in an unsecure file). If you lose your key or someone steals it, you must report it immediately, and the lock gets changed (that is enforcing account lockout and reset).
Now, suppose one of your roommates is lazy and wants to use a simple key with only one cut. You remind them of the house key rule. That rule is your password policy. It is not just a suggestion; it is a rule that everyone in the house must follow. If someone does not follow it, they might accidentally let a thief into the house. In the same way, if an employee uses a weak password at work, they could let a hacker into the company network.
The house rule also includes a 'no key sharing' rule. You cannot give your key to a neighbor just because they forgot theirs. That would be like sharing your password with a coworker. In a company, the password policy says you must never share your password with anyone, even the IT help desk. If you do, you are breaking the rule, and you could be responsible for a data breach.
The password policy in this analogy also covers what happens when someone tries to use the wrong key too many times. The house rule might say that after five tries with the wrong key, the lock will automatically jam for ten minutes. That is the account lockout feature. It stops a thief from standing at your front door trying different keys (brute-force attack) without being blocked.
In a real company, the password policy is the collection of all these house rules, but enforced by the computer system itself. When you type your password, the system checks if it meets all the rules. If it does not, it refuses to accept it and asks you to try again. This automatic enforcement is like having a smart lock that physically rejects a key that does not have enough cuts.
Why This Term Matters
In practical IT operations, a password policy is the first line of defense against unauthorized access. Without one, users tend to choose very weak passwords that are easy to remember, such as 'password123' or 'CompanyName2024'. These passwords are the first thing attackers try in a dictionary attack or a password spray attack. A well-designed password policy dramatically increases the difficulty of guessing or cracking passwords, raising the security baseline for the entire organization.
Password policies are not just about creating strong passwords; they are also about managing the lifecycle of credentials. They enforce regular rotation, which helps limit the window of exposure if a password is silently compromised. They prevent password reuse across different systems, which is critical because if an attacker gets a user's password from one service, they will try it on all other services (credential stuffing).
For IT administrators, a password policy also provides a framework for compliance with regulations and standards. For example, PCI-DSS requires that passwords be changed at least every 90 days and that a minimum length be enforced. HIPAA requires policies that protect electronic protected health information. Without a formal password policy, it is nearly impossible to pass an audit or demonstrate due diligence.
However, a password policy that is too strict can hurt productivity. If users are forced to change passwords every 30 days and use complex strings, they may resort to writing them on sticky notes or storing them in insecure ways. The modern trend, supported by NIST, is to focus on longer, memorable passphrases and to require MFA, which reduces the burden of frequent password changes. Understanding this tension is crucial for any IT professional.
Password policies also matter in the context of identity and access management (IAM). In cloud environments like AWS Azure or Microsoft 365, the password policy for IAM users can be configured to require MFA aging history and complexity. Misconfigured password policies are a common finding in security assessments and can lead to real breaches. For example, if an AWS IAM policy does not enforce a minimum length and does not require MFA, an attacker could compromise a low-privilege user and then escalate privileges. Therefore, understanding password policy is not just theoretical; it is a hands-on skill that every IT and security professional must master.
How It Appears in Exam Questions
In exam questions, password policy is often presented in a scenario format. A typical scenario might describe a company that experienced a data breach because an employee used an easily guessed password. The question then asks which password policy setting would best prevent a recurrence. The answer choices might include 'minimum password length of 14 characters', 'password history of 24', 'maximum password age of 90 days', or 'enable account lockout after 5 attempts'. You must choose the most effective control for the specific attack described.
Another common question pattern is a multiple-select question asking you to identify all the parameters that should be included in a strong password policy. For example, which of the following are best practices? The options might include 'minimum length of 8 characters', 'required complexity', 'password expiration every 30 days', 'password history of 24', 'account lockout threshold of 10', and 'password reuse allowed after 5 changes'. You must recall that NIST now recommends against mandatory periodic changes unless compromise is suspected, so the '30-day expiration' might not be the best answer in a modern context.
Configuration questions are common in Microsoft and AWS exams. For example, the question might give you a scenario where you need to configure a password policy for a specific group of users (e.g., administrators) that is more restrictive than the standard policy. You must know how to implement a Fine-Grained Password Policy (FGPO) in Active Directory or how to set a custom policy in AWS IAM. The answer choices might include PowerShell cmdlet names (e.g., Set-ADFineGrainedPasswordPolicy) or AWS CLI commands.
Troubleshooting-style questions can present a situation where users are unable to log in because they forgot their password, or they are being prompted to change it too frequently. You may need to identify that the maximum password age setting is too short, or that the minimum password age prevents them from changing back to a favorite password too quickly. Another troubleshooting scenario involves a locked-out account. You must know how to check the lockout status and reset it, often using tools like `net user` command or the Active Directory administrative tools.
Some questions test your understanding of the relationship between password policy and other security controls, such as MFA. For example, if a company has MFA enabled, should they still enforce a strict password rotation policy? The correct answer, based on NIST guidelines, is that password rotation can be relaxed if MFA is in place, because the risk is lower. However, compliance requirements may still mandate it. You must be able to weigh these factors.
Practise Password policy Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are the IT administrator at a growing company called GreenLeaf Inc., which has 200 employees. The company recently had a security scare when an attacker guessed the password of a finance employee with the password 'GreenLeaf2023'. The password was exactly the company name and the current year, which is a common pattern. Your boss asks you to implement a strict password policy to prevent this from happening again.
You start by configuring the password policy in the domain controller through Group Policy. You set the minimum password length to 14 characters. You require complexity, meaning the password must include uppercase, lowercase, numbers, and symbols. You set the maximum password age to 90 days, so employees must change their password every three months. You set the password history to 24 to prevent reuse of the last 24 passwords. You also enable account lockout after 5 failed attempts to prevent brute-force attacks.
A few days later, you receive a call from a user who is frustrated because they cannot set their new password. They tried 'P@ssword2024!' but the system rejected it. You explain that their password is too similar to their previous one, which violates password history. They try 'MyD0g&MyC@t2024' and it works. The user is annoyed but you explain that it is for their safety.
Two months later, the company experiences a password spray attack from a malicious IP address. The attacker tries common passwords like 'Password123' against many users. Because of the account lockout policy, several user accounts get locked after 5 failed attempts. The security team notices the spike in lockouts and blocks the attacker's IP. The policy successfully prevented the attack from compromising any accounts.
During the next audit, the auditor asks to see the password policy documentation. You provide the Group Policy report and the logs showing the account lockout events. The auditor confirms that the policy complies with the company's security requirements and no further changes are needed. This scenario shows how a well-configured password policy can protect an organization from real threats and satisfy compliance requirements.
Common Mistakes
Believing that a password policy alone is sufficient security without MFA.
A strong password can still be phished, guessed through social engineering, or stolen from the server side. MFA adds a second layer that greatly reduces the risk of password-only attacks.
Always implement MFA alongside a strong password policy, especially for privileged accounts.
Setting the minimum password length too short, such as 8 characters.
An 8-character password can be cracked in a few hours by a modern GPU using offline brute-force or dictionary attacks. NIST now recommends a minimum of 14 characters for user-chosen passwords.
Set minimum password length to at least 14 characters, or better, encourage the use of long passphrases.
Requiring mandatory password changes every 30 days.
Frequent mandatory changes often lead to users choosing weaker passwords they can remember easily, or writing them down. NIST SP 800-63B no longer recommends periodic changes unless there is evidence of compromise.
Set maximum password age to 90 days or longer, and rely on MFA and detection of compromised credentials.
Not implementing an account lockout policy to prevent brute-force attacks.
Without a lockout, an attacker can make millions of guesses against a single account without being blocked, making brute-force attacks feasible.
Enable account lockout after 5 to 10 failed attempts, with a duration of 15 minutes or until an administrator resets it.
Allowing password reuse after only a few password changes.
If an old password was compromised, allowing reuse shortly after could let an attacker keep using it. A high password history value (e.g., 24) forces users to create fresh passwords.
Set password history to require at least 10 to 24 unique passwords before any can be reused.
Using complexity requirements alone without length requirements.
A complex but short password like 'P@ss1' is still weak. Attackers use rules that substitute characters. Length is far more important than complexity for entropy.
Require both length (e.g., 14 characters) and complexity, but prioritize length. Consider allowing spaces for passphrases.
Assuming password policy applies automatically to all systems.
Password policy configured in Active Directory only applies to domain-joined Windows systems and domain accounts. It does not apply to local accounts, service accounts, or third-party applications unless explicitly integrated.
Audit all systems and services to ensure password policies are enforced across all entry points. Use separate policies for service accounts (e.g., long random passwords with no expiry).
Exam Trap — Don't Get Fooled
{"trap":"A question asks for the best password policy to prevent brute-force attacks, and one answer option is 'Maximum password age of 30 days' while another is 'Account lockout after 5 failed attempts'. Learners often pick the password age option because they think changing passwords frequently stops attackers.","why_learners_choose_it":"Learners remember that changing passwords regularly is a good security practice and assume it directly stops brute-force attempts.
They forget that brute-force attacks happen continuously over a short period, and without a lockout, an attacker can still succeed before the password expires.","how_to_avoid_it":"Remember that brute-force attacks are prevented by account lockout, not password expiration. The lockout stops the attempt real-time.
Password expiration only reduces the window of use if the password was already compromised. When you see 'brute-force attack' in the question, think 'lockout threshold' and 'lockout duration'."
Commonly Confused With
Password policy defines the rules for creating and managing passwords (length, complexity, age, history). Account lockout policy defines what happens when someone enters the wrong password too many times (threshold, duration, reset counter). They are separate but related security controls often configured together in Group Policy.
Password policy says your password must be 14 characters long. Account lockout policy says after 5 failed logins, your account is locked for 15 minutes.
Password complexity is a specific component of password policy that mandates the use of characters from different categories (uppercase, lowercase, digits, non-alphanumeric). Password policy is the broader set of rules that includes complexity but also covers length, age, history, and lockout.
Password policy includes a rule that says 'must include a number and a symbol.' That is the complexity requirement.
Password policy governs just the password. MFA adds a second authentication factor (e.g., a code from a phone app or a fingerprint). They are complementary: a strong password policy reduces the risk of password compromise, but MFA protects against any single factor being stolen.
Your password policy requires a strong password, but MFA means you also need a code from your phone to log in. Both together are stronger than either alone.
PAM is a broader strategy for managing and monitoring privileged accounts (like administrator accounts). It often includes password policy but also includes session recording, just-in-time elevation, and automated password rotation for those accounts. Password policy applies to all users, while PAM focuses on high-risk accounts.
Password policy says all passwords must be 14 characters. PAM says administrator passwords are automatically rotated every 24 hours and sessions are recorded.
A password policy is a set of rules. A password vault is a tool that stores and generates passwords securely. The policy may recommend or require the use of a password vault, but they are different concepts.
The policy says 'use a unique password for each site.' The password vault is the tool you use to actually create and store those unique passwords.
Step-by-Step Breakdown
Define policy objectives
Determine what the password policy should achieve. Is the goal to comply with regulations (PCI-DSS, HIPAA), to reduce the risk of unauthorized access, or both? This step sets the security baseline and determines which parameters are mandatory.
Set minimum password length
Choose a minimum length based on current best practices. NIST recommends at least 14 characters for user-chosen passwords. Longer passwords increase entropy and make brute-force attacks significantly harder. This is the single most important parameter.
Configure password complexity requirements
Require passwords to contain at least three of the four character types: uppercase, lowercase, digits, and symbols. This prevents users from using simple patterns like all lowercase words. However, prioritize length over complexity; a long passphrase (e.g., 'correct horse battery staple') is often better than a short complex string.
Set password history and minimum age
Define a history count (e.g., 24) to prevent reuse of previous passwords. Set a minimum password age (e.g., 1-3 days) so users cannot immediately cycle through several passwords to bypass the history requirement. This encourages actual password changes.
Define password expiration (maximum age)
Set the maximum password age (e.g., 90 days) if required by compliance. Modern guidance from NIST suggests that frequent forced changes are not necessary if MFA is used, but many frameworks still require it. Choose a balance between security and user convenience.
Configure account lockout policy
Set the lockout threshold (e.g., 5 to 10 failed attempts), lockout duration (e.g., 15 minutes or until admin reset), and the reset counter (e.g., 15 minutes). This prevents online brute-force attacks by disabling the account after too many failures.
Enforce the policy using technical controls
Implement the policy through Group Policy on Windows Active Directory, through cloud identity platforms (Microsoft Entra ID, AWS IAM), or through directory services like LDAP. Configure the settings and test them on a pilot group before rolling out to the entire organization.
Educate users and document the policy
Communicate the policy to all users with clear instructions and examples. Provide resources such as a password manager if allowed. Document the policy formally, including exceptions (e.g., service accounts) and the process for resetting forgotten passwords.
Monitor and audit compliance
Regularly review logs for lockout events, failed login attempts, and password change patterns. Use tools to detect weak passwords (e.g., password spraying) and enforce banned password lists. Periodically reassess the policy against evolving threats and standards.
Practical Mini-Lesson
To implement a strong password policy in a real-world Windows Active Directory environment, you need to understand Group Policy. Open the Group Policy Management Console (GPMC) and create a new GPO or edit the Default Domain Policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Here you will find the key settings.
Set 'Enforce password history' to 24. This means the system remembers the last 24 passwords, and users cannot reuse any of them. Set 'Maximum password age' to 90 days if required by compliance, or consider setting it higher (e.g., 365 days) if MFA is enforced across the board. Set 'Minimum password age' to 3 days to prevent rapid password cycling. Set 'Minimum password length' to 14 characters. This prevents extremely weak passwords and forces users to think of longer phrases.
For complexity, enable 'Password must meet complexity requirements.' This requires passwords to contain characters from at least three of the four categories: uppercase, lowercase, numbers, and symbols. However, you must be aware that this setting can annoy users and lead to patterns like 'P@ssword1!' that are actually predictable. Some organizations disable complexity and instead rely on a long minimum length and a custom banned password list.
For account lockout, navigate to Account Lockout Policy within the same node. Set 'Account lockout threshold' to 5 invalid logon attempts. Set 'Account lockout duration' to 15 minutes. Set 'Reset account lockout counter after' to 15 minutes. These settings stop an attacker from trying thousands of passwords. However, be careful: a very low threshold (e.g., 3) can cause many support calls for legitimately forgotten passwords.
For Microsoft Entra ID (cloud), the policy is configured in the Microsoft 365 admin center or via the Entra admin center under 'Protection' > 'Authentication methods' > 'Password protection'. You can configure a custom banned password list, turn on password protection for on-premises AD, and set lockout policies. One major difference from on-prem is that Entra ID does not automatically enforce password expiration for managed users; you must configure it explicitly.
A common mistake when implementing password policy is to forget about service accounts. Service accounts often need very long, complex passwords that never expire for the service to keep running. You should create a separate Fine-Grained Password Policy (FGPO) for service accounts with a longer maximum age (e.g., 365 days) and a long, randomly generated password. In Active Directory, FGPOs allow you to apply different policies to different security groups, overriding the default domain policy.
Another real-world consideration is integration with password managers. If your organization allows password managers, you can set a high minimum length (e.g., 20 characters) because the user does not need to memorize it. If you do not allow password managers, users will resist very long passwords. You need to balance security with usability. Many administrators now recommend using passphrases, like 'I-Love-Coffee-On-Rainy-Days!', which are easy to remember and long enough to be secure.
Finally, you must test your policy. Roll it out to a small group first and check for issues. Users may be locked out because they rely on old cached credentials. You may need to educate them about how to reset their password. Also, verify that any federated applications (e.g., Salesforce, Slack) that rely on your identity provider are not breaking due to the new policy. If they use their own password store, the policy may not apply, and you must secure those applications separately.
Password Complexity Requirements Across Modern Frameworks
Password complexity requirements form the bedrock of identity and access management across every major cloud platform and operating system. In the context of AWS SAA, Azure AZ-104, and CompTIA Security+, complexity rules dictate the minimum number of uppercase letters, lowercase letters, digits, and special characters that a password must contain. For Microsoft environments (MD-102, MS-102), Group Policy objects enforce complexity through the built-in Password must meet complexity requirements setting, which mandates at least three of the four character categories.
This is not merely a checkbox; it directly reduces the effectiveness of brute-force and dictionary attacks by expanding the effective keyspace. For example, an 8-character password drawn only from lowercase letters has 26^8 (roughly 208 billion) possibilities, but one requiring uppercase, lowercase, digits, and special characters raises the pool to 95^8 (over 6.6 quadrillion), making rainbow table attacks exponentially harder.
In the CISSP domain, complexity is paired with the concept of entropy; each additional character type increases Shannon entropy, a key metric for assessing password strength. Cloud providers like Azure (SC-900) enforce complexity via Conditional Access policies and Azure AD password protection, which also checks against known compromised password lists. CySA+ and A+ exams often test the trade-off: extreme complexity can lead to password reuse or written-down passwords, weakening overall security.
The NIST SP 800-63B guidelines have evolved to emphasize length over complexity, but the exam objectives for Security+ and CC still require candidates to know the traditional complexity rules. Implementing complexity in AWS IAM requires attaching a custom password policy to the account, setting the RequireUppercase, RequireLowercase, RequireNumbers, and RequireSymbols flags to true. In on-premises Active Directory (MD-102), complexity is enabled by default for domain controllers, but domain administrators can relax it via fine-grained password policies.
The key exam nuance is that complexity only prevents weak composition; it does not prevent common patterns like Password1! therefore, password history and expiration policies must be layered in. For the Azure 104 and MS-102 exams, remember that password complexity in Azure AD is enforced at the cloud level, and hybrid environments must sync these settings to on-premises via Azure AD Connect.
The CISSP exam may present a scenario where complexity reduces the likelihood of successful social engineering because attackers cannot predict the exact character set. In practice, organizations must balance complexity with usability; overly strict policies increase calls to the help desk. The 500-word focus here stresses that complexity alone is insufficient; it must be part of a layered defense including multi-factor authentication, account lockout thresholds, and periodic auditing.
The best approach documented in the NIST framework is to require a minimum of 12 characters with no mandatory complexity but to screen against common password lists. However, for the purposes of the listed exams, especially AWS SAA, Security+, and CC, the default complexity rules are considered a baseline control for any secure system. Complexity policies also intersect with password filters; custom password filter DLLs can be deployed in Windows Server to enforce business-specific bans, such as preventing passwords that contain the company name.
This is tested in the MD-102 exam under the security baselines. Ultimately, password complexity requirements remain a fundamental but evolving security control that every IT professional must understand deeply.
Password Expiration and History: Best Practices and Exam-Relevant Details
Password expiration and history policies dictate how often users must change their passwords and how many previous passwords are remembered to prevent reuse. In the CISSP and Security+ domains, password expiration (maximum password age) is traditionally set to 90 days, though modern recommendations from NIST SP 800-63B advise against mandatory periodic changes unless there is evidence of compromise. However, for the AWS SAA and Azure AZ-104 exams, knowing the default settings is critical: AWS IAM defaults to a 90-day password expiration with a 15-day warning period, while Azure AD does not enforce expiration by default but allows admins to set a custom policy.
The concept of password history (remembered passwords) typically stores between 3 and 24 previous passwords to directly prevent reuse. In a Windows domain (MD-102), the Enforce password history setting is configured via Group Policy and must be at least 10 for standard security baselines. The key exam trick: password expiration and history work together to stop rotation attacks where a user rapidly cycles through passwords to return to a favorite.
For example, if history is set to 12 and expiration to 90 days, a user cannot reuse any of the last 12 passwords for at least 3 years. This creates a practical barrier but also a usability pain point; users often append incremental numbers (e.g.
, Password01, Password02), which attackers can predict. The CompTIA CySA+ and A+ exams test how to audit this; security professionals must review event log ID 4724 (Windows) or CloudTrail logs (AWS) to detect password changes and ensure compliance. In AWS, the password policy can be configured via the AWS CLI or SDK; the update-account-password-policy command allows specifying MaxPasswordAge and PasswordReusePrevention (number of passwords remembered).
For Azure (SC-900), password expiration policies are set in the Azure AD blade under User settings, but the Password protection feature also blocks commonly used passwords. The MS-102 exam covers the new Microsoft Entra ID Password protection, which operates independently of expiration and uses a dynamic banned password list. The critical exam distinction: password expiration is weak against advanced persistent threats because an attacker who has already stolen the password will likely use it immediately, not wait.
Therefore, CISSP and Security+ emphasize that expiration is a compensating control, not a preventive one. The History policy, however, is strong against password reuse attacks where attackers try previously successfully guessed passwords from other services. In cloud environments, password history is often secondary because federated identity and MFA are more robust.
But for traditional domain-joined systems (A+ and MD-102), history is a core security requirement. The best practice for expiration: implement a risk-based approach where passwords expire only after a detected compromise, not on a fixed calendar. However, many exam questions still assume periodic expiration is a mandatory control.
For the cyber operations perspective (CySA+), analyzing password age outliers in a SIEM can indicate users with stale credentials that may be compromised. Password expiration policies also interact with lockout policies; if the expiration window is too short, users may lock themselves out by mistyping new complex passwords, leading to increased support tickets. Mastery of expiration and history policies is non-negotiable for the listed exams, as they appear in scenario-based questions about compliance, least privilege, and access control lifecycle.
Account Lockout Policies: Thresholds, Reset Timers, and Exam Scenarios
Account lockout policies are a direct defense against brute-force and password spraying attacks. These policies define the number of failed login attempts allowed before the account is locked (Account lockout threshold), how long the account remains locked (Account lockout duration), and how long after a failed attempt the counter resets (Reset account lockout counter after). In the Security+ and CySA+ exams, lockout thresholds are typically set to 3–5 attempts, duration to 15–30 minutes, and counter reset to 15–30 minutes.
For Windows domain environments (MD-102, MS-102), these settings are configured via Group Policy under Security Settings/Account Policies/Account Lockout Policy. A common mistake in exams is to set the lockout threshold too high (e.g.
, 10–20 attempts), which allows a dictionary attack to try many passwords before locking. Conversely, a threshold too low (1–2) can cause a denial of service for legitimate users. The Azure AD and Microsoft 365 environments (SC-900, MS-102) implement smart lockout, which adapts the lockout threshold based on the user's location and device; this is a key differentiator for exam questions.
Smart lockout prevents brute-force attacks from malicious sources while allowing legitimate attempts from familiar IPs. In AWS IAM, there is no native account lockout for user passwords; instead, AWS recommends using MFA and CloudTrail monitoring to detect brute-force attempts. However, the AWS Directory Service can enforce lockout policies via managed Active Directory.
The CISSP exam tests the balance between security and usability; a 15-minute lockout is sufficient to discourage attackers while allowing users to regain access after a short pause. The Reset account lockout counter after setting is often overlooked but critical: if the counter resets only after a long period, an attacker can spread attempts across that window, but a shorter window gives an attacker more attempts per hour. For example, a 30-minute reset window with a threshold of 3 attempts means an attacker can try 6 passwords per hour.
Best practice is to set the reset counter equal to the lockout duration. The CompTIA A+ exam includes lockout policies as part of the troubleshooting domain; a user who cannot log in due to a lockout is a common support scenario. The proper procedure is to unlock the account from Active Directory Users and Computers (ADUC) or via Azure AD admin center, not by changing the password prematurely.
In hybrid environments (AZ-104), lockout policies can be synced from on-premises to Azure AD, but smart lockout runs separately. Another exam angle: lockout policies do not protect against credential harvesting attacks where the password is stolen via phishing; they only prevent online guessing. Therefore, lockout must be combined with password history and MFA for layered defense.
The CySA+ exam may present a scenario where an attacker performs a slow password spraying attack over weeks to stay under the lockout threshold; in that case, the proper response is to increase monitoring and implement anomaly detection. For cloud environments (AWS SAA and Azure 104), lockout policies in managed services like RDS or Azure SQL use their own mechanisms. Account lockout is a fundamental control that appears in every listed certification exam, usually in the context of defending against authentication attacks.
The correct settings must be memorized for the exam, even though real-world practices may differ.
Cloud vs. On-Premises Password Policies: Key Differences for AWS, Azure, and Active Directory
The implementation and management of password policies differ significantly between cloud-native platforms like AWS and Azure, and on-premises Windows Active Directory. This distinction is heavily tested in AWS SAA, Azure AZ-104, MD-102, MS-102, and SC-900 exams. In traditional on-premises Active Directory (AD), password policies are enforced at the domain level via Group Policy Objects (GPO) and apply to all domain users.
AD supports fine-grained password policies (FGPP) starting in Windows Server 2008, allowing different policies for different groups (e.g., admins vs. standard users). The GPO settings include minimum password length (default 7), complexity required (default enabled for domain), history (24 remembered), and expiration (42 days for Windows Server 2016+).
In contrast, AWS IAM password policy is account-wide and applies to all IAM users within the AWS account. You can set the minimum length (default 8), require at least one uppercase, lowercase, number, non-alphanumeric character, password expiration (default 90 days), and prevent password reuse (default 3). AWS does not have a native account lockout policy for IAM users, which surprises many exam takers; however, you can use a custom solution with Lambda and CloudTrail.
Azure AD (Entra ID) password policy is also account-level, but it has additional features like Password protection, a global banned password list that prevents common passwords like Password123, and custom banned password lists. Azure AD does not enforce password expiration by default as of 2021; this change is a frequent exam point. The MS-102 exam covers the new Microsoft 365 password policy which is cloud-only for users synced from on-premises if the cloud password is used directly.
For hybrid environments (AZ-104, MS-102), password policies from on-premises AD are synced via Azure AD Connect, but there are conflicts: if an on-premises password expires, the user cannot use a cloud service until they change it on-premises. This is a common exam scenario. Cloud providers also offer additional hardening: AWS allows you to set a password policy that forbids the user's own user name (used to prevent password=username attacks).
Azure AD blocks over 1,000 common passwords and allows custom lists. Another critical difference is password writeback: in Azure, you can write password changes from the cloud back to on-premises AD using Azure AD Connect, which is required for self-service password reset (SSPR). This is covered in SC-900 and MS-102.
The certifications test the fact that cloud password policies are more dynamic and can be updated via API or portal, while on-premises policies require GPO refresh or direct domain controller changes. For AWS SAA, the exam may ask how to enforce a minimum length of 12 characters across all IAM users; the answer is to update the account password policy. For Azure AZ-104, a question might focus on why a user cannot use a password that meets complexity but contains the word Contoso; the answer is the custom banned password list.
The CompTIA Security+ and CySA+ exams use generic terms but also reference cloud-specific policies like smart lockout and password protection. The A+ domain covers local user password policies in Windows workgroup environments, which are simpler and use Local Security Policy. Understanding the specific mechanics of each platform's password policy is essential for exam success.
The trend is toward cloud-native controls that are more intelligent and adaptive, while on-premises policies remain more static but offer fine-grained delegation. For any certification candidate, the ability to compare and contrast these implementations is a frequent multi-choice question format.
Troubleshooting Clues
User cannot create password that meets complexity but still fails
Symptom: User attempts to set a password that has uppercase, lowercase, number, and symbol but the system rejects it with a generic complexity failure message.
The password likely fails due to an additional constraint like the password contains the user's full name, a banned substring, or part of the user's email address. AWS and Azure block these by default. Also, length may be insufficient (e.g., policy requires 14 characters but user typed 8).
Exam clue: Exam questions often present this scenario and ask what to check: look for custom banned password lists or substring restrictions in the password policy.
Account locked after a few legitimate authentication attempts
Symptom: User's account locks after 2-3 failed attempts despite the lockout threshold being set to 5. Users report that they were not aware of multiple failures.
The Reset account lockout counter after setting may be set to a very short time (e.g., 1 minute), causing the counter to reset quickly but also making it easy to trigger lockout if attempts are spread across days. Or there may be automated services using old credentials that are retrying constantly.
Exam clue: This is a classic Security+ and CySA+ troubleshooting scenario. Check for service accounts or scheduled tasks using stale passwords.
Password change fails in Azure AD hybrid environment
Symptom: User tries to change password via Azure AD SSPR but receives 'Your password was changed on-premises, try again' error.
The user's account is synced from on-premises AD, and Azure AD is not the authority for password changes. The password must be changed on-premises first, then synced up. Writeback may not be enabled.
Exam clue: Tested in AZ-104 and MS-102: the key is remembering that for federated or synced users, password changes must be done at the source (on-premises) unless Password writeback is configured.
AWS IAM password policy not enforced for all users
Symptom: Some IAM users have accounts with passwords shorter than the minimum set in the password policy.
AWS IAM password policy applies to new passwords at creation time. Existing users are not forced to update their passwords automatically. Also, the policy does not apply to users using access keys or those belonging to groups with other policies.
Exam clue: This is a trick in AWS SAA: know that password policy affects password creation, not existing passwords. To enforce, an admin must force a password reset or rotate all passwords.
Password history bypass via quick password rotation
Symptom: User changes password multiple times in one day to reach the same old password, proving the history setting is ineffective.
If the PasswordReusePrevention or Enforce password history setting is set to 12, but the user changes the password 13 times in a row, the 13th change can reuse the original password because only the last 12 are remembered. This is a known abuse that the policy must be paired with a Minimum password age setting (often 1-2 days) to prevent rapid cycling.
Exam clue: Security+ and CISSP: question asks 'what is missing to prevent password cycling?' The answer is Minimum password age.
Group Policy applied but password policy unchanged for AD users
Symptom: After setting a password policy via GPO, users still can use weak passwords that violate the policy. gpresult shows the GPO is applied.
Password policies in Active Directory are enforced at the domain level, not through GPO for Group Policy objects that are not at the Default Domain Policy or a Fine-Grained Password Policy. The 'Password Policy' GPO settings only override if they are applied to the domain OU. The default domain policy must be edited, or a FGPP must be created and linked.
Exam clue: Tested in MD-102 and MS-102: remember that password policy is a domain security setting, not a normal GPO setting. The correct approach is to edit the Default Domain Policy or use Active Directory Administrative Center for FGPP.
User locked out but lockout duration set to '0' (until admin unlocks)
Symptom: A user account becomes locked after failed attempts but never auto-unlocks even after hours. Admin checks settings: lockout duration is 0.
A lockout duration of 0 means the account remains locked until an administrator manually unlocks it. This is often used for high-security accounts but can cause prolonged user lockout. The setting is typically changed to 15-30 minutes for production.
Exam clue: This is a direct question in Security+ and A+ exams: 'What does a lockout duration of 0 mean?' It means indefinite lockout requiring admin action.
Azure AD Password Protection blocking legitimate passwords
Symptom: Users report that strong passwords like 'Summer2024!' are rejected even though they meet complexity.
Azure AD Password Protection maintains a global banned password list that includes common patterns like seasons + year. 'Summer2024!' is likely on the banned list because attackers commonly use seasonal-year combinations. Also, the admin may have added a custom banned list that blocks company name or location.
Exam clue: SC-900 and MS-102 exam questions will ask why a seemingly strong password is blocked. The answer is the global or custom banned password list.
Memory Tip
Remember 'P.L.A.C.E.H.' for password policy: P (Password length - at least 14), L (Lockout - after 5 fails), A (Age - 90 days max), C (Complexity - 3 of 4 types), E (Enforce history - 24), H (Host MFA - don't forget it).
Learn This Topic Fully
This glossary page explains what Password policy means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →ISC2 CCISC2 CC →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →CDLGoogle CDL →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Quick Knowledge Check
1.A company wants to prevent users from reusing their last 12 passwords. They also want to ensure a user cannot change their password multiple times in one day to quickly reuse an old password. What additional setting must be configured?
2.In AWS IAM, which of the following is NOT configurable in the account password policy?
3.A user in a hybrid Azure AD environment cannot change their password using the Microsoft 365 portal and receives an error that the password must be changed on-premises. What is the most likely reason?
4.An administrator configures a password policy with a lockout threshold of 3, lockout duration of 30 minutes, and reset counter after 30 minutes. An attacker attempts password spraying with one guess per user every 31 minutes. How many guesses can the attacker try per user in 24 hours?
5.Which command is used to set the default domain password policy in an on-premises Active Directory environment?
6.A password policy includes 'Minimum password length 8, require complexity, maximum password age 90 days, password history 12, lockout threshold 5, lockout duration 15 min.' Which of the following attacks is this policy LEAST effective against?
7.In Azure AD (Entra ID), which setting is recommended by Microsoft as of 2021 regarding password expiration?
Frequently Asked Questions
What is the best minimum password length recommended by current standards?
NIST SP 800-63B recommends a minimum of 14 characters for user-chosen passwords. This provides a good balance between security and usability.
Should I force users to change passwords every 30 days?
Modern best practice from NIST says no, unless there is evidence of compromise. Frequent forced changes lead to weaker passwords. A 90-day or longer rotation, combined with MFA, is often more secure.
Does a password policy in Active Directory apply to local accounts on computers?
No, a domain-level password policy only applies to domain user accounts. Local accounts on computers must be managed separately, often through local security policies or group policy preferences.
What is the difference between password policy and account lockout policy?
Password policy governs the rules for creating and managing passwords (length, complexity, age, history). Account lockout policy governs what happens after too many failed login attempts (lockout threshold, duration). Both are configured in the same Group Policy section.
Can I apply different password policies to different groups of users?
Yes, in Active Directory you can use Fine-Grained Password Policies (FGPOs) to apply different policies to different security groups. Windows Server 2008 and later support FGPOs. In Microsoft Entra ID, you can configure policy per user or group through authentication methods.
What happens if a user's password expires and they do not change it?
The user will be forced to change their password at next login, and they cannot access any resources until they do. Some systems may allow a grace period, but generally the account is disabled for interactive logon until the password is reset.
Is it safe to write down passwords if they are kept in a secure place?
Most password policies prohibit writing passwords down. If passwords must be recorded, they should be stored in a secure password vault with encryption and access control, not on a sticky note or a plain text file.
Summary
A password policy is a foundational security control that defines how users create, manage, and rotate their passwords. It includes parameters such as minimum length, complexity, history, expiration, and account lockout. While a strong password policy is essential, it must be part of a broader security strategy that includes multi-factor authentication, user education, and monitoring.
In IT certification exams, password policy appears across many domains, from access control and identity management to security operations. You must be able to apply best practices, configure policies, and troubleshoot issues. Remember that modern best practice prioritizes longer passwords over frequent changes, and that lockout policies are critical for preventing brute-force attacks.
For professionals, implementing a password policy requires balancing security with usability. Overly strict policies can lead to bad user behavior and increased support costs. The goal is to create a policy that provides adequate protection for the organization's data while minimizing friction for users. By mastering password policy, you help protect your organization from one of the most common attack vectors: weak credentials.