Windows Server 2008 "Password must meet complexity requirements"

Many of my students ask why they can’t use a “simple” password in Windows Server 2008. The reason is the default password policy setting in 2008:

A default Windows Server 2008 installation has the “Password must meet complexity requirements” option enabled in the local policy. This will force the user to come up with a complex password. The new password must meet the following minimum requirements:

  • The password is at least six characters long.
  • The password contains characters from three of the following four categories:
    • English uppercase characters (from A through Z)
    • English lowercase characters (from a through z)
    • Base 10 digits (from 0 through 9)
    • Non-alphanumeric characters (for example: !, $, #, or %)
  • The password does not contain three or more characters from the user’s account name. If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user’s full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes, hyphens, underscores, spaces, number signs (#), and tab characters. Each token that is three or more characters long is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Because the second token is only one character long, it would be ignored. Therefore this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. None of these checks are case-sensitive.
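
The three rules above can be expressed as a small checker. This is an added example, not code from Windows or from the original post. It assumes ASCII input, treats every character that is not A-Z, a-z or 0-9 as non-alphanumeric, and matches the account name as a whole substring; the function names are hypothetical and the sample names are constructed.

```python
import re

# Delimiters the page lists for splitting the full name into tokens:
# commas, periods, dashes/hyphens, underscores, spaces, number signs, tabs.
NAME_DELIMITERS = r"[,.\-_ #\t]+"
MIN_LENGTH = 6  # minimum length stated on this page


def category_count(password):
    """Count how many of the four character categories are present."""
    checks = (
        r"[A-Z]",         # English uppercase
        r"[a-z]",         # English lowercase
        r"[0-9]",         # base 10 digits
        r"[^A-Za-z0-9]",  # non-alphanumeric (assumption: ASCII input only)
    )
    return sum(1 for pattern in checks if re.search(pattern, password))


def name_tokens(full_name):
    """Split the full name on the delimiters; keep tokens of 3+ characters."""
    return [t for t in re.split(NAME_DELIMITERS, full_name) if len(t) >= 3]


def check_password(password, account_name, full_name):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if category_count(password) < 3:
        problems.append("fewer than three character categories")
    lowered = password.lower()  # the name checks are not case-sensitive
    # Assumption: the account name is matched as one whole substring,
    # and skipped when it is shorter than three characters.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            problems.append("contains name token '%s'" % token)
    return problems


if __name__ == "__main__":
    # Constructed sample: the account name "ehagens" is made up for this demo.
    for candidate in ("Passw0rd", "Erin2008!", "abc"):
        print(candidate, check_password(candidate, "ehagens", "Erin M. Hagens"))
```

A password such as “Passw0rd” passes all three rules, which shows that the policy enforces character variety and name exclusion, not resistance to guessing.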
