Password Complexity Requirements


This article describes the best practices and security considerations for the Password Must Meet Complexity Requirements security policy setting. Complexity requirements are enforced when passwords are changed or created.



Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements.

Password Complexity Requirements

  1. Passwords may not contain the user's Account Name or Full Name.
  2. The password contains characters from three of the following categories:

  • At least 12 characters in length.
  • Uppercase letters
  • Lowercase letters
  • Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.