How To Configure Password Age for Local Accounts in Windows 10 and Windows 11


This step-by-step guide demonstrates how to configure password age in Windows 10 and Windows 11. It includes instructions for changing the maximum password age and minimum password age using Local Security Policy and the Command Prompt.

Changing password expiration security settings in Windows 10 and Windows 11 can help secure your home and small business devices by preventing the use of old passwords that may have leaked and encouraging your family and colleagues to follow good security practices.

Step-by-step instructions for configuring password age for local accounts in Windows 10 and 11

Prerequisites for changing password expiry in Windows

To change the minimum and maximum password age settings, you must be logged in as an administrator and have password expiration enabled.

Note: The methods below that use the Local Security Policy are only available in the Pro and Enterprise versions of Windows 10 and Windows 11. Home users can only use the Command Prompt instructions.

What is password expiration in Windows?

Password expiration forces users to change their passwords when the current password has reached a configured minimum or maximum age. Password expiration is disabled by default in Windows 10 and Windows 11.

What is the minimum password age?

The minimum password age is the number of days that a password must be used before a user is allowed to change it. This prevents users from changing passwords too frequently.

In Windows 10 and Windows 11, the minimum password age can be configured between 0 and 998 days. The minimum password age must always be less than the maximum password age, unless the latter is set to 0 (meaning that passwords never expire). Setting the minimum password age to 0 (the default) means that the user can change their password as frequently as they wish.

Configuring minimum password age using Local Security Policy

Follow these steps to set the minimum password age in Windows 10 and Windows 11:

  • Right-click on the Start button and click Run
  • Enter secpol.msc in the Run dialog and press OK
  • Under Security Settings in the navigation tree in the left panel, click Account Policies and then Password Policy

  • In the policy list in the right panel, double-click the Minimum password age policy
  • Enter a value between 0 and 998 (the number of days that should apply) and then press OK to confirm the change


Configuring minimum password age using the Command Prompt

To configure the minimum password age for a user in Windows 10 or Windows 11 using the Command Prompt or PowerShell, enter the following command: net accounts /minpwage:NUMBER

Replace NUMBER with the number of days for the minimum password age. Note that you must run this command using an elevated (administrative) Command Prompt or PowerShell session.

What is the maximum password age (expiry)?

The maximum password age specifies how many days a password can be used before the user is forced to change it. This can have a value between 0 and 999 days. If the maximum password age is set to zero, the password never expires. When set to 0, any minimum password age between 0 and 998 can be configured.

The default maximum password age in Windows 10 and Windows 11 is 42 days. However, this default only applies once password expiration is enabled; when it is disabled, the minimum and maximum settings are ignored and passwords will never expire.

Configuring maximum password age using Local Security Policy

The steps for setting the maximum password age are largely the same, except that you change the Maximum password age policy (with a value between 0 and 999) instead of the Minimum password age policy in the Local Security Policy editor.

Configuring maximum password age using the Command Prompt

To set the maximum password age from the Command Prompt or PowerShell, enter the following command in an elevated (administrative) prompt: net accounts /maxpwage:NUMBER

Again, replace NUMBER with the number of days you want to set for the maximum password age.

Use cases and practical scenarios

Configuring password age settings for local accounts in Windows 10 and Windows 11 is useful for home users and small businesses who do not use a Windows Domain to centralize the configuration of Windows security settings.

Setting password expiry limits ensures that old passwords that may have been part of a breach are not in continued use. Password expiry may also be a requirement for compliance with security standards such as Payment Card Industry Data Security Standard (PCI DSS), which stipulates that user passwords must be changed every 90 days.

Recommendations and troubleshooting

You can view the currently configured minimum and maximum password ages from the Command Prompt or PowerShell by running the following command: net accounts
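The set and view commands above combined into one PowerShell routine, as an added example that is not part of the original article: it checks the stated ranges and the minimum-below-maximum rule before calling net accounts, reads the policy back, and lists enabled accounts that have no expiry date. The function names, the sample values 1 and 90, and the English-language net accounts output are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Function names and the sample values (1 and 90) are illustrative.

function Get-LocalPasswordAge {
    # Parse the two age lines from "net accounts" (assumes English-language output).
    $ages = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(Minimum|Maximum) password age \(days\):\s+(\S+)') {
            $ages[$Matches[1]] = $Matches[2]
        }
    }
    $ages
}

function Set-LocalPasswordAge {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 998)][int]$MinDays,
        [Parameter(Mandatory)][ValidateRange(0, 999)][int]$MaxDays
    )
    # Rule from the article: minimum < maximum unless maximum is 0 (never expires).
    if ($MaxDays -ne 0 -and $MinDays -ge $MaxDays) {
        throw "Minimum age ($MinDays) must be less than maximum age ($MaxDays)."
    }
    # net accounts expresses "never expires" as UNLIMITED.
    $max = if ($MaxDays -eq 0) { 'UNLIMITED' } else { "$MaxDays" }

    # Pass both switches in one call so the new pair is checked together,
    # not against whichever old value is still in place.
    net accounts "/minpwage:$MinDays" "/maxpwage:$max" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE." }

    # Read the policy back and compare it with what was requested.
    $now = Get-LocalPasswordAge
    $expectedMax = if ($MaxDays -eq 0) { 'Unlimited' } else { "$MaxDays" }
    if ($now['Minimum'] -ne "$MinDays" -or $now['Maximum'] -ne $expectedMax) {
        throw "Policy readback mismatch: min=$($now['Minimum']) max=$($now['Maximum'])"
    }
    $now
}

Set-LocalPasswordAge -MinDays 1 -MaxDays 90

# Enabled accounts for which Windows reports no expiry date; the age policy
# has no effect on these until expiration is enabled for the account.
Get-LocalUser |
    Where-Object { $_.Enabled -and $null -eq $_.PasswordExpires } |
    Select-Object Name, PasswordLastSet
```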


If you have recently changed your password policies, you can force users to change their passwords on the next login. If you want to reset the minimum and maximum password ages to their defaults, you can reset all Local Security Policy settings.

You should set your password expiry policies to reflect the requirements your business must meet under legal regulations or industry standards.

However, be aware that forcing users to change their passwords too frequently may have the opposite of the intended effect. They may resort to simpler passwords, writing down passwords to remember them, or simply recycling old passwords and appending a number to the end (something attackers will certainly try as well).

Managing password security policies in critical enterprise environments

Configuring minimum and maximum password ages in Windows 10 and Windows 11 can help with compliance, but is not considered best practice, and may lead to a false sense of security for users.

Your IT infrastructure and the data it holds are critical to the survival of your business, and must be protected by robust security mechanisms including security and password policies. NinjaOne provides a unified endpoint management platform for managing your entire IT deployment, from servers to user devices, which lets you manage security settings and monitor for suspicious activity.

 
