
Windows Maximum Password Age

This setting forces users to change their password on a regular basis. The maximum age can be set between 1 and 999 days; if it is set to 0, the password never expires.

There is great disagreement about whether and how this control should be used, and it all goes back to the human element. Some argue that since users do sometimes share their password, password expiration is the only way to eventually close the window of opportunity for the account to be used by someone else. Others make the point that frequently forcing users to change their password encourages the selection of easy-to-guess passwords, leads to passwords written on Post-it notes, and increases help desk support calls.

As you can see from my commentary at the parent level, I think you need to take a holistic approach to password policy, one that engages the humans involved as well as all of the configuration settings for both password policy and account lockout policy.

An excellent discussion of password age, with opinions expressed by all sides, can be found at http://ask.metafilter.com/33434/Password-expiration-best-practices.html. I tend to agree with the majority of the comments, which were on the side of disabling password expiration in favor of training users to select strong passwords and follow other good password practices. And if you are really worried about users exploiting passwords that have been shared with them, follow the tip from the MetaFilter discussion: when someone changes departments or roles, force everyone in that department to change their password at that point.

Bottom line

For most commercial networks, set it to 90+.
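The following PowerShell is an added example, not code from the WinSecWiki page: it reads the maximum password age from the default domain password policy, reports whether expiration is in effect (the 1 to 999 day range versus 0 for never expires), lists enabled accounts whose password is older than that maximum or that are exempt via PasswordNeverExpires, and shows (commented out) how to apply the 90-day recommendation above and the per-department forced change mentioned earlier. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the domain policy; the group name `<department-group>` is a placeholder.

```powershell
# Added example (not from the WinSecWiki page). Assumes the ActiveDirectory
# PowerShell module is available and the caller can read the default domain
# password policy. The 90-day value is the page's "Bottom line" recommendation.

Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy
$maxAge = $policy.MaxPasswordAge   # TimeSpan

# The setting accepts 1..999 days; 0 disables expiration. Anything outside that
# range is treated here as "never expires" (assumption about how 0 surfaces).
$expires = ($maxAge.TotalDays -ge 1 -and $maxAge.TotalDays -le 999)
if ($expires) {
    Write-Output ("Maximum password age: {0} days" -f [int]$maxAge.TotalDays)
} else {
    Write-Output "Maximum password age: passwords never expire"
}

# Audit window: the configured maximum, or the page's 90-day recommendation
# when expiration is disabled (shows how many passwords would be stale under it).
$auditDays = if ($expires) { [int]$maxAge.TotalDays } else { 90 }
$cutoff    = (Get-Date).AddDays(-$auditDays)

# Enabled users whose password is older than the window, or who are exempt from
# expiration. These are the accounts where a shared password keeps working.
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $_.PasswordNeverExpires -or
        ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff)
    } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Apply the 90-day recommendation to the default domain policy (Domain Admin).
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MaxPasswordAge (New-TimeSpan -Days 90)

# Local (non-domain) equivalent: inspect, then set, the same setting.
# net accounts
# net accounts /maxpwage:90

# Forced change for one department after a role change (placeholder group name):
# Get-ADGroupMember -Identity '<department-group>' | Set-ADUser -ChangePasswordAtLogon $true
```

Run the audit section first on a read-only basis; the `Set-` and `net accounts /maxpwage` lines are left commented so the script reports before it changes anything.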
