Password Policy Generator
Turn your password rules into a written policy plus Linux PAM and Windows config.
Updated: June 26, 2026
From rules to ready-to-deploy policy
Choose your requirements (minimum length, character classes, expiry, history, lockout and MFA) and this generator produces three things at once: a plain-English policy you can drop into a handbook, a Linux pam_pwquality configuration, and Windows Group Policy settings. It saves IT admins from translating the same rules into three different formats by hand.
Modern guidance: length over complexity
The biggest shift in password policy over the last decade is away from forced complexity and frequent expiry. NIST SP 800-63B now recommends:
- Favour length. A longer passphrase beats a short string of mixed symbols. Aim for a high minimum (12–16+); NIST's own floor is lower (8 characters, or 15 for single-factor use in the latest revision), but a higher minimum costs users little once they use passphrases.
- Don't force periodic expiry unless there's evidence of compromise — routine 90-day changes lead to weaker, predictable passwords.
- Screen against breached-password lists rather than imposing arbitrary composition rules.
- Require MFA. It defends accounts even when a password leaks.
The generator reflects this: set expiry to 0 to follow the no-forced-expiry guidance, and it will note that in the policy.
What you get for each platform
- Linux (PAM): pwquality.conf settings for minlen, minclass and the per-class credits (dcredit, ucredit, lcredit, ocredit), plus a note for password history in pam.d (pam_pwhistory).
- Windows: Group Policy / secedit values for length, complexity, max age, history size and lockout count.
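As an added illustration of what the generator does (example code written for this page, not the tool's own source), the script below turns one rule set into the three outputs: handbook wording, a pam_pwquality fragment with the matching pam.d lines, and a secedit template. The dataclass fields, function names and the default values are assumptions for the example. The INF key names and the convention that secedit encodes "password never expires" as -1 follow the format `secedit /export` produces; verify against an export from your own domain before deploying.

```python
"""Generate a plain-English policy, a Linux pam_pwquality/pam.d fragment and a
Windows secedit template from one set of password rules (example for this page)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    min_length: int = 14          # characters; length carries most of the strength
    min_classes: int = 1          # upper/lower/digit/symbol classes required (1 = none)
    expiry_days: int = 0          # 0 = no forced periodic change (NIST SP 800-63B)
    history: int = 5              # previous passwords that may not be reused
    lockout_threshold: int = 10   # failed logons before lockout (0 = never lock)
    require_mfa: bool = True


def policy_text(r: PasswordRules) -> str:
    """Handbook wording derived from the rules."""
    lines = [f"Passwords must be at least {r.min_length} characters long."]
    if r.min_classes > 1:
        lines.append(f"Passwords must contain at least {r.min_classes} of: "
                     "uppercase, lowercase, digits, symbols.")
    else:
        lines.append("No character-class requirements; long passphrases are encouraged instead.")
    if r.expiry_days == 0:
        lines.append("Passwords do not expire; change them only on evidence of compromise.")
    else:
        lines.append(f"Passwords must be changed every {r.expiry_days} days.")
    lines.append(f"The last {r.history} passwords may not be reused.")
    if r.lockout_threshold:
        lines.append(f"Accounts lock after {r.lockout_threshold} consecutive failed logons.")
    if r.require_mfa:
        lines.append("Multi-factor authentication is required for all accounts.")
    return "\n".join(lines)


def pam_pwquality_conf(r: PasswordRules) -> str:
    """/etc/security/pwquality.conf fragment.

    Per-class credits default to 1 and LOWER the effective length: with the
    defaults, minlen = 14 accepts a 10-character password that uses all four
    classes. Setting every credit to 0 makes minlen a true minimum."""
    return "\n".join([
        f"minlen = {r.min_length}",
        f"minclass = {r.min_classes}",
        "dcredit = 0",
        "ucredit = 0",
        "lcredit = 0",
        "ocredit = 0",
        "dictcheck = 1",          # reject dictionary words
        "enforce_for_root = 1",   # root is not exempt
    ])


def pam_d_fragment(r: PasswordRules) -> str:
    """History and lockout live in the pam.d stacks, not in pwquality.conf."""
    lines = [f"password  required  pam_pwhistory.so  remember={r.history} use_authtok"]
    if r.lockout_threshold:
        lines.append(f"auth      required  pam_faillock.so   preauth "
                     f"deny={r.lockout_threshold} unlock_time=900")
    return "\n".join(lines)


def windows_secedit_inf(r: PasswordRules) -> str:
    """Template for `secedit /configure /db policy.sdb /cfg policy.inf`."""
    max_age = -1 if r.expiry_days == 0 else r.expiry_days   # -1 = never expires
    # Windows complexity is all-or-nothing (3 of the 4 classes), so anything
    # below a 3-class requirement can only be expressed as "off".
    complexity = 1 if r.min_classes >= 3 else 0
    return "\n".join([
        "[Unicode]",
        "Unicode=yes",
        "[Version]",
        'signature="$CHICAGO$"',
        "Revision=1",
        "[System Access]",
        f"MinimumPasswordLength = {r.min_length}",
        f"PasswordComplexity = {complexity}",
        f"MaximumPasswordAge = {max_age}",
        f"PasswordHistorySize = {r.history}",
        f"LockoutBadCount = {r.lockout_threshold}",
    ])


if __name__ == "__main__":
    rules = PasswordRules()
    for title, body in [("Policy", policy_text(rules)),
                        ("pwquality.conf", pam_pwquality_conf(rules)),
                        ("pam.d", pam_d_fragment(rules)),
                        ("secedit INF", windows_secedit_inf(rules))]:
        print(f"== {title} ==\n{body}\n")
```

Two things the script makes explicit that the generated files do not: MFA cannot be expressed in either pwquality.conf or the secedit template (it lives in your identity provider), and the pam_pwquality credits must be zeroed or the minimum length you wrote down is not the one enforced.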
Balance security and usability
Overly strict rules backfire: users write passwords down, reuse them, or append "1!" to meet requirements. A strong but usable policy — generous length, MFA, no pointless expiry — keeps accounts safe without driving bad habits. Help users meet the bar with our password generator and let them check strength with the strength checker.
Frequently asked questions
Should passwords expire every 90 days?
Modern guidance (NIST 800-63B) says no — forced periodic expiry leads to weaker, predictable passwords. Only force a change when there's evidence of compromise. Set expiry to 0 to follow this.
Is complexity (upper/lower/digit/symbol) still recommended?
Less than before. NIST favours length and breached-password screening over rigid composition rules. Some compliance frameworks still require complexity, so the generator lets you enable it when needed.
What config formats does it produce?
A plain-English policy summary, a Linux pam_pwquality configuration, and Windows Group Policy / secedit settings — all from the same set of rules.
Why require MFA in the policy?
Multi-factor authentication protects an account even if the password is stolen or guessed. It's one of the highest-impact controls you can mandate. Prefer phishing-resistant methods (hardware security keys, or at least an authenticator app over SMS codes), since one-time codes can still be relayed by a phishing page.
Enforce and manage credentials
A policy is only effective if it's enforced and backed by good tooling:
- Identity provider / SSO with MFA: centralise authentication, enforce password and MFA policy, and screen against breached credentials automatically.
- Enterprise password manager: let employees generate and store strong unique passwords so your length requirements are painless to meet.
Learn more
- Bcrypt vs SHA-256: Why You Don't Hash Passwords with SHA SHA-256 is fast — which is exactly why it's the wrong way to store passwords. Here's why bcrypt (or Argon2) wins, and how salting and cost factors work.
- How to Create a Strong Password (and Why Length Wins) Forget swapping letters for symbols. Here's what really makes a password strong — entropy, length, uniqueness — and the simple system that beats memorising rules.
- What Is Two-Factor Authentication (2FA)? Why a password alone isn't enough — how 2FA works, the difference between SMS codes, authenticator apps and hardware keys, and which to choose.
Related tools
- Password Generator: create strong, random passwords with custom length and character sets, generated securely in your browser.
- Password Strength & Entropy Checker: measure a password's entropy in bits and estimate how long it would take to crack.
- GDPR Fine Calculator: estimate the maximum GDPR penalty from annual turnover and infringement tier.
- Data Breach Cost Estimator: estimate the financial impact of a data breach from records exposed and per-record cost.