ToolSec

Password Policy Generator

Turn your password rules into a written policy plus Linux PAM and Windows config.

Updated: June 26, 2026

From rules to ready-to-deploy policy

Choose your requirements — minimum length, character classes, expiry, history, lockout and MFA — and this generator produces three things at once: a plain-English policy you can drop into a handbook, a Linux pam_pwquality configuration, and Windows Group Policy settings. It saves IT admins from translating the same rules into three different formats by hand.

Modern guidance: length over complexity

The biggest shift in password policy over the last decade is away from forced complexity and frequent expiry. NIST SP 800-63B now recommends:

  • Favour length. A longer passphrase beats a short string of mixed symbols. Aim for a high minimum (12–16+).
  • Don't force periodic expiry unless there's evidence of compromise — routine 90-day changes lead to weaker, predictable passwords.
  • Screen against breached-password lists rather than imposing arbitrary composition rules.
  • Require MFA. It defends accounts even when a password leaks.

The generator reflects this: set expiry to 0 to follow the no-forced-expiry guidance, and it will note that in the policy.

What you get for each platform

  • Linux (PAM) — pwquality.conf settings for minlen, minclass and per-class credits, plus a note for password history in pam.d.
  • Windows — Group Policy / secedit values for length, complexity, max age, history size and lockout count.
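As an added example (not the generator's own code), the rule-to-config mapping written out in Python: one Rules object feeds a pam_pwquality configuration, a pam_pwhistory line for pam.d, and a secedit [System Access] section. The Rules class and its default values are constructed; the config keys are the real pam_pwquality, pam_pwhistory and secedit names.

```python
from dataclasses import dataclass

@dataclass
class Rules:
    """One set of password rules (constructed example values)."""
    min_length: int = 14
    min_classes: int = 3        # distinct character classes required
    require_digit: bool = True
    require_upper: bool = True
    require_lower: bool = True
    require_symbol: bool = False
    expiry_days: int = 0        # 0 = no forced expiry, per NIST SP 800-63B
    history: int = 10           # previous passwords that cannot be reused
    lockout: int = 5            # failed logons before the account locks

def pwquality_conf(r: Rules) -> str:
    """Lines for /etc/security/pwquality.conf. A credit of -1 means
    'at least one character of this class'; 0 neither requires nor credits it."""
    lines = [f"minlen = {r.min_length}", f"minclass = {r.min_classes}"]
    for key, required in (("dcredit", r.require_digit), ("ucredit", r.require_upper),
                          ("lcredit", r.require_lower), ("ocredit", r.require_symbol)):
        lines.append(f"{key} = {-1 if required else 0}")
    lines.append("enforce_for_root")   # otherwise root bypasses the checks
    return "\n".join(lines)

def pam_history_line(r: Rules) -> str:
    """pam_pwhistory entry for the password stack in /etc/pam.d;
    pwquality.conf itself has no history setting."""
    return f"password  requisite  pam_pwhistory.so remember={r.history} use_authtok"

def secedit_system_access(r: Rules) -> str:
    """[System Access] section of a secedit .inf template.
    -1 for MaximumPasswordAge means passwords never expire.
    Caveat: older Windows builds cap MinimumPasswordLength at 14."""
    complexity = 1 if r.min_classes >= 3 else 0   # Windows' 3-of-4 classes rule
    max_age = -1 if r.expiry_days == 0 else r.expiry_days
    return "\n".join([
        "[System Access]",
        f"MinimumPasswordLength = {r.min_length}",
        f"PasswordComplexity = {complexity}",
        f"MaximumPasswordAge = {max_age}",
        f"PasswordHistorySize = {r.history}",
        f"LockoutBadCount = {r.lockout}",
    ])
```

Apply the Linux output with the usual `password requisite pam_pwquality.so` line already present in the distribution's pam.d stack, and import the Windows section with `secedit /configure`.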

Balance security and usability

Overly strict rules backfire: users write passwords down, reuse them, or append "1!" to meet requirements. A strong but usable policy — generous length, MFA, no pointless expiry — keeps accounts safe without driving bad habits. Help users meet the bar with our password generator and let them check strength with the strength checker.

Frequently asked questions

Should passwords expire every 90 days?

Modern guidance (NIST 800-63B) says no — forced periodic expiry leads to weaker, predictable passwords. Only force a change when there's evidence of compromise. Set expiry to 0 to follow this.

Is complexity (upper/lower/digit/symbol) still recommended?

Less than before. NIST favours length and breached-password screening over rigid composition rules. Some compliance frameworks still require complexity, so the generator lets you enable it when needed.

What config formats does it produce?

A plain-English policy summary, a Linux pam_pwquality configuration, and Windows Group Policy / secedit settings — all from the same set of rules.

Why require MFA in the policy?

Multi-factor authentication protects an account even if the password is stolen or guessed. It's one of the highest-impact controls you can mandate.

Enforce and manage credentials

A policy is only effective if it's enforced and backed by good tooling:

  • Identity provider / SSO with MFA — Centralise authentication, enforce password and MFA policy, and screen against breached credentials automatically.
  • Enterprise password manager — Let employees generate and store strong unique passwords so your length requirements are painless to meet.
