Password Policy: Minimum Password Age

Best practices for configuring Vista password policy settings

In Windows Vista, the Minimum Password Age setting determines the period of time, in days, that a password can be used before the user must change it. You can set a password to expire anywhere between 1 and 999 days, or you can allow changes immediately by setting the Minimum Password Age to 0 days.

Minimum and Maximum Password Age

The Minimum Password Age setting must be lower than the Maximum Password Age setting unless the Maximum Password Age is set to zero, in which case the password never expires. If the Maximum password age is set to zero, the Minimum password age can be set to any value between 0 and 998.

Setting the Maximum Password Age to -1 has the same effect as setting it to zero: the password never expires. Setting it to any other negative number is the same as setting it to Not Defined.

Password Best Practices

Best practices suggest setting a Maximum password age of 60 days. This way, the window during which a password might be hacked and used stays small.

Setting a Minimum password age is useful in conjunction with Enforce Password History to prevent users from entering new passwords repeatedly to bypass Enforce Password History.
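
The rules above can be checked against an exported security policy. The following PowerShell is an added example, not part of the original article: the function name Test-PasswordAgePolicy is hypothetical, the sample policy text is constructed, and it assumes the `[System Access]` key names that `secedit /export` writes.

```powershell
# Added example: checks the age and history rules described above.
# Test-PasswordAgePolicy is a hypothetical helper; the sample values are constructed.
# On a real host, export the policy from an elevated prompt and pass the file's lines:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   Test-PasswordAgePolicy -InfLines (Get-Content "$env:TEMP\secpol.inf")
function Test-PasswordAgePolicy {
    param([string[]]$InfLines)

    # Read the numeric "Key = Value" pairs in the [System Access] section.
    $p = @{}; $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = $Matches[1] -eq 'System Access'
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $p[$Matches[1]] = [int]$Matches[2]
        }
    }
    $min = $p['MinimumPasswordAge']; $max = $p['MaximumPasswordAge']
    $hist = $p['PasswordHistorySize']
    if ($null -eq $min -or $null -eq $max) { return 'Password age settings are Not Defined' }

    $findings = @()
    if ($max -lt -1) {
        # Any negative value other than -1 behaves like Not Defined.
        $findings += "MaximumPasswordAge=$max behaves as Not Defined"
    } elseif ($max -le 0) {
        # 0 and -1 both mean the password never expires.
        $findings += 'Passwords never expire (MaximumPasswordAge is 0 or -1)'
        if ($min -gt 998) { $findings += "MinimumPasswordAge=$min is outside the range 0 to 998" }
    } else {
        if ($min -ge $max) { $findings += "MinimumPasswordAge ($min) must be lower than MaximumPasswordAge ($max)" }
        if ($max -gt 60) { $findings += "MaximumPasswordAge ($max) is above the 60 days suggested in the text" }
    }
    # With a minimum age of 0, users can change passwords repeatedly to cycle past the history.
    if ($hist -gt 0 -and $min -eq 0) {
        $findings += "PasswordHistorySize=$hist can be bypassed because MinimumPasswordAge is 0"
    }
    $findings
}

# Constructed sample in the layout secedit writes.
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
PasswordHistorySize = 24
'@ -split "`r?`n"

Test-PasswordAgePolicy -InfLines $sample
```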

This information applies to Windows Vista, Windows 8.1, Windows 8 and Windows 7, as well as to Windows Server 2008 R2 and Windows Server 2012 R2.