Users can sign in to their user accounts created on Windows, whether a Local or a Microsoft account, through their Personal Identification Number (PIN), as opposed to entering their entire lengthy passwords. This sign-in method has long been a part of Windows Hello in the Windows operating system.
The default state of the PIN is for simple numerical characters between 4 and 127. However, this can be changed to keep the quick sign-in option (PIN) while increasing the security of your computer.
Before we begin showing you how to manage the different properties of your Windows Hello PIN, it is important to understand why you should make it a bit more complex.
Table of Contents
How a Complex PIN Enhances Security
When we talk of a “complex PIN,” we do not just mean a lengthy one. It means that it could have special characters, numbers, a minimum length, and both upper and lower-case alphabets.
Let’s assume that you have configured a 4-digit regular PIN on your Windows computer that only includes numbers. In the case of a Brute force attack where an algorithm tries all combinations for your PIN, it will normally take the software to crack your code rather quickly.
In an example, it was found that it takes a robot only 20 hours to insert all 10,000 possible PIN combinations with 4 digits. However, if the number was raised from 4 digits to 6 digits, it will increase the time taken to crack the PIN significantly.
Now imagine you added alphabets too, and special characters, and increased the minimum PIN length to 8. The number of possible combinations would be too much for an algorithm to execute, hence enhancing your system’s security in case of a Brute force attack.
That said, you may be wondering why not configure a regular password and not a complex PIN since it becomes the same thing.
Well, PINs are local to the device. Meaning, if you are using a Microsoft account to sign in, and your PIN is compromised, the attacker would only be able to access your PC. However, if your password is compromised, the attacker will gain access not only to your account but all other devices that you are signed in to.
Therefore, it is important to use a PIN and configure it to be a little more complex than standard on a Windows PC.
How to Set Up Windows Hello PIN
Before we begin to manage the characteristics of the PIN, let us show you how you can create a sign-in PIN for your account on Windows 11/10. Often users prefer creating this right after a fresh Windows installation, as it is more convenient to sign in to their accounts. Plus, a PIN is much easier to remember.
Follow the steps below to configure a PIN sign-on:
-
Navigate to the following:
Settings app >> Accounts >> Sign-in options
-
Click “PIN (Windows Hello).”
-
Click “Set up.”
-
Enter your password for verification.
-
Enter and confirm your new PIN and click Ok.
Note that the PIN should be at least 4 digits long if you have left the settings to their default.
You may also check the box next to “Include letters and symbols” to make the PIN alpha-numeric.
You have now successfully configured the Windows PIN Sign-on. If at any point you want to change or remove the PIN, simply navigate back to the Sign-in Options settings page and click on the given options.
How to Manage Windows Hello PIN Complexity using Group Policy
When configuring the Windows Hello PIN, a user is presented with minimal options to change. For example, all the options they have are the lengths of the PIN, and whether to make it alpha-numeric.
However, using the Group Policy Editor in Windows, you can change the requirements for which an essential PIN should be.
If you are using the Windows Home edition, then you will need to explicitly download and install the Group Policy Editor.
There are several options you can configure from the Group Policy Editor to manage your PIN requirements. We have listed and discussed the different Group Policies that you can control to make your system more secure through PIN complexity.
First, open the Group Policy Editor by typing in “gpedit.msc” in the Run Command box, then navigate to the following from the left pane:
Computer Configuration >> Administrative Templates >> System >> PIN Complexity
You are then presented with a number of options to configure.
Let’s cover each Group Policy one by one so you understand what they are used for and how to configure them.
Require Digits
Enabling this option makes it mandatory for the user to use at least one digit in the PIN. Previously, by checking the box next to Include letters and symbols, users could create a PIN entirely out of alphabets. A sysadmin can make sure users insert a number into their PIN to make it more secure by enabling this policy.
Follow these steps to enable the requirement of digits inside a PIN:
-
Double-click the “Require digits” Group Policy.
-
Select “Enabled” and click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
Configuring a new PIN will now make the use of digits mandatory.
To disable this property, all you must do is Disable or Not Configure the policy.
Require Lowercase Letters
As the title depicts, this option lets the users ensure that there is at least one lowercase letter in the PIN that is created. You can enable this by following these steps:
-
Double-click the “Require lowercase letters” Group Policy.
-
Select “Enabled” and click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
Maximum PIN Length
By enabling this option, you can set the maximum length of the characters that can be used by a user in a PIN. However, the range must be between 4 and 127, as permitted by Windows.
If you enter a number below 4, the following error is given:
Similarly, entering a number above 127 will result in the following:
Follow these steps to configure the maximum PIN length:
-
Double-click the “Maximum PIN length” Group Policy.
-
Select “Enabled” and then enter the maximum PIN length that you want to set.
-
Now click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
Minimum PIN length
This option sets the minimum character length to be allowed to users when setting their PIN. Setting this to a number greater than 4 would increase the security of the PIN by making it more complex.
Here is how to configure it:
-
Double-click the “Minimum PIN length” Group Policy.
-
Select “Enabled” and then enter the minimum PIN length that you want to set.
-
Now click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
Expiration
By enabling the Expiration Group Policy, the administrator can set a limit on a PIN to last. Meaning, any configured PIN will expire after the said number of days, and the user will then be prompted to create a new PIN.
The value can be set in the number of days from 0 to 730 (2 years). By default, the value is 0, which means that the PIN never expires.
An expired PIN simply needs changing, ensuring that the PIN is changed frequently. This makes your computer more secure in case a previous PIN combination was hacked/known.
-
Double-click the “Expiration” Group Policy.
-
Select “Enabled” and then enter the number of days after which the PIN will expire.
-
Now click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
If you wish to change this setting in the future and not make the PINs expire, simply select “Disabled” or “Not Configured” from the Group Policy.
History
The History Group Policy, when enabled, does not allow the user to reuse the pre-set last number of PINs. Meaning, a user cannot use their old PIN again as their new PIN. The number of unusable past PINs can be configured from 1 to 50. Here’s how:
-
Double-click the “History” Group Policy.
-
Select “Enabled” and then enter a number for PINs used in the past that are not allowed to be reused.
-
Now click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
Require Special Characters
By enabling this option, users are bound to use special characters in their PINs. It would only make the PIN more secure by increasing its complexity level. Here is a list of the special characters that are allowed: ! ” # $ % & ‘ ( ) * + , – . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ .
-
Double-click the “Require special characters” Group Policy.
-
Select “Enabled” and then click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
Require Uppercase Letters
Similar to “Require lowercase characters”, you can also configure user PINs to have uppercase characters as well. This will also increase the complexity of the PINs created.
-
Double-click the “Require uppercase letters” Group Policy.
-
Select “Enabled” and click Apply and Ok.
-
Run the following cmdlet in an elevated Command Prompt to enforce the changes.
GPUpdate /Force
These are all the PIN configurations that you can manage from the Group Policy settings.
However, if your system is registered with the Azure Active Directory of an enterprise, you can also use PIN recovery in case you forgot your PIN without losing any of your data.
Configuring PIN Recovery
Note that PIN recovery only works with devices registered with Azure Active Directory.
You can enable the “PIN Recovery” Group Policy early on to be able to recover your forgotten PIN. Here is how:
-
Open the Group Policy editor by typing in “gpedit.msc” in the Run Command box.
-
Navigate to the following from the left pane:
Computer Configuration >> Adninistrative Templates >> Windows Components >> Windows Hello for Business
-
Double-click the policy “Use PIN Recovery.”
-
Select “Enabled,” then click Apply and Ok.
-
Now run the following cmdlet in an elevated Command Prompt for the changes to take effect:
GPUpdate /Force
Closing Words
Using these options from the Group Policy Editor individually might not be as effective as using them in combination. For example, by making it mandatory for a PIN to have both upper and lowercase alphabets, as well as special characters and numerical characters, the PIN would become really complex to decode through social engineering.
However, a PIN should not be so complex that it cannot be differentiated from a regular password, as the main purpose of the Windows Hello PIN is to make it easier for people to log in to their accounts.