How To Manage Windows PIN Complexity Settings

PIN Complexity Windows 11 10PIN Complexity Windows 11 10

Users can sign in to their user accounts created on Windows, whether a Local or a Microsoft account, through their Personal Identification Number (PIN), as opposed to entering their entire lengthy passwords. This sign-in method has long been a part of Windows Hello in the Windows operating system.

The default state of the PIN is for simple numerical characters between 4 and 127. However, this can be changed to keep the quick sign-in option (PIN) while increasing the security of your computer.

Before we begin showing you how to manage the different properties of your Windows Hello PIN, it is important to understand why you should make it a bit more complex.

How a Complex PIN Enhances Security

When we talk of a “complex PIN,” we do not just mean a lengthy one. It means that it could have special characters, numbers, a minimum length, and both upper and lower-case alphabets.

Let’s assume that you have configured a 4-digit regular PIN on your Windows computer that only includes numbers. In the case of a Brute force attack where an algorithm tries all combinations for your PIN, it will normally take the software to crack your code rather quickly.

In an example, it was found that it takes a robot only 20 hours to insert all 10,000 possible PIN combinations with 4 digits. However, if the number was raised from 4 digits to 6 digits, it will increase the time taken to crack the PIN significantly.

Now imagine you added alphabets too, and special characters, and increased the minimum PIN length to 8. The number of possible combinations would be too much for an algorithm to execute, hence enhancing your system’s security in case of a Brute force attack.

That said, you may be wondering why not configure a regular password and not a complex PIN since it becomes the same thing.

Well, PINs are local to the device. Meaning, if you are using a Microsoft account to sign in, and your PIN is compromised, the attacker would only be able to access your PC. However, if your password is compromised, the attacker will gain access not only to your account but all other devices that you are signed in to.

Therefore, it is important to use a PIN and configure it to be a little more complex than standard on a Windows PC.

How to Set Up Windows Hello PIN

Before we begin to manage the characteristics of the PIN, let us show you how you can create a sign-in PIN for your account on Windows 11/10. Often users prefer creating this right after a fresh Windows installation, as it is more convenient to sign in to their accounts. Plus, a PIN is much easier to remember.

Follow the steps below to configure a PIN sign-on:

  1. Navigate to the following:

    Settings app >> Accounts >> Sign-in options
  2. Click “PIN (Windows Hello).”

    Open PIN settings
    Open PIN settings
  3. Click “Set up.”

    Set up a new PIN
    Set up a new PIN
  4. Enter your password for verification.

    Enter your password 1
    Enter your password
  5. Enter and confirm your new PIN and click Ok.

    Note that the PIN should be at least 4 digits long if you have left the settings to their default.

    Set up a PIN
    Set up a PIN

    You may also check the box next to “Include letters and symbols” to make the PIN alpha-numeric.

You have now successfully configured the Windows PIN Sign-on. If at any point you want to change or remove the PIN, simply navigate back to the Sign-in Options settings page and click on the given options.

Change or remove PIN
Change or remove PIN

How to Manage Windows Hello PIN Complexity using Group Policy

When configuring the Windows Hello PIN, a user is presented with minimal options to change. For example, all the options they have are the lengths of the PIN, and whether to make it alpha-numeric.

However, using the Group Policy Editor in Windows, you can change the requirements for which an essential PIN should be.

If you are using the Windows Home edition, then you will need to explicitly download and install the Group Policy Editor.

There are several options you can configure from the Group Policy Editor to manage your PIN requirements. We have listed and discussed the different Group Policies that you can control to make your system more secure through PIN complexity.

First, open the Group Policy Editor by typing in “gpedit.msc” in the Run Command box, then navigate to the following from the left pane:

Computer Configuration >> Administrative Templates >> System >> PIN Complexity

You are then presented with a number of options to configure.

PIN complexity Group Policy settings
PIN complexity Group Policy settings

Let’s cover each Group Policy one by one so you understand what they are used for and how to configure them.

Require Digits

Enabling this option makes it mandatory for the user to use at least one digit in the PIN. Previously, by checking the box next to Include letters and symbols, users could create a PIN entirely out of alphabets. A sysadmin can make sure users insert a number into their PIN to make it more secure by enabling this policy.

Follow these steps to enable the requirement of digits inside a PIN:

  1. Double-click the “Require digits” Group Policy.

    Require digits
    Require digits
  2. Select “Enabled” and click Apply and Ok.

    Enable mandatory digits in PIN
    Enable mandatory digits in PIN
  3. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

Configuring a new PIN will now make the use of digits mandatory.

To disable this property, all you must do is Disable or Not Configure the policy.

Require Lowercase Letters

As the title depicts, this option lets the users ensure that there is at least one lowercase letter in the PIN that is created. You can enable this by following these steps:

  1. Double-click the “Require lowercase letters” Group Policy.

    Require lowercase letters
    Require lowercase letters
  2. Select “Enabled” and click Apply and Ok.

    Make a lowercase alphabet mandatory in PIN
    Make a lowercase alphabet mandatory in PIN
  3. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

Maximum PIN Length

By enabling this option, you can set the maximum length of the characters that can be used by a user in a PIN. However, the range must be between 4 and 127, as permitted by Windows.

If you enter a number below 4, the following error is given:

Error prompt for PIN length below 4
Error prompt for PIN length below 4

Similarly, entering a number above 127 will result in the following:

Error prompt for PIN length greater than 127
Error prompt for PIN length greater than 127

Follow these steps to configure the maximum PIN length:

  1. Double-click the “Maximum PIN length” Group Policy.

    Maximum PIN length
    Maximum PIN length
  2. Select “Enabled” and then enter the maximum PIN length that you want to set.

    Configure maximum PIN length
    Configure maximum PIN length
  3. Now click Apply and Ok.

  4. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

Minimum PIN length

This option sets the minimum character length to be allowed to users when setting their PIN. Setting this to a number greater than 4 would increase the security of the PIN by making it more complex.

Here is how to configure it:

  1. Double-click the “Minimum PIN length” Group Policy.

    Minimum PIN length
    Minimum PIN length
  2. Select “Enabled” and then enter the minimum PIN length that you want to set.

    Configure minimum PIN length
    Configure minimum PIN length
  3. Now click Apply and Ok.

  4. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

Expiration

By enabling the Expiration Group Policy, the administrator can set a limit on a PIN to last. Meaning, any configured PIN will expire after the said number of days, and the user will then be prompted to create a new PIN.

The value can be set in the number of days from 0 to 730 (2 years). By default, the value is 0, which means that the PIN never expires.

An expired PIN simply needs changing, ensuring that the PIN is changed frequently. This makes your computer more secure in case a previous PIN combination was hacked/known.

  1. Double-click the “Expiration” Group Policy.

    PIN Expiration policy
    PIN Expiration policy
  2. Select “Enabled” and then enter the number of days after which the PIN will expire.

    Configure a PIN to expire
    Configure a PIN to expire
  3. Now click Apply and Ok.

  4. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

If you wish to change this setting in the future and not make the PINs expire, simply select “Disabled” or “Not Configured” from the Group Policy.

History

The History Group Policy, when enabled, does not allow the user to reuse the pre-set last number of PINs. Meaning, a user cannot use their old PIN again as their new PIN. The number of unusable past PINs can be configured from 1 to 50. Here’s how:

  1. Double-click the “History” Group Policy.

    History
    PIN usage History settings
  2. Select “Enabled” and then enter a number for PINs used in the past that are not allowed to be reused.

    Prevent reuse of old PINs
    Prevent reuse of old PINs
  3. Now click Apply and Ok.

  4. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

Require Special Characters

By enabling this option, users are bound to use special characters in their PINs. It would only make the PIN more secure by increasing its complexity level. Here is a list of the special characters that are allowed: ! ” # $ % & ‘ ( ) * + , – . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ .

  1. Double-click the “Require special characters” Group Policy.

    Require special characters
    Require special characters
  2. Select “Enabled” and then click Apply and Ok.

    Make special characters mandatory in PINs
    Make special characters mandatory in PINs
  3. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

Require Uppercase Letters

Similar to “Require lowercase characters”, you can also configure user PINs to have uppercase characters as well. This will also increase the complexity of the PINs created.

  1. Double-click the “Require uppercase letters” Group Policy.

    Require upper case letters
    Require uppercase letters
  2. Select “Enabled” and click Apply and Ok.

    Make a uppercase alphabet mandatory in PIN
    Make an uppercase alphabet mandatory in PIN
  3. Run the following cmdlet in an elevated Command Prompt to enforce the changes.

    GPUpdate /Force
    Update Group Policy enforcement
    Update Group Policy enforcement

These are all the PIN configurations that you can manage from the Group Policy settings.

However, if your system is registered with the Azure Active Directory of an enterprise, you can also use PIN recovery in case you forgot your PIN without losing any of your data.

Configuring PIN Recovery

Note that PIN recovery only works with devices registered with Azure Active Directory.

You can enable the “PIN Recovery” Group Policy early on to be able to recover your forgotten PIN. Here is how:

  1. Open the Group Policy editor by typing in “gpedit.msc” in the Run Command box.

    Open the Group Policy editor
    Open the Group Policy editor
  2. Navigate to the following from the left pane:

    Computer Configuration >> Adninistrative Templates >> Windows Components >> Windows Hello for Business
  3. Double-click the policy “Use PIN Recovery.”

    PIN Recovery
    PIN Recovery
  4. Select “Enabled,” then click Apply and Ok.

    Enable PIN recovery with Azure AD
    Enable PIN recovery with Azure AD
  5. Now run the following cmdlet in an elevated Command Prompt for the changes to take effect:

    GPUpdate /Force
    gpupdate force latest
    Enforce Group Policies

Closing Words

Using these options from the Group Policy Editor individually might not be as effective as using them in combination. For example, by making it mandatory for a PIN to have both upper and lowercase alphabets, as well as special characters and numerical characters, the PIN would become really complex to decode through social engineering.

However, a PIN should not be so complex that it cannot be differentiated from a regular password, as the main purpose of the Windows Hello PIN is to make it easier for people to log in to their accounts.

If you liked this post, Share it on:

Get Updates in Your Inbox

Sign up for the regular updates and be the first to know about the latest tech information

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).

Leave the first comment