Bewerken

Delen via


Windows LAPS passwords and passphrases

Learn about how passwords and passphrases are created for Windows Local Administrator Password Solution (Windows LAPS).

Overview

The primary purpose of Windows LAPS is regularly rotate the password of a local Windows account. It's important to understand how Windows LAPS generates random passwords (or random passphrases).

Password character sets

Windows LAPS supports five different complexity settings that can be used to generate random passwords. The PasswordComplexity policy setting is used to choose which character sets are used when creating a password.

PasswordComplexity setting Description Character sets
1 Large letters "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
2 Large letters + small letters "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

"abcdefghijklmnopqrstuvwxyz"
3 Large letters + small letters + numbers "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

"abcdefghijklmnopqrstuvwxyz"

"0123456789"
4 Large letters + small letters + numbers + specials "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

"abcdefghijklmnopqrstuvwxyz"

"0123456789"

",.-+;!#&@{}[]$/()%"
5 Large letters + small letters + numbers (improved readability) "ABCDEFGHJKLMNPRSTUVWXYZ"

"abcdefghijkmnpqrstuvwxyz"

"23456789"

"!#%+@:=?*"

When a complexity setting with multiple character sets is chosen, Windows LAPS ensures that the resultant password contains at least one character randomly chosen from each character set.

The length of passwords is controlled using the PasswordLength policy setting. Passwords created by Windows LAPS default to 14 characters in length, and can be configured to be anywhere from 8-64 characters in length.

Password complexity setting five is equivalent to password complexity setting four, with the following modifications made to improve readability and avoid confusion. The differences between setting four and setting five are as follows:

  • Removes the letters 'I', 'O', 'Q', 'l', and 'o'
  • Removes the numbers '0' and '1'
  • Removes the symbols ',', '.', '&', '{', '}', '[', ']', '(', ')', and ';'
  • Adds the symbols ':', '=', '?', and '*'

Important

The PasswordComplexity setting of '5' is only supported in Windows 11 24H2, Windows Server 2025 and later releases. It is not required to deploy any Windows Server 2025 domain controllers in order to use this new setting.

Passphrase word lists

Windows LAPS supports three different complexity settings that can be used to generate random passphrases. The PasswordComplexity policy setting is used to choose which word lists are used when creating a passphrase:

PasswordComplexity setting Description Number of words in list
6 Long words 7776
7 Short words 1276
8 Short words with unique prefixes 1276

The length of passphrases is controlled using the PassphraseLength policy setting. Passphrases created by Windows LAPS default to six words in length, and can be configured to be anywhere from three to 10 terms in length. The first character of each word is always capitalized for improved readability. No punctuation or other dividing characters are used between words.

Example of a passphrase created with six words taken from the "Long words" list:

SkiingProduceIdentifyStarlitOctaneDistress

Passphrase word lists were taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and are used under a CC-BY-3.0 Attribution license. The specific contents of all Windows LAPS passphrase word lists can be downloaded from Windows LAPS Passphrase Word Lists. Microsoft made slight modifications to the original word lists; all changes are detailed in the downloadable lists.

Important

Windows LAPS passphrase support is only supported in Windows 11 24H2, Windows Server 2025 and later releases. It is not required to deploy Windows Server 2025 domain controllers in order to use this new setting.

Entropy considerations

Windows LAPS creates truly random passwords and passphrases (no human bias is possible). It's therefore simple to calculate the resultant bits of entropy for a password\passphrase of a given length. The following table lists the resulting bits of entropy across a sample set of password\passphrase lengths.

The supported password complexity settings are listed across the top of the table, and password\passphrase lengths are listed down the left hand side. The entropy values for the default policy length settings are bolded:

PasswordComplexity setting ->

Password or passphrase length

V
1 2 3 4 5 6 7 8
3 39 31 31
4 52 41 41
5 65 52 52
6 78 62 62
7 90 72 72
8 38 46 48 51 48 103 83 83
9 42 51 54 57 54 116 93 93
10 47 57 60 63 60 129 103 103
11 52 63 65 70 66
12 56 68 71 76 72
13 61 74 77 82 78
14 66 80 83 89 84
20 94 114 119 126 120
40 188 228 238 253 240
60 282 342 357 379 360

At the higher end of the allowable length ranges, the entropy levels could be considered excessive for most normal IT environments. Consider that there's usually a security versus usability tradeoff involved. For example, it's difficult for human beings to read and type long and complex passwords. Switching to passphrases is a useful way to improve these issues while still retaining a reasonable amount of entropy. If maximizing security is a paramount concern you might instead consider alternative protections, for example maintaining the managed account in a disabled state by default.

See also

Next steps

Now that you understand how passwords and passphrases are created, take a look at these other sections.