The default state of the PIN is for simple numerical characters between 4 and 127. However, this can be changed to keep the quick sign-in option (PIN) while increasing the security of your computer. Before we begin showing you how to manage the different properties of your Windows Hello PIN, it is important to understand why you should make it a bit more complex.
How a Complex PIN Enhances Security
When we talk of a “complex PIN,” we do not just mean a lengthy one. It means that it could have special characters, numbers, a minimum length, and both upper and lower-case alphabets.
How a Complex PIN Enhances Security How to Set Up Windows Hello PIN How to Manage Windows Hello PIN Complexity using Group Policy Require Digits Require Lowercase Letters Maximum PIN Length Minimum PIN length Expiration History Require Special Characters Require Uppercase Letters Configuring PIN Recovery Closing Words
Let’s assume that you have configured a 4-digit regular PIN on your Windows computer that only includes numbers. In the case of a Brute force attack where an algorithm tries all combinations for your PIN, it will normally take the software to crack your code rather quickly. In an example, it was found that it takes a robot only 20 hours to insert all 10,000 possible PIN combinations with 4 digits. However, if the number was raised from 4 digits to 6 digits, it will increase the time taken to crack the PIN significantly. Now imagine you added alphabets too, and special characters, and increased the minimum PIN length to 8. The number of possible combinations would be too much for an algorithm to execute, hence enhancing your system’s security in case of a Brute force attack. That said, you may be wondering why not configure a regular password and not a complex PIN since it becomes the same thing. Well, PINs are local to the device. Meaning, if you are using a Microsoft account to sign in, and your PIN is compromised, the attacker would only be able to access your PC. However, if your password is compromised, the attacker will gain access not only to your account but all other devices that you are signed in to. Therefore, it is important to use a PIN and configure it to be a little more complex than standard on a Windows PC.
How to Set Up Windows Hello PIN
Before we begin to manage the characteristics of the PIN, let us show you how you can create a sign-in PIN for your account on Windows 11/10. Often users prefer creating this right after a fresh Windows installation, as it is more convenient to sign in to their accounts. Plus, a PIN is much easier to remember. Follow the steps below to configure a PIN sign-on: You have now successfully configured the Windows PIN Sign-on. If at any point you want to change or remove the PIN, simply navigate back to the Sign-in Options settings page and click on the given options. Note that the PIN should be at least 4 digits long if you have left the settings to their default. You may also check the box next to “Include letters and symbols” to make the PIN alpha-numeric.
How to Manage Windows Hello PIN Complexity using Group Policy
When configuring the Windows Hello PIN, a user is presented with minimal options to change. For example, all the options they have are the lengths of the PIN, and whether to make it alpha-numeric. However, using the Group Policy Editor in Windows, you can change the requirements for which an essential PIN should be. If you are using the Windows Home edition, then you will need to explicitly download and install the Group Policy Editor. There are several options you can configure from the Group Policy Editor to manage your PIN requirements. We have listed and discussed the different Group Policies that you can control to make your system more secure through PIN complexity. First, open the Group Policy Editor by typing in “gpedit.msc” in the Run Command box, then navigate to the following from the left pane: You are then presented with a number of options to configure. Let’s cover each Group Policy one by one so you understand what they are used for and how to configure them.
Require Digits
Enabling this option makes it mandatory for the user to use at least one digit in the PIN. Previously, by checking the box next to Include letters and symbols, users could create a PIN entirely out of alphabets. A sysadmin can make sure users insert a number into their PIN to make it more secure by enabling this policy. Follow these steps to enable the requirement of digits inside a PIN: Configuring a new PIN will now make the use of digits mandatory. To disable this property, all you must do is Disable or Not Configure the policy.
Require Lowercase Letters
As the title depicts, this option lets the users ensure that there is at least one lowercase letter in the PIN that is created. You can enable this by following these steps:
Maximum PIN Length
By enabling this option, you can set the maximum length of the characters that can be used by a user in a PIN. However, the range must be between 4 and 127, as permitted by Windows. If you enter a number below 4, the following error is given: Similarly, entering a number above 127 will result in the following: Follow these steps to configure the maximum PIN length:
Minimum PIN length
This option sets the minimum character length to be allowed to users when setting their PIN. Setting this to a number greater than 4 would increase the security of the PIN by making it more complex. Here is how to configure it:
Expiration
By enabling the Expiration Group Policy, the administrator can set a limit on a PIN to last. Meaning, any configured PIN will expire after the said number of days, and the user will then be prompted to create a new PIN. The value can be set in the number of days from 0 to 730 (2 years). By default, the value is 0, which means that the PIN never expires. An expired PIN simply needs changing, ensuring that the PIN is changed frequently. This makes your computer more secure in case a previous PIN combination was hacked/known. If you wish to change this setting in the future and not make the PINs expire, simply select “Disabled” or “Not Configured” from the Group Policy.
History
The History Group Policy, when enabled, does not allow the user to reuse the pre-set last number of PINs. Meaning, a user cannot use their old PIN again as their new PIN. The number of unusable past PINs can be configured from 1 to 50. Here’s how:
Require Special Characters
By enabling this option, users are bound to use special characters in their PINs. It would only make the PIN more secure by increasing its complexity level. Here is a list of the special characters that are allowed: ! ” # $ % & ‘ ( ) * + , – . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ .
Require Uppercase Letters
Similar to “Require lowercase characters”, you can also configure user PINs to have uppercase characters as well. This will also increase the complexity of the PINs created. These are all the PIN configurations that you can manage from the Group Policy settings. However, if your system is registered with the Azure Active Directory of an enterprise, you can also use PIN recovery in case you forgot your PIN without losing any of your data.
Configuring PIN Recovery
Note that PIN recovery only works with devices registered with Azure Active Directory. You can enable the “PIN Recovery” Group Policy early on to be able to recover your forgotten PIN. Here is how:
Closing Words
Using these options from the Group Policy Editor individually might not be as effective as using them in combination. For example, by making it mandatory for a PIN to have both upper and lowercase alphabets, as well as special characters and numerical characters, the PIN would become really complex to decode through social engineering. However, a PIN should not be so complex that it cannot be differentiated from a regular password, as the main purpose of the Windows Hello PIN is to make it easier for people to log in to their accounts.
