Those of you who create a PIN to sign in to Windows in place of your password probably rely on a standard 4-digit number, but did you know that you can create a longer and more complex PIN? You can devise a PIN with 6, 8, 10, 12, or more digits. You can also create a PIN with letters and special characters as well as numbers. The trick is to pick a PIN that's as strong as possible but still easy enough to remember and enter each time. And if you're an IT administrator, you can control the PINs your users create via Group Policy.
Why create a Windows PIN in the first place when you already have a password? There are several reasons. A password is a reusable secret: when you sign in with a Microsoft account or a domain account, the password (or a hash derived from it) is verified by a server, so anyone who obtains it can sign in from any device. A Windows Hello PIN is bound to the device it was created on. It is never sent over the network and cannot be used anywhere else. On a PC with a Trusted Platform Module (TPM), the PIN itself is not stored anywhere; it unlocks a private key that is generated and held inside the TPM, and the TPM enforces anti-hammering so that an attacker cannot brute-force the PIN by trying guesses at speed. Windows also requires a PIN before it will enable any other Windows Hello method, such as fingerprint or facial recognition, so the PIN is the fallback when biometrics fail.
Even with the TPM limiting guesses, a 4-digit PIN has only 10,000 possible values and is easy to shoulder-surf. A PIN with 6 or more digits or characters is harder to guess or observe, and on a device without a TPM, where the key is protected in software only, PIN length and complexity matter even more.
You can establish your PIN when you first set up and customize Windows, but let’s assume you already have a PIN and want to change it to something more complex. To do this in Windows 10, go to Settings and then Accounts. Select the entry for Sign-in Options. In the PIN section for Windows Hello, click the Change button (Figure A).
At the Change Your PIN window, check the box to Include Letters And Symbols and then click the link for PIN Requirements (Figure B).
Unless your organization has changed the settings, the default requirements for a Windows Hello PIN are as follows (Figure C):
- The PIN must be at least four characters.
- The PIN can’t be longer than 127 characters.
- The PIN may include uppercase and lowercase letters.
- The PIN may include digits.
- The PIN may include special characters.
Now, devise a new PIN for your device using the default requirements. When creating a new PIN, think about how and where you use your computer or device. If it’s a desktop computer that you use at home or in your own isolated office, you can probably get by with a simpler PIN. If it’s a laptop that you use on the road or a business computer accessible by other people, then you’ll likely want a longer and stronger PIN.
In the Change Your PIN window, type your current PIN. Type and retype your new PIN. Click OK when you’re done (Figure D). You should sign out of Windows and then sign back in with your new PIN to test it.
IT administrators who use Group Policy can control the complexity of Windows PINs. To do this, review and enable certain settings. Open your Group Policy Editor or Group Policy Management Console. Navigate to the following node: Computer Configuration | Administrative Templates | Windows Components | Windows Hello For Business. You can configure your Windows Hello For Business policy settings here (Figure E).
Go to Computer Configuration | Administrative Templates | System | Logon. You can enable the policy for Turn On Convenience PIN Sign-in (Figure F). Note that this policy enables the older convenience PIN used on domain-joined PCs, which is separate from Windows Hello for Business.
Go to Computer Configuration | Administrative Templates | System | PIN Complexity where you can establish the requirements for the PINs your users can create (Figure G). On Windows 10 version 1703 and later, the same settings also appear under Windows Components | Windows Hello For Business | PIN Complexity, and that is the location to use for new deployments; the System | PIN Complexity node is kept for older builds.
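The following PowerShell is an added example, not code from the article or from Microsoft. It reads the PIN complexity policy in effect on the local machine, falls back to the defaults the article lists (minimum 4, maximum 127, every character class allowed) when no policy has been applied, and checks candidate PINs against both that policy and a stricter one an administrator might push. Two assumptions are not confirmed by the article and are marked in the code: that the policy values land under HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity, and that each character-class value uses the PassportForWork CSP encoding (absent or 0 = allowed, 1 = required, 2 = not allowed).

```powershell
# Added example (not from the article). Assumptions:
#  - Group Policy / MDM PIN complexity settings are written under this key (assumed)
#  - per-class values use the CSP encoding: absent/0 allowed, 1 required, 2 not allowed (assumed)
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'

function Get-HelloPinPolicy {
    # Start from the defaults the article lists; any value present in the registry overrides it.
    $policy = [ordered]@{
        MinimumPINLength  = 4     # at least four characters
        MaximumPINLength  = 127   # no longer than 127 characters
        Digits            = 0     # 0 allowed, 1 required, 2 not allowed
        LowercaseLetters  = 0
        UppercaseLetters  = 0
        SpecialCharacters = 0
    }
    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        foreach ($name in @($policy.Keys)) {
            if ($null -ne $props.$name) { $policy[$name] = [int]$props.$name }
        }
    }
    [pscustomobject]$policy
}

function Test-HelloPin {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [Parameter(Mandatory)]$Policy
    )
    $failures = @()
    if ($Pin.Length -lt $Policy.MinimumPINLength) { $failures += "shorter than $($Policy.MinimumPINLength)" }
    if ($Pin.Length -gt $Policy.MaximumPINLength) { $failures += "longer than $($Policy.MaximumPINLength)" }

    # Character classes as the policy groups them: digits, lowercase, uppercase, everything else.
    # -cmatch keeps the letter checks case-sensitive.
    $present = @{
        Digits            = ($Pin -cmatch '[0-9]')
        LowercaseLetters  = ($Pin -cmatch '[a-z]')
        UppercaseLetters  = ($Pin -cmatch '[A-Z]')
        SpecialCharacters = ($Pin -cmatch '[^0-9a-zA-Z]')
    }
    foreach ($name in $present.Keys) {
        $setting = [int]$Policy.$name
        if ($setting -eq 1 -and -not $present[$name]) { $failures += "$name required but absent" }
        if ($setting -eq 2 -and $present[$name])      { $failures += "$name not allowed" }
    }
    [pscustomobject]@{ Pin = $Pin; Valid = ($failures.Count -eq 0); Failures = ($failures -join '; ') }
}

# Constructed sample: the effective (or default) policy versus a hardened policy that
# requires at least 8 characters including a digit and a lowercase letter.
$effective = Get-HelloPinPolicy
$hardened  = [pscustomobject]@{
    MinimumPINLength = 8; MaximumPINLength = 127
    Digits = 1; LowercaseLetters = 1; UppercaseLetters = 0; SpecialCharacters = 0
}

$candidates = '1234', '20240101', 'r0ck3t!Go'
"Effective policy:"; $candidates | ForEach-Object { Test-HelloPin -Pin $_ -Policy $effective } | Format-Table -AutoSize
"Hardened policy:";  $candidates | ForEach-Object { Test-HelloPin -Pin $_ -Policy $hardened  } | Format-Table -AutoSize
```

Run it in an elevated or ordinary PowerShell session; reading HKLM policy keys does not need administrator rights. On a machine with no PIN policy applied, '1234' passes the effective (default) policy and fails the hardened one on length and the missing lowercase letter, '20240101' passes the default policy but fails the hardened one for lacking a lowercase letter, and 'r0ck3t!Go' passes both. Checking a candidate this way before rolling out a policy shows exactly which of your users' existing PINs would be rejected at their next change.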