Comment by Intermernet
15 days ago
This is a bit tricky as it couples the user's password with the disk encryption key. If a user changes the password they would then need to change the encryption key, or remember the previous (possibly compromised) password. A better option is to force the user to record a complex hash, but that's never going to be user friendly when it comes to the average computer user.
Basically, we need better education about the issue, but as this is the case with almost every contentious issue in the world right now, I can't imagine this particular issue will bubble to the top of the awareness heap.
The system handles these changes for the user automatically. The disk key is encrypted by user password, when user changes the password, the system completes disk key rollover automatically. Which means it will decrypt key with old password and then encrypt key with new password.
Windows also allows you to reset your user password via Microsoft, which complicates things a little
In practice, there's some bugs around this. There's no way to force Windows to update your password when you change it via Microsoft; I went through the password change due to Microsoft locking my Microsoft account, and Windows didn't update the password locally until I played around with group policy settings (that I'd never touched before) for password expiry and signed in via PIN and rebooted a dozen times (over the course of about 2 weeks).
The encryption key for the drive never changes. The key is just re-encrypted when you change your password.