Comments on: Microsoft Recommending Non-Expiring Passwords to Office 365 Customers

By: Andy Cooke

Andy Cooke — Wed, 01 Jul 2020 08:56:16 +0000

I realise it’s an impost impossible task to keep everything updated. But I wondered if you wanted to maybe update or include a note to show that the password length was increased to 256. I was actually surprised it was limited to be honest and something I had not considered.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/removal-of-the-16-character-limit-for-passwords-in-azure-ad/ba-p/565275

By: Chato

Chato — Wed, 08 May 2019 07:25:39 +0000

In reply to Nailtrail.

As of April 2019, maximum password length now seems to support up to 256 characters.

https://techcommunity.microsoft.com/t5/Microsoft-365-Blog/What-s-new-in-Microsoft-365-user-management-for-April-2019/ba-p/542153

By: Jason Brantley

Jason Brantley — Mon, 11 Feb 2019 23:26:38 +0000

How about instead of recommending non-expiring passwords, maybe Office 365 should provide a way to send password expiration reminders via email or text to users, which would eliminate 95% of the issues that that I run into with expiring passwords. Right now they don’t work well, because their is not reminders and users constantly get locked out, not knowing their passwords have expired. Just stupid.

By: Multi-factor Authentication by Default for Administrators in Azure AD and Office 365 – SimpleITPro

Mon, 24 Sep 2018 19:03:29 +0000

[…] new Office 365 tenants, being flagged by Office 365 Secure Score, and being one of the general account security recommendations from […]

By: Craig Stodolenak

Craig Stodolenak — Fri, 16 Mar 2018 02:08:33 +0000

Interesting that the topic of password managers was never mentioned.

Or is this a “legacy” concept too? A password that doesn’t change is compromised security. Organizations commonly use online resources that are accessed by multiple members of their staff, where MFA wouldn’t really work, and no good way to track who has access to what.

A business-run password manager system for its staff allows for truly strong passwords, rotation, and lack of frustration. It teaches and reinforces use of password managers in their employees’ personal lives.

The NIST recommendations that made so much news were based on people NOT using password managers. With so many online services that we use nowadays, it’d be impossible to use unique strong passwords on every service you use without one, so why are we not driving users towards them?

By: Nailtrail

Nailtrail — Mon, 05 Mar 2018 11:16:36 +0000

Ah, finally a first step in the right direction. Now they have to get rid of the 16 character password limit and the requirement for mixed case passwords with numbers and we finally are up to modern standards.

By: Chris Foster

Chris Foster — Thu, 09 Nov 2017 22:58:47 +0000

I was surprised to see some of the new NIST recommendations around passwords. A summary can be found here: https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/ the full NIST publication can be found here: https://pages.nist.gov/800-63-3/sp800-63-3.html – Along with Microsoft, it is a bit of a deviation from the “old school of thought” around passwords and password policy management.