Please increase the maximum password length from 16 to at least 64 characters
Increase maximum password length to 64 characters. 16 characters is way too few. NIST Special Publication 800-63B Digital Identity Guidelines (June 2017) recommends all systems that require passwords allow at least 64 character passwords. This request is urgent in that Office365 is the system which limits my organization's ability to implement password best practices - putting ALL apps at risk.

4 comments
-
Jeroen Brouwer commented
I've been able to create admin and user accounts with 32 char passwords, but the 16 char limitation still applies to guest accounts. And I can't enforce MFA on guest accounts.
Why is there an upper limit if you're going to hash passwords anyway?
-
Anonymous commented
I wish I could vote this up 1000x. With the recent MFA incidents that left me locked out of Office 365 Administration, I created a global admin account without MFA. I was shocked that I couldn't secure it with more than a 16 character password. For an account with the keys to the castle (and NO MFA) to have such a short password makes me nervous.
-
Fettouhi commented
I am totally behind this. I have had a case with MS about the fact that I have been able to set a 24 character password since the day I started using O365 (Exchange Online). This week they launched a new update to the portal and when I tried to log in to check mail it was saying I was typing in the wrong password. I made it clear to the support team I am not typing it in; I use LastPass to generate my password and have MFA enabled. To get access again I had to reset my password and limit it to a max of 16 characters.
The support team tells me it should not have been possible for me to have more than 16 and only AD integrated accounts can have a higher number of characters. These days 16 characters is nothing and can be hacked pretty fast. There should be no maximum. Keep the minimum to 7 and let the admin of the tenant decide how long it is. Security should be better for all your systems and these settings have not been updated in ages.
-
Emad commented
Increase maximum password length to 64 characters.