More Than 8-Character Minimum Password Requirement
Allow for the current 8-character minimum requirement to be changed to something longer (i.e. – 10 or 12). Allowing for an 8-character minimum password length ensures mostly that.
Changing character density from 8 to 10 characters increases offline resilience from less than a day to almost two (2) decades, and 12 characters to over a thousand centuries [ref: Gibson Research Center’s ‘Haystack’ page - https://www.grc.com/haystack.htm ].
Allowing administrators the option of lifting this minimum not only forces users to create potentially more secure passwords, but also allows them to use them longer without needing to change them… potentially until there is reason to believe they have been compromised (i.e. – recent Equifax breach).
Slightly longer passwords that don’t need changing as frequently also increase the likelihood that users won’t physically post them in insecure locations for easy access and compromise. This thought process is echoed by Bill Burr, the creator of the 2003 NIST publication that we are currently following. He is backing a new proposal, SP800-63-3, that endorses now using long passwords that are easy to remember and changing them only when deemed compromised. [ref: https://www.nist.gov/itl/tig/projects/special-publication-800-63 ]
This is not to discount Luke Schwingler’s request to increase the maximum character length past 16. These should be considered with equal value. [ref: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/16436995-password-length ] There were similar suggestions, and this one has gained traction. I feel Microsoft should consolidate the counts of the similar suggestions into his and give his request more merit.
Having the ability of setting large complicated requirements (as well as MFA) is a good thing when there are organisation policies in place for having complex unique passwords for apps/sites that are then stored in secure password managers.
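The "less than a day / two decades / a thousand centuries" figures quoted in the proposal above can be reproduced with a short calculation. This is an added example, not code from the thread or from GRC; it assumes a 95-symbol printable-ASCII alphabet and an offline guessing rate of 100 billion guesses per second against a fast hash, and counts every string up to the given length the way the cited Haystack page does.

```python
# Added example: worst-case exhaustive-search time for 8-, 10- and 12-character
# passwords. Both constants below are assumptions chosen to match the GRC
# "offline fast attack" scenario; they are not stated anywhere in the thread.
ALPHABET_SIZE = 95          # printable ASCII: 26 upper + 26 lower + 10 digits + 33 punctuation/space
GUESSES_PER_SECOND = 1e11   # assumed offline rate against a fast, unsalted hash

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def search_space(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return alphabet ** length


def cumulative_search_space(max_length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """All strings of length 1..max_length: the whole 'haystack' an attacker who
    does not know the exact length has to cover."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def crack_time_seconds(length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust every candidate at `rate` guesses per second.
    This is an upper bound: dictionary and rule-based attacks, reused or leaked
    passwords and a slow salted hash all change the real picture. The point of
    the comparison is only how strongly length dominates that bound."""
    return cumulative_search_space(length) / rate


def describe(seconds: float) -> str:
    """Express a duration in the units the proposal uses (hours, years, centuries)."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 100:
        return f"{years:.1f} years"
    return f"{years / 100:,.0f} centuries"


if __name__ == "__main__":
    for length in (8, 10, 12):
        print(f"{length:2d} characters: {describe(crack_time_seconds(length))}")
```

Under these assumptions the three lengths come out at roughly 19 hours, 19 years and about 1,700 centuries, which is where the proposal's wording comes from.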
Jan Wyroda commented
Not being able to enforce passwords with a length > 8 is, simply put, an unnecessary security risk.
I think everything is shifting to longer, less complex passwords, coupled with MFA/2FA...or passwordless of course. We're having an issue meeting a mandated security standard because of this static minimum policy. I'm sure others are having the same issue. The minimum should be editable.
Need the option to set my minimum password to more than 8. We require at least 12. Why are all the other posts marked as complete when this has never been fixed? MS, stop closing out requests and creating new ones that are not created.
Let's move forward on this! How about spending less time on fluff and more on usability and stability!
IT guy commented
Simply allow admins to set the complexity level in the interface, like you do with days to expire the password.
Microsoft, please implement this feature so that I can force my users to use stronger, longer passwords.
Gene Painter commented
The latest NIST standards highly recommend a longer password, and I have financial industry clients that would like for it to be at least 14.
Thanks for keeping on making this a great product.
Jim Lloyd commented
Bump... I am new to this forum and am not sure if this pushes the post up the list in any way. But, I am posting to see if it does.
If you are one of those people who does not like coming up with a new 8-character password every 30, 60 or 90 days (whatever your policy is), consider this proposal! Consider the possibility of not changing a 10-character password for 6 months to a year... or a 12-character password for a year or two.
Office 365 is currently fixed to a minimum password length of 8 characters, and stops at 16. Most password managers default to 20, and can go higher. Both of these should be an option for admins.
Vote for my proposal to allow for raising the minimum password length to 10 or 12 characters! Vote for Luke's (see above link) proposal to allow for passwords longer than 16!