More Than 8-Character Minimum Password Requirement
Allow for the current 8-character minimum requirement to be changed to something longer (i.e. – 10 or 12). Allowing for an 8-character minimum password length ensures mostly that.
Changing character density from 8 to 10 characters increases offline resilience from less than a day to almost two (2) decades, and 12 characters to over a thousand centuries [ref: Gibson research Center’s ‘Haystack’ page - https://www.grc.com/haystack.htm ].
Allowing administrators the option of lifting this minimum not only forces users to create potentially more secure passwords, but also allows them to use them longer without needing to change them… potentially until there is reason to believe they have been compromised (i.e. – recent Equifax breach).
Slightly longer passwords that don’t need changing as frequently, and increases the likelihood users won’t physically post them in insecure locations for easy access and compromise. This thought process is echoed by Bill Burr, the creator of the 2003 NIST publication that we are currently following. He is backing a new proposal, SP800-63-3, that endorses now using long passwords that are easy to remember and changing them only when deemed compromised. [ref: https://www.nist.gov/itl/tig/projects/special-publication-800-63 ]
This is not to discount Luke Schwingler’s request to increase the maximum character length past 16. These should be considered with equal value. [ ref: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/16436995-password-length ] There were similar suggestions, and this one has gained traction. I feel Microsoft should consolidate the counts of the similar suggestions into his and give his request more merit.
Gene Painter commented
The latest NIST standards highly recommend a longer password, and I have financial industry clients that would like for it to be at least 14.
Thanks for keeping on making this a great product.
Jim Lloyd commented
Bump... I am new to this forum and am not sure if this pushes the post up the list in any way. But, I am posting to see if it does.
If you are one of those people who does not like coming up with a new 8-character password every 30, 60 or 90 days (whatever your policy is), consider this proposal! Consider the possibility of not changing a 10-character password for 6 months to a year... or a 12 character password for a year or two.
Office 365 is currently fixed to a minimum password length of 8 characters, and stops at 16. Most password managers default to 20, and can go higher. Both of these should be an option for admins.
Vote for my proposal to allow for raising the minimum password length to 10 or 12 characters! Vote for Luke's (see above link) proposal to allow for passwords longer than 16!