Microsoft has finally come to the conclusion that, as far as passwords are concerned, size really does matter after all. Alex Simons, vice-president of program management at Microsoft’s Identity Division, has announced a long-overdue and very big change in password policy for cloud user accounts in Azure AD. How big? How does 256 characters sound? This comes hot on the heels of Microsoft confirming that it intends to replace passwords altogether for Windows 10 users, and of its scrapping of periodic password expiration from the Windows 10 security baseline settings.
“Many of you have been reminding us that we still have a 16-character password limit for accounts created in Azure AD,” Simons says, “while our on-premises Windows AD allows longer passwords and passphrases, we previously didn’t have support for this for cloud user accounts in Azure AD.” That limit has now been lifted: passwords of up to 256 characters, spaces included, can be set. It hasn’t escaped the notice of some users that, while this is a long overdue move away from outdated password recommendations, the announcement comes at a point when many are already moving to passwordless Azure AD sign-in via the Microsoft Authenticator app, which uses key-based authentication with the user’s credential bound to the device rather than a shared secret.
However, it isn’t all good news if you ask me. According to the updated Azure password policy documentation, the minimum password length can still be as low as eight characters. I asked ethical hacker John Opdenakker for his opinion regarding password length. “Length is important and the longer the better,” Opdenakker says, “but I’d say for public sites a minimum length of at least 10 or 12 is recommended.” While admitting this is something of a trade-off between security and usability, Opdenakker points out that “yes, higher minimum length is more secure (it’s all about doing the math) but it gives a lot of users a hard time.” He also agrees with me that for internal company accounts like Azure AD you should require longer minimum lengths.
Ultimately though, security is all about layering defense, and passwords alone should not be relied upon. So while Google has a minimum password length of eight characters, it also “checks where you logged in from and several other layers of defense,” according to Opdenakker. Then there’s the complexity argument: organizations such as the National Institute of Standards and Technology (NIST, in SP 800-63B) and the National Cyber Security Centre (NCSC) no longer recommend composition rules for passwords. “The reasoning behind this is that requiring at least one number and one special character results in bad passwords,” Opdenakker explains, “users will opt for passwords like P@ssw0rd which fulfil the complexity requirements.”
Yet Azure AD’s policy still imposes a composition rule (a mix of character classes drawn from upper case, lower case, numbers and symbols) despite this best practice advice being generally accepted throughout the security world. Eliza Kuzmenko from Microsoft says that “we have heard the feedback for removing the password character complexity requirement,” and while there are multiple moving parts to making this work, “it is on the radar.”
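To make the two arguments above concrete (Opdenakker’s “doing the math” on minimum length, and the way a composition rule waves through a password like P@ssw0rd while a long passphrase fails it), here is an added example. It is not code from this article, from Microsoft or from Azure AD; it models two policies side by side. The first is a composition-style rule of the kind Azure AD still enforces, using the eight-to-256 character window from the documentation; the “three of four character classes” test and the decision that spaces count toward length but not as a symbol are assumptions made for the demo. The second is a length-first rule in the spirit of NIST SP 800-63B, with no composition requirement and a small constructed banned list checked after leet substitutions are undone. The sample passwords and banned list are constructed for the demo.

```python
"""Compare a composition-style password policy with a length-first, NIST-style one."""
import math
from typing import Tuple

# Alphabet sizes for the keyspace arithmetic (assumption: 95 printable ASCII
# characters for a "complex" password, 26 for a lowercase-only passphrase).
PRINTABLE_ASCII = 95
LOWERCASE_ONLY = 26

# Constructed banned list for this demo; a real deployment would check a
# breach corpus of millions of entries, not a handful of literals.
BANNED = ("password", "qwerty", "letmein", "welcome", "admin")

# Common leet substitutions, undone before the banned-list check so that
# P@ssw0rd collapses to "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of work for exhaustive search: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def complexity_policy(pw: str, min_len: int = 8, max_len: int = 256) -> Tuple[bool, str]:
    """Composition-style rule like the Azure AD one described in the article:
    a length window plus a character-class mix. The "three of four classes"
    test is an assumption for this demo; spaces count toward length but not
    as a symbol."""
    if not min_len <= len(pw) <= max_len:
        return False, f"length {len(pw)} outside {min_len}-{max_len}"
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() and not c.isspace() for c in pw),
    )
    if sum(classes) < 3:
        return False, f"only {sum(classes)} of 4 character classes"
    return True, "ok"


def nist_style_policy(pw: str, min_len: int = 12, max_len: int = 256) -> Tuple[bool, str]:
    """Length-first rule in the spirit of NIST SP 800-63B: no composition
    requirement, spaces allowed, reject anything containing a banned word
    once case and leet substitutions are normalised away."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len}"
    if len(pw) > max_len:
        return False, f"longer than {max_len}"
    normalised = pw.lower().translate(LEET)
    for word in BANNED:
        if word in normalised:
            return False, f"contains banned word {word!r} after normalisation"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, each exercising one policy's blind spot.
    samples = ["P@ssw0rd", "P@ssw0rd2019!", "Tr0ub4dor&3",
               "correct horse battery staple", "a" * 257]
    for pw in samples:
        print(f"{pw[:32]:<32} complexity={complexity_policy(pw)} nist={nist_style_policy(pw)}")
    # Opdenakker's "doing the math": each extra character multiplies the search space.
    for length, alphabet in ((8, PRINTABLE_ASCII), (12, PRINTABLE_ASCII), (28, LOWERCASE_ONLY)):
        print(f"{length} chars from a {alphabet}-symbol alphabet: "
              f"{keyspace_bits(length, alphabet):.1f} bits")
```

Running it shows the mismatch the article is getting at: P@ssw0rd satisfies every class the composition rule asks for, while the 28-character lowercase passphrase fails it outright; the length-first rule rejects P@ssw0rd (and a padded P@ssw0rd2019!) because the leet-normalised form contains a banned word, and accepts the passphrase. The keyspace figures are the other half of the argument: going from an eight- to a 12-character minimum over printable ASCII adds roughly 26 bits of brute-force work, and a lowercase-only passphrase of 28 characters outstrips both.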