How can we improve Azure Active Directory?

Allow Long Passwords

The current max password is 16 chars, please make it larger.

https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

Longer is (Usually) Stronger section

source of current max length: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy

510 votes

Mike DePouw shared this idea

63 comments

  • Anonymous commented

    Repeating for emphasis:

    The "NIST Special Publication 800-63B" that came out in June 2017 provides new guidance for passwords. From section 5.1.1.2 Memorized Secret Verifiers: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

  • Anonymous commented

    The O365 change password only allows for 16 characters. The after-login-your-password-is-expired screen accepts any length. My password is now 40 chars long... Is there a way to access this frame without an expired password?

  • SB commented

    We need this ASAP. What is the timeline for more than 16 chars? As we build our applications on Azure AD in the ***** cloud and do business in Europe, this is a requirement during evaluations.

  • Kevin Leicht commented

    I want to add my vote to this. We want to implement pass phrases, so we need more than 16 characters, and the passwords must allow spaces as well.

  • Jeremy Sweetman commented

    What bothers me more than anything is that it uses a different set of rules than the regular Azure Active Directory. At the very least they should be made to use the same rules.

  • Anonymous commented

    The custom password complexity 'feature' mentioned here in public preview applies to Azure B2C. When can we expect to see the ability to customise password requirements in Azure AD on the whole for all users?

  • Ted commented

    Windows Active Directory passwords have a 127-character limit. Why is the Azure Active Directory password character limit so low?

  • James commented

    Repeating for emphasis:

    The "NIST Special Publication 800-63B" that came out in June 2017 provides new guidance for passwords. From section 5.1.1.2 Memorized Secret Verifiers: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

  • Mitch Prince commented

    The "NIST Special Publication 800-63B" that came out in June 2017 provides new guidance for passwords. From section 5.1.1.2 Memorized Secret Verifiers: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

  • Jim Lloyd commented

    Why has this not yet been addressed, already?
    In this day of password managers, sticking with a password length window of 8 to 16 is low security, which convenience often seems to trump. Just adding two characters makes passwords thousands of times stronger. 10 to 20 would be an amazing jump in security. Imagine going to 32 or more...

  • Robby De Laet commented

    There should be no limit on password length. I use a password manager (1Password), all my passwords are at least 64 chars. Concerning passwords, length matters.

  • Scarter commented

    My current Local AD password at my company is 30+ characters. I feel the limit on O365/Azure should be at least as long as one can do locally.
