How can we improve Azure Active Directory?

Allow Long Passwords

The current max password length is 16 chars; please make it larger.

https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

Longer is (Usually) Stronger section

source of current max length: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy

510 votes

Mike DePouw shared this idea

65 comments

  • Mark R commented

    This remains an issue?! How can any security professional at Microsoft look at themselves in the mirror in the morning with such a simple and obvious security that, apparently, is not a priority?

    My organization has to curtail our security enhancement plans because Microsoft can't keep up with what's best practice?

    Microsoft goes on and on about the security of the "Microsoft Cloud." Really?

    Does anyone with any authority at Microsoft ever even read this?

  • Shane commented

    We've been able to use 127-character passwords since Windows 2000; whatever the fundamental limitation is behind this really needs sorting out.

  • Anonymous commented

    Repeating for emphasis:

    The "NIST Special Publication 800-63B" that came out in June 2017, provides new guidance for passwords. From section 5.1.1.2 Memorized Secret Verifiers: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

  • Anonymous commented

    The O365 change-password page only allows 16 characters. The after-login "your password is expired" screen accepts any length; my password is now 40 chars long... Is there a way to access this frame without an expired password?

  • SB commented

    We need this ASAP. What is the timeline for more than 16 chars? As we build our applications on Azure AD in the ***** cloud and do business in Europe, this is a requirement during evaluations.

  • Kevin Leicht commented

    I want to add my vote to this. We want to implement pass phrases so need more than 16 characters, and the passwords must allow spaces as well.

  • Jeremy Sweetman commented

    What bothers me more than anything is that it uses a different set of rules than the regular Azure Active Directory. At the very least they should be made to use the same rules.

  • Anonymous commented

    The custom password complexity 'feature' mentioned here in public preview applies to Azure B2C. When can we expect to see the ability to customise password requirements in Azure AD on the whole for all users?

  • Jamie Tynan commented

    This limit of 16 characters would now mean that any company using MS Azure AD could not pass the Cyber Essentials security standard. This states that:

    For password-based authentication in Internet-facing services the Applicant must ... not set a maximum password length

    see https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure.html

  • Ted commented

    Windows Active Directory passwords have a 127 character limit, why is Azure Active Directory password character limit so low?

  • James commented

    Repeating for emphasis:

    The "NIST Special Publication 800-63B" that came out in June 2017, provides new guidance for passwords. From section 5.1.1.2 Memorized Secret Verifiers: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

  • Mitch Prince commented

    The "NIST Special Publication 800-63B" that came out in June 2017, provides new guidance for passwords. From section 5.1.1.2 Memorized Secret Verifiers: "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length"

  • Jim Lloyd commented

    Why has this not yet been addressed, already?
    In this day of password managers, sticking with password length window of 8 to 16 is low security, which convenience often seems to trump. Just adding two characters makes passwords thousands of times stronger. 10 to 20 would be an amazing jump in security. Imagine going to 32 or more...
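As an added example (not part of this thread and not Microsoft's code), here is a small verifier-side check in Python that contrasts a hypothetical 8-to-16-character policy with composition rules against one that follows the SP 800-63B section 5.1.1.2 guidance quoted in the comments above (floor of 8, ceiling no lower than 64, spaces allowed, blocklist instead of composition rules), together with the keyspace arithmetic behind the "thousands of times stronger" remark. The blocklist, the sample passphrase, the 95-character printable-ASCII alphabet and both policy functions are constructed for illustration only.

```python
import math
import unicodedata
from typing import Tuple

# Constructed blocklist standing in for a breached/common-password corpus
# (SP 800-63B 5.1.1.2 says verifiers SHALL compare against such a list). Illustration only.
BLOCKLIST = {"password", "password123", "letmein", "qwerty123", "welcome1"}

# Hypothetical legacy window: an 8-to-16 policy with composition rules, like the one
# the thread complains about. Not Azure AD's actual implementation.
LEGACY_MIN, LEGACY_MAX = 8, 16

# SP 800-63B 5.1.1.2: at least 8 characters, and the verifier SHOULD permit at least 64.
NIST_MIN, NIST_PERMIT_AT_LEAST = 8, 64


def normalize(secret: str) -> str:
    """NFKC-normalize before measuring, as 800-63B recommends, so a ligature or
    composed character counts the same however the client encoded it."""
    return unicodedata.normalize("NFKC", secret)


def length_in_code_points(secret: str) -> int:
    """Length in Unicode code points after normalization (not UTF-8 bytes)."""
    return len(normalize(secret))


def check_legacy(secret: str) -> Tuple[bool, str]:
    """The 'before': hard 16-character ceiling plus 3-of-4 character classes."""
    n = length_in_code_points(secret)
    if n < LEGACY_MIN:
        return False, "too short"
    if n > LEGACY_MAX:
        return False, "longer than %d characters" % LEGACY_MAX
    classes = (
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    )
    if sum(classes) < 3:
        return False, "needs 3 of 4 character classes"
    return True, "ok"


def check_nist(secret: str, max_len: int = 256) -> Tuple[bool, str]:
    """The 'after': length floor, a ceiling no lower than 64, spaces and all printing
    characters allowed, no composition rules, blocklist comparison instead."""
    if max_len < NIST_PERMIT_AT_LEAST:
        raise ValueError("ceiling must be at least %d" % NIST_PERMIT_AT_LEAST)
    s = normalize(secret)
    # Control characters are the one class it is reasonable to refuse; space (Zs) stays allowed.
    if any(unicodedata.category(c).startswith("C") for c in s):
        return False, "control characters not allowed"
    n = len(s)
    if n < NIST_MIN:
        return False, "too short"
    if n > max_len:
        return False, "longer than %d characters" % max_len
    if s.lower() in BLOCKLIST:
        return False, "commonly used or breached"
    return True, "ok"


def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """log2 of the number of possible strings; 95 = printable ASCII including space."""
    return length * math.log2(alphabet_size)


def keyspace_ratio(longer: int, shorter: int, alphabet_size: int = 95) -> int:
    """How many times larger the search space gets when the length ceiling rises."""
    return alphabet_size ** (longer - shorter)


if __name__ == "__main__":
    passphrase = "correct horse battery staple"  # constructed sample: 28 characters with spaces
    print("legacy:", check_legacy(passphrase))   # rejected: over 16 characters
    print("nist:  ", check_nist(passphrase))     # accepted
    print("16 -> 18 chars multiplies the keyspace by", keyspace_ratio(18, 16))
    print("bits at 16 / 64 chars: %.0f / %.0f" % (keyspace_bits(16), keyspace_bits(64)))
```

The point the code makes is that the ceiling, not the composition rules, is what blocks a password-manager-generated or passphrase-style secret: the 28-character passphrase fails the legacy check purely on length and passes the NIST-style one, while raising the ceiling from 16 to 18 already multiplies the search space by 95 squared, which is the "thousands of times" in the comment above. Measuring length in normalized code points rather than bytes is what keeps a 64-character floor meaningful for non-ASCII secrets.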

  • Robby De Laet commented

    There should be no limit on password length. I use a password manager (1Password), all my passwords are at least 64 chars. Concerning passwords, length matters.
