Microsoft goes to great lengths to polish Azure Active Directory's password policies

Get it? Lengths. Users now have 240 extra characters to play with

Doubtless with an eye on the current furore surrounding security and authentication, Microsoft has tweaked its Azure Active Directory policies to allow, er, longer passwords.

The limitation has been a vexing one for administrators for some time, since User Principal Names (UPNs) could be up to 113 characters, but cloud users were only allowed a maximum of 16 characters in their password.

On-premises AD admins have been able to smugly point to policies that allow for far more typo potential, but cloud users? Well, ThisIsMyPassw0rd was about your lot as far as length was concerned (note – that is a terrible, terrible password and if you're nodding in recognition, set fire to all your accounts).

Good news, however, as Microsoft has upped the limit to 256 characters (including spaces) from today meaning admins can now really vex users unable to use password managers.

The UK's National Cyber Security Centre (NCSC) has a bunch of tips around password policy including not slapping a cap on password length and, well, perhaps finding a way of avoiding peppering an organisation with the things through Single Sign-on systems or adding some extra security via Multi-Factor authentication (MFA.)


Microsoft: You looking at me funny? Oh, you just want to sign in


Microsoft Azure has a chequered history with MFA. Last November the service fell over, staggered to its feet then fell over again, like an overenthusiastic tourist at the Munich Oktoberfest.

Really Redmond would like passwords to be a thing of the past. Users still insist on choosing easy-to-guess examples and to that end the company has been pushing the likes of Windows Hello (the firm has recently had its appearance in the upcoming May 2019 Update of Windows 10 FIDO2 certified). Azure AD users have also been able to go password-less thanks to the Microsoft Authenticator app. Assuming Azure MFA is actually working, of course.

However, for those still dependent on a password, being able to enter some extra characters is a good thing. After all, when it comes to passwords, size matters. ®

Biting the hand that feeds IT © 1998–2020