back to article Microsoft goes to great lengths to polish Azure Active Directory's password policies

Doubtless with an eye on the current furore surrounding security and authentication, Microsoft has tweaked its Azure Active Directory policies to allow, er, longer passwords. The limitation has been a vexing one for administrators for some time, since User Principal Names (UPNs) could be up to 113 characters, but cloud users …

  1. Aladdin Sane Silver badge
    Flame

    Back in a bit

    I'm off to follow instructions and set fire to all my accounts.

    1. Ima Ballsy
      Facepalm

      Re: Back in a bit

      Mw tooo with R0cknRo11er

      1. theblackhand

        Re: Back in a bit

        You forgot something...actions nothing without a decent soundtrack....

        https://www.youtube.com/watch?v=dsM4FM3MiK0

    2. MiguelC Silver badge

      Re: Back in a bit

      Yeah, just changed mine to ThatIsMyPassw0rd

      I have no idea how they found about the old one, though...

      1. Anonymous Coward
        Anonymous Coward

        Re: Back in a bit

        This will stop one of my biggest user complaints. When they have to change their password every sixty days they would soon get to ThatIsMyPassw9rd y the usual method of just adding '1' to the number each expiry date. Once there 'the cloud' does not accept ThatIsMyPassw10rd as it was too long so we had to reduce the previous password check down to the last 9 to allow them to roll back over to '0' again. Now they can keep going right up to ThisIsMyPassw99999999999999999...{241}rd.

        We might even be able to get down to weekly password expiry now to make us super-safe.

  2. Velv Silver badge
    Coat

    But still limited to mandating only the four types of character :(

    Why can't we force users to include Cyrillic and other characters in their password, full BOFH mode :)

    1. Aladdin Sane Silver badge

      Kept on summoning Cthulhu whenever I entered my password.

    2. Captain Scarlet Silver badge
      Stop

      Please don't give "security" people any more ideas, I already have no idea wth my password is now having to rely on KeePass as I just can't remember more than 3 long passwords before my head explodes.

      1. Dave K Silver badge

        My irritation with password systems is that they all have different requirements. I've seen a number that won't allow special characters, meaning I have to change the random generator in my password manager to make the password weaker.

        Still, a 16 character maximum is daft. Glad it has finally been binned.

        1. fidodogbreath Silver badge

          I know of a large insurance and financial provider (which shall remain nameless) that has an 8 character limit on passwords. Even Password1 is too long for them.

      2. TechnicalBen Silver badge

        Shakespear optional...

        Though possibly too common. I have wondered about using a common (or rare but obtainable) book to just take a page out of for a long password.

        It's got to be more memorable, but also contain a lot of entropy(?) for a password string.

        1. Robert Carnegie Silver badge

          Re: Shakespear optional...

          I say no. Ordinary text has about one bit's worth of variation per letter. And most password inputs would require that you are word and punctuation perfect. I'd predict you fluffing it even in a Shakespeare sonnet. "My mistress' eyes are nothing, like the sun."

          My method is to take random generated letters and then invent a mnemonic for them. That makes them more memorable but not less random. Too bad if you get all X and Z, but you have that risk in Scrabble although there aren't so many of the tricky ones.

        2. Velv Silver badge
          Joke

          Re: Shakespear optional...

          This is just such a REALLY bad idea. It really wouldn’t take the infinite monkeys very long at all to brute force your password.

      3. This post has been deleted by its author

  3. Woodnag

    Interesting

    Yet Bitlocker is limited to 20 characters maximum, AES-128 is default, and settings have to be changed before encryption to go AES-256 and/or use non-alphabet.

    1. MJB7 Bronze badge

      Re: Interesting

      20 characters is certainly not enough for any password generated by Diceware (which is the only way i know of generating truly random passwords).

      AES-128 is fine though. It can't be brute-forced with computers the size of solar systems running for the current age of the universe. We only need AES-256 if anyone ever gets a quantum computer running with hundreds of qbits. (A quantum algorithm effectively halves the length of the key and something with a 64-bit key _can_ be brute forced by a sufficiently well resourced and motivated attacker.)

      1. TechnicalBen Silver badge

        Re: Interesting

        QM computation? I've often wondered if the current attempts will hit a probabilities problem.

        IIRC QM computation outputs probabilities of the solution, and also may contain "noise". While we can reduce some of it, AFAIK no one has proposed reducing all of it. So for computation of QM/natural systems, it's fine, it converges to the average you wish to find in finite time, and the exact answer in infinite time.

        I guess if you can get close enough to a AES-128 key then 1 or 2 bits incorrect and you can test a few 100 or 1000s iterations of the key, so long as it takes a short enough time to be economically viable and still useful.

        There are types of key/encryption that are hardened against QM types of computation. I guess we will migrate to those (plus QM communications/key sharing as no actual "information" is sent through QM) as soon as a working prototype is shown by Google etc.

      2. Scott 26

        Re: Interesting

        Minute Physics has a great video to why QM Computing is a danger to online encryption, even I was able to follow about a 1/3 of what he was saying: https://www.youtube.com/watch?v=lvTqbM5Dq4Q

  4. steviebuk Silver badge

    Finally

    We wanted to make ours long but this was the issue. The other issue is, I don't know if this fixes it, is a space at the beginning of a password. AD accepts it, Azure doesn't. So I was trying to work out for a while why a user couldn't login to Outlook which ignores the AD version and looks at what it is on Azure.

  5. jake Silver badge

    Am I the only one who parsed that as ...

    ... "with an eye on the current folklore surrounding security and authentication"?

  6. Ken Moorhouse Silver badge

    ...as Microsoft has upped the limit to 256 characters (including spaces)

    You don't need a password keeper any more, just use a presidential tweet and refer to it by number. For example:-

    http://www.trumptwitterarchive.com/

    1. Anonymous Coward
      Anonymous Coward

      Re: ...as Microsoft has upped the limit to 256 characters (including spaces)

      Soon to be proven RND generator?

  7. Anonymous Coward
    Anonymous Coward

    Security gets more characters, how'd they find that in the budget?

    Hilarious, that of all the required fields, "password" was limited to 16 characters.

    I've got users who can't enter their last names with just 16 characters.

    Real issue: Remembering and Typing Execution (of which 6 characters is probably too long)

  8. Garry Perez

    My Welsh mate

    Can now us Llanfair­pwllgwyngyll­gogery­chwyrn­drobwll­llan­tysilio­gogo­goch as his password

  9. dalethorn

    Enigma had a non-randomness flaw, and was broken after a fortnight or so. But these "new" schemes are doomed to password failure right away, by "Forcing users to choose non-random passwords" -- i.e., "You cannot choose your characters at random, you must select mixed case and numeric and etc. etc." Is anyone listening? No, of course not. Back to your phone and sexting or whatnot. You're all doomed by gross ignorance.

    1. theblackhand

      "But these "new" schemes are doomed to password failure right away, by "Forcing users to choose non-random passwords" -- i.e., "You cannot choose your characters at random, you must select mixed case and numeric and etc. etc."

      Which is why length of the password is substituted for the randomness of individual characters to increase entropy.

      Your point is valid for excessively short passwords combined with rules like "one upper case, one lower case, one number and one symbol" but once you go beyond 30 characters, the entropy should still be sufficient to resist most brute force efforts and any common patters would still make it unlikely to simplify the search space significantly.

      This assumes the password is in use for the coming 2-3 years and viable quantum computing that is orders of magnitude faster than current systems doesn't becomes available .

  10. Jou (Mxyzptlk)

    Lengh more important than complexity

    This xkcd should not be left out...

    https://xkcd.com/936/

    1. Vimto

      Re: Lengh more important than complexity

      I've had that one pinned on my wall for ages, and point people to it on a regular basis.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019