Introduction
As the admin of an organization, you’re responsible for setting password policy for users in your organization. Setting password policy can be complicated and confusing, and this article provides recommendations to make your organization more secure against password attacks.
Password recommendations
Maintain an 8-character minimum length requirement (longer isn’t necessarily better)
Don’t impose character composition requirements (for example, requiring symbols such as *&(^%$)
Don’t require mandatory periodic password resets for user accounts
Ban common passwords, to keep the most vulnerable passwords out of your system
Educate your users to not re-use their organization passwords for non-work related purposes
Enforce registration for multi-factor authentication
Enable risk-based multi-factor authentication challenges
Don’t use a password that is the same or similar to one you use on any other websites
Don’t use a single word (for example, password) or a commonly used phrase (for example, Iloveyou)
Make passwords hard to guess, even by those who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use
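The list above can be enforced at the point where a password is set. The following is an added example (not Microsoft's code, and not how Azure AD implements its banned-password list) showing the three checks that can be automated: the 8-character minimum with no composition rules, a banned-common-passwords list that still catches the usual "P@ssw0rd2024!" style variations, and a check for personal information such as the username. The banned list, the substitution table and the personal details are constructed sample data.

```python
"""Password screening per the recommendations above (added example).

Rejects a candidate password if it is shorter than 8 characters, matches a
banned common password after normalizing trivial variations, or contains a
personal term such as the username. No character-composition rule is applied.
"""
from __future__ import annotations

# Constructed sample banlist; a real deployment would load a much larger list.
BANNED_COMMON_PASSWORDS = {
    "password", "iloveyou", "qwerty", "letmein", "welcome", "abc123",
    "football", "monkey", "dragon", "sunshine", "12345678",
}

MIN_LENGTH = 8  # the 8-character minimum recommended above

# Common substitutions that do not make a banned word any stronger
# (constructed table for this example).
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
_TRAILING_NOISE = "0123456789!@#$%^&*()_+-=.,?"


def normalize(password: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo substitutions,
    so that 'P@ssw0rd2024!' normalizes to 'password'."""
    core = password.lower().rstrip(_TRAILING_NOISE)
    return core.translate(_LEET)


def check_password(password: str, personal_terms: list[str]) -> list[str]:
    """Return the reasons the password is rejected; an empty list means accepted."""
    reasons: list[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in BANNED_COMMON_PASSWORDS or password.lower() in BANNED_COMMON_PASSWORDS:
        reasons.append("matches a banned common password")
    lowered = password.lower()
    for term in personal_terms:
        t = term.lower()
        # Short terms (initials, two-digit years) would match too often.
        if len(t) >= 3 and t in lowered:
            reasons.append(f"contains personal information ({term!r})")
    return reasons


if __name__ == "__main__":
    # Constructed sample user details for the personal-information check.
    user_terms = ["jsmith", "1985", "Rover"]
    for candidate in ["P@ssw0rd2024!", "jsmith1985!", "short", "correct horse battery staple"]:
        verdict = check_password(candidate, user_terms) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that the checker accepts a long passphrase with no symbols or digits, which is exactly what the "no composition requirements" recommendation intends; the normalization step is what keeps users from satisfying the banlist check with a digit or symbol appended to a banned word.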
Password Expiration Policy
By default, MS365 passwords do not expire, and users tend to keep using the same password, which could compromise organization security.
Below is how to configure the password expiration policy for MS365 users:
- Open the MS365 admin center
- Select Settings
- Org Settings
- Privacy
- Password expiration policy
Azure AD Password Policy
In Azure Active Directory (Azure AD), there’s a password policy that defines settings like:
- password complexity
- password length
- password age
There’s also a policy that defines acceptable characters and length for usernames.
When self-service password reset (SSPR) is used to change or reset a password in Azure AD, the password policy is checked; if the password doesn’t meet the policy requirements, the user is prompted to try again.
Azure administrators have some restrictions on using SSPR that differ from those for regular user accounts.
A password policy is applied to all user accounts that are created and managed directly in Azure AD. Some of these password policy settings can’t be modified.
By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. The user is locked out for one minute. Further incorrect sign-in attempts lock out the user for increasing durations of time.
Smart Lockout Tracking
Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior will not cause the account to lock out. You can define the smart lockout threshold and duration.
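To make the behaviour described in this section and the lockout paragraph above concrete, here is an added simulation (not Microsoft's implementation) of a per-account lockout counter: it ignores repeats of the last three bad password hashes, locks the account after a configurable threshold (default 10) for a configurable initial duration (default one minute), lengthens the lockout on each successive lockout, and resets on a successful sign-in. The doubling of the duration is an assumption chosen for the example; the page only says the durations increase. Time is passed in explicitly so the behaviour can be exercised offline, and `correct_password` stands in for whatever credential verifier a real system would call.

```python
"""Smart lockout simulation (added example, not Azure AD's implementation)."""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field


def _hash(password: str) -> str:
    # Only used to recognise a repeated bad password within one account's
    # recent-attempt window; never used to store the credential.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AccountLockoutState:
    failed_attempts: int = 0
    locked_until: float = 0.0
    lockouts: int = 0  # number of times this account has been locked so far
    # Last three bad password hashes, as described above.
    recent_bad_hashes: deque = field(default_factory=lambda: deque(maxlen=3))


class SmartLockout:
    def __init__(self, threshold: int = 10, base_duration: float = 60.0):
        self.threshold = threshold          # lockout threshold (default 10 attempts)
        self.base_duration = base_duration  # initial lockout duration in seconds (default 1 minute)
        self._accounts: dict[str, AccountLockoutState] = {}

    def _state(self, user: str) -> AccountLockoutState:
        return self._accounts.setdefault(user, AccountLockoutState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def attempt(self, user: str, password: str, correct_password: str, now: float) -> str:
        """Process one sign-in attempt at time `now` (seconds).

        Returns 'locked', 'success', 'ignored_repeat' or 'failure'.
        """
        st = self._state(user)
        if now < st.locked_until:
            # Even the correct password is rejected while the account is locked.
            return "locked"
        if hmac.compare_digest(password.encode(), correct_password.encode()):
            # Successful sign-in resets the counter, the lockout history
            # and the recent-hash window.
            st.failed_attempts = 0
            st.lockouts = 0
            st.recent_bad_hashes.clear()
            return "success"
        h = _hash(password)
        if h in st.recent_bad_hashes:
            # Same bad password as one of the last three: do not count it again.
            return "ignored_repeat"
        st.recent_bad_hashes.append(h)
        st.failed_attempts += 1
        if st.failed_attempts >= self.threshold:
            # Lock the account; the duration doubles with each successive
            # lockout (assumed escalation schedule for this example).
            st.lockouts += 1
            st.locked_until = now + self.base_duration * (2 ** (st.lockouts - 1))
            st.failed_attempts = 0
            return "locked"
        return "failure"


if __name__ == "__main__":
    sl = SmartLockout()
    # Constructed scenario: the same wrong password typed repeatedly never locks.
    print([sl.attempt("alice", "wrong", "correct horse", now=float(i)) for i in range(12)])
    # Ten distinct wrong passwords lock the account for one minute.
    print([sl.attempt("bob", f"guess{i}", "pw", now=float(i)) for i in range(10)])
    print("bob locked at t=30:", sl.is_locked("bob", 30.0), " at t=69:", sl.is_locked("bob", 69.0))
```

The two scenarios in the `__main__` block are the ones the text describes: a user who keeps retyping a cached or mistyped password does not trigger a lockout, while ten distinct wrong passwords do, and the duration grows on the next lockout.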