Password complexity the Office 365 way

Development | 06-09-2016

Microsoft show us how not to do password complexity

While doing some administration work (at work) on Office 365 I came across this lovely little gem of a complexity rule for Office 365 passwords:

Passwords can't contain your user ID and need to be at least 8 characters long with at least 3 of the following: upper-case letters, lower-case letters, numbers and symbols.

Now here's the thing. My standard password has (at least) 1 of everything listed. Upper-case? Several. Lower-case? Several. Numbers? Several. Symbols? Several. It doesn't, however, have 3 of each (obviously I'm not going to give the whole game away here! I use a rotation of related phrases, differing between accounts, to aid memory). Worth noting that it also spat out anything I tried that was longer than 16 characters.

To analyse: there's nothing wrong with "Passwords can't contain your user ID" at least, but the rest? 3 upper-case letters, 3 lower-case letters, numbers and symbols. I thought I'd be a little more scientific and a little less judgemental, and turned to the interwebs to tell me whether my normal password (part of the "Correct Horse Battery Staple" line of thought; there's always a relevant XKCD comic) or my Microsoft-enforced password was stronger.
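To make the rule quoted above concrete, here is an added example (not Microsoft's code, and not from the original post) that checks a candidate password against it and attaches a rough brute-force entropy estimate. It assumes the 16-character upper limit the author observed, counts spaces as symbols (the real service may not), treats the user-ID rule as a case-insensitive substring test, and uses a constructed user ID and constructed sample passwords.

```python
"""Check a candidate password against the Office 365 rule quoted in the post."""
import math
import string

# Assumption: 8-16 characters, per the quoted rule plus the author's observation.
MIN_LEN, MAX_LEN = 8, 16
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    # Assumption: space is treated as a symbol; the real service may differ.
    "symbol": set(string.punctuation + " "),
}


def character_classes(password: str) -> set:
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password: str, user_id: str) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if user_id and user_id.lower() in password.lower():
        problems.append("contains user ID")
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if len(character_classes(password)) < 3:
        problems.append("fewer than 3 character classes")
    return problems


def estimate_entropy_bits(password: str) -> float:
    """Naive brute-force entropy: log2(alphabet size) per character, where the
    alphabet is the union of the classes actually used. This is the model sites
    like howsecureismypassword use; it overstates a passphrase built from
    dictionary words, which a wordlist attack would find much faster."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample inputs, not the author's real passwords or user ID.
    for pw in ["correct horse battery staple", "Tr0ub4dor&3", "jdoe2016!"]:
        verdict = check_policy(pw, "jdoe") or "accepted"
        print(f"{pw!r}: {verdict}, ~{estimate_entropy_bits(pw):.0f} bits")
```

Run as a script, it shows the long lowercase passphrase being rejected on both length and class count while the short mixed-class string is accepted, which is the mismatch the post is complaining about.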

According to howsecureismypassword, my own password would take ~18 quadrillion years to crack. My Microsoft-enforced password? A reasonably respectable 7 million years. Still, not even close.

passwordmeter.com gave my own password a respectable 86% (although it doesn't accept spaces as symbols) while giving my new Office 365 password a 91%. Round 2, Microsoft.

Final round: Kaspersky's password checker. My password: 10000+ centuries (seems that's their maximum). Microsoft? A not-so-respectable 12 years. Worth noting that, according to Kaspersky, even the Tianhe-2 supercomputer would take close to 2 years to crack my password, but it's past my Office 365 password in 2 minutes flat. Hopefully the Chinese government doesn't want access to my Office 365 in that case.

So, 2-1 in my favour. However, there is one important thing to remember: I can actually remember my password despite its complexity. Enforcing the use of random symbols, number sequences or, as seen from other guilty parties, specific symbols and non-consecutive-character rules achieves only one thing: the average user writes the password down and sticks it to their monitor on a post-it note. Who wins when this is the case? Not the user.

By richard


Since I wrote this article I've had to reset my password three times in 365 meetings (which requires extra layers of authentication to do: mail and text) as I couldn't remember my passwords.

Since then they seem to have changed some complexity rules around resets, and I can now use the sort of passwords that any sane developer would enforce, and the world is a happier place again.

30-03-2017 12:06pm

