'Uncrackable' passwords introduced to Microsoft Azure

Responding to community feedback, Microsoft has raised the character limit of its passwords for Azure AD


Microsoft Azure has increased the character limit for passwords in Azure Active Directory from 16 to a massive 256 characters, making brute-force attacks much more difficult.

The limit has been a hot topic among Azure customers, who have been reminding Microsoft that its password limit was unsatisfactorily small.

"Many of you have been reminding us that we still have a 16-character password limit for accounts created in Azure AD," said Microsoft's Alex Simons. "While our on-premises Windows AD allows longer passwords and passphrases, we previously didn't have support for this for cloud user accounts in Azure AD."

"Today, I am pleased to announce that we have changed this limit, allowing you to set a password with up to 256 characters, including spaces," he added.

Passwords must still meet three out of the four essential criteria as set out in Microsoft's policy documentation.

  • Lowercase characters
  • Uppercase characters
  • Numbers (0-9)
  • Symbols (@ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;)

While account and password security are of paramount importance to IT users, Microsoft still won't force you to create an iron-clad password, keeping the minimum at just eight characters.

The difference between an eight-character password and a 256-character one is huge, according to howsecureismypassword.net, a website used to check how long it would take to brute-force a password.

We took three different passwords of varying lengths to see how long it would take to crack each of them. First up is 'Jazzily1', which meets the minimum length and adheres to three of Azure's four essential criteria. This would take just one month to crack, according to the website.

A middle-ground 137-character password would take 29,511,750,324 octogintillion years (quite a lot) to crack, and the 253-character password we used at the upper limit of Azure's allowance would take 'forever'.

Another way to look at hyper-secure passwords is Professor Bill Buchanan's take on 128-bit AES keys. He said that cracking a single key would take the energy required to boil every one of Earth's oceans 16,384 times.
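The policy and the 128-bit comparison above can be put on one scale with a short check; this is an added example, not Microsoft's code or the website's method. It assumes the symbol set is exactly the one listed in the article and that every character is chosen uniformly at random, so the bit count is an upper bound (a dictionary word plus a digit, such as 'Jazzily1', is far weaker than its bound suggests).

```python
import math
import string

# Symbol set exactly as listed in the article's policy bullet (30 characters).
SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();")
MIN_LEN, MAX_LEN = 8, 256  # limits stated in the article
CLASS_CHARS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": SYMBOLS,
}


def classes_used(password):
    """Return which of the four character classes appear in the password."""
    return {name for name, chars in CLASS_CHARS.items() if chars & set(password)}


def meets_policy(password):
    """Length within 8..256 and at least three of the four classes present."""
    return MIN_LEN <= len(password) <= MAX_LEN and len(classes_used(password)) >= 3


def alphabet_size(classes):
    """Number of distinct characters available across the given classes."""
    return sum(len(CLASS_CHARS[c]) for c in classes)


def search_space_bits(password):
    """log2(alphabet ** length): brute-force work if every character were random.

    Characters outside the four classes (such as spaces) are ignored here.
    """
    size = alphabet_size(classes_used(password))
    return len(password) * math.log2(size) if size else 0.0


def min_length_for_bits(classes, target_bits=128):
    """Shortest random password over these classes that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size(classes)))


if __name__ == "__main__":
    for pw in ("Jazzily1", "password", "Aa1!" * 4):  # constructed samples
        print(repr(pw), meets_policy(pw), round(search_space_bits(pw), 1))
    print("length needed for 128 bits:", min_length_for_bits(CLASS_CHARS))
```

Under these assumptions a fully random password over all four classes needs 20 characters to match a 128-bit key, which the old 16-character limit could not reach.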

In related news, Microsoft recently gained FIDO certification for Windows Hello, its Windows 10 authenticator, in the upcoming May 2019 upgrade, seemingly an embryonic first step towards a passwordless Windows.

Windows Hello will use facial recognition, fingerprint scanning and a secure PIN on more than 800 million Windows 10 devices starting next month, and is cross-compatible with other Microsoft services such as Office 365, OneDrive and more.

"Our work with FIDO Alliance, W3C and contributions to FIDO2 standards have been a critical piece of Microsoft's commitment to a world without passwords," said Yogesh Mehta, principal group program manager at Microsoft.

"No one likes passwords (except hackers)," he added. "People don't like passwords because we have to remember them. As a result, we often create passwords that are easy to guess - which makes them the first target for hackers trying to access your computer or network at work."

In the same May update, Microsoft will also stop enforcing its password expiration policies, which prompt users to change their passwords every few months.

The company's logic is that if users have to change passwords frequently, they will be more inclined to make only small changes or even start writing them down, a big security no-no.
