'Uncrackable' passwords introduced to Microsoft Azure

Responding to community feedback, Microsoft has raised the character limit of its passwords for Azure AD

Typing a secure password

Microsoft Azure has increased the character limit for passwords in Azure Active Directory from 16 to a massive 256 characters, making brute force hack attempts much more difficult.

It seems to be a hot topic for Azure customers who have been reminding Microsoft of its seemingly unsatisfactorily small limit for passwords.

"Many of you have been reminding us that we still have a 16-character password limit for accounts created in Azure AD," said Microsoft's Alex Simons. "While our on-premises Windows AD allows longer passwords and passphrases, we previously didn't have support for this for cloud user accounts in Azure AD."

"Today, I am pleased to announce that we have changed this limit, allowing you to set a password with up to 256 characters, including spaces," he added.

Passwords must still meet three out of the four essential criteria as set out in Microsoft's policy documentation.

  • Lowercase characters
  • Uppercase characters
  • Numbers (0-9)
  • Symbols (@ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ;)

While account and password security are of paramount importance to IT users, Microsoft still won't force you to create an iron-clad password, keeping the minimum allowance at just a mere eight characters.

The difference between an eight-character password and a 256 character one is huge, according to howsecureismypassword.net, a website used to check how long it would take to brute force a password.

We took three different passwords of varying lengths to see how long it would take to crack each of them. First up is 'Jazzily1', the minimum character requirement that adheres to three of Azure's four essential criteria. This would take just one month to crack, according to the website.

A middle ground 137-character password would take 29,511,750,324 octogintillion years (quite a lot) to crack, and the 253-character password we used at the upper limit of Azure's allowance would take 'forever'.

Another way to look at hyper-secure passwords is Professor Bill Buchanan's take on things regarding 128-bit AES keys. He said that in order to break one of these, it would take the energy required to boil every single one of Earth's oceans 16,384 times just to crack a single key.

In related news, Microsoft recently gained FIDO certification for its Windows 10 authenticator Windows Hello in the upcoming May 2019 upgrade, seemingly in an embryonic first step towards a passwordless Windows.

Windows Hello will use facial recognition, fingerprint scanning and a secure PIN number for more than 800 million Windows 10 devices starting next month - a service with cross-compatibility with other Microsoft services such as Office 365, OneDrive and more.

"Our work with FIDO Alliance, W3C and contributions to FIDO2 standards have been a critical piece of Microsoft's commitment to a world without passwords," said principal group program manager with Microsoft Yogesh Mehta.

"No one likes passwords (except hackers)," he added. "People don't like passwords because we have to remember them. As a result, we often create passwords that are easy to guess - which makes them the first target for hackers trying to access your computer or network at work."

In the same May update, Microsoft will also stop enforcing its password expiration policies which prompt users to change their passwords every few months.

The company's logic behind this came from the idea that if users are frequently changing passwords, they will be more inclined to just make small changes or even start writing them down; a big security no-no.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Malicious ‘Dependency Confusion’ packages are stealing password files
hacking

Malicious ‘Dependency Confusion’ packages are stealing password files

2 Mar 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

2 Mar 2021
What is cloud-to-cloud backup?
cloud backup

What is cloud-to-cloud backup?

1 Mar 2021
Lazarus APT hacking group is targeting the defense industry
Security

Lazarus APT hacking group is targeting the defense industry

26 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021