April 20, 2014

Strict to be kind – Why Office 365 is tough on passwords

Tough guidelines for passwords are worth the hassle.

One of the most common gripes I hear from our customers when it comes to Office 365 is the lack of password control. Customers on Office 365 seem to have the perception that, since it’s their data and their accounts, they should be able to define the password policy.

That’s both true and false, so let’s address the issue step by step. First, let’s look at what the actual password policies are on Office 365. The default user password policy requirements are:

  • Eight to 16 characters
  • A combination of uppercase and lowercase letters
  • At least one number or symbol
  • No spaces, tabs or line breaks
  • Must not contain the username (i.e. the part of the sign-in address before the @ symbol)

When a password is reset, Office 365 provides a temporary password which must then be changed at the next sign-in. Passwords are set to expire every 90 days. This seems fairly rigid, and some of the complaints I’ve heard from customers are that they don’t want to be told how to manage their passwords by Microsoft.

While this appears to be a legitimate complaint, we need to step back and look at it from another point of view.

Office 365 is a shared platform that customers move to in order to gain advanced features, scalability, lower costs and so on. In doing so, certain liberties must be given up. One of these is the freedom to dictate the security policy that governs basic access to the system.

It is much like the laws that govern our country, state and even local suburb.

I liken public cloud password controls to smoking in a restaurant. While technically there is nothing to stop you lighting a cigarette and puffing to your heart’s (dis)content, you are in a shared environment, and laws have been put in place for the benefit of everyone; otherwise the second-hand smoke you create can contribute to another patron’s lung cancer.

It is the same with weak passwords. If you never change your password, or you keep it as simple as “password” or your own name, it is easy for someone to guess it, break into your account and potentially gain access to company data. Nor is a compromised account only your problem: mail sent from a legitimate Office 365 address is a convenient launch point for spam and phishing aimed at other tenants. So these password policies exist for the benefit of you, your business, and other users of Office 365.

However, you are not entirely at the mercy of Microsoft’s password policy; there is some flexibility (like a smoking garden at a bar). Using PowerShell, administrators can specify the password when resetting an account rather than accepting the generated temporary one, and can disable password expiration on individual accounts or on all accounts.
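As an added illustration, which is not code from the original post, the PowerShell session below shows the two adjustments just described together with the check that should accompany them. It assumes the MSOnline module (the Azure AD PowerShell module of that era), a tenant administrator account, and cloud-managed accounts; federated or directory-synced accounts take their password policy from the on-premises directory instead. The domain contoso.com, the user names, and the 180-day validity period are placeholders.

```powershell
# Added example (not from the original post): adjusting Office 365 password
# expiry and setting a password as an administrator with the MSOnline module.
# Assumptions: the module is installed, the session is run by a tenant
# administrator, and the accounts are cloud-managed (not federated/synced).
# contoso.com and the user names below are placeholders.

Import-Module MSOnline
Connect-MsolService            # prompts for tenant administrator credentials

$Upn = 'alice@contoso.com'

# 1. Look before you change: expiry flag and date of the last password change.
Get-MsolUser -UserPrincipalName $Upn |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp

# 2. Set a specific password instead of the generated temporary one.
#    Set-MsolUserPassword takes a plain string, so read it at run time rather
#    than hard-coding it; the complexity rules listed above still apply.
#    -ForceChangePassword $true keeps the "must change at next sign-in" step;
#    set it to $false only when the password is meant to stay as delivered.
$NewPassword = Read-Host -Prompt "New password for $Upn"
Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $NewPassword -ForceChangePassword $true

# 3. Exempt a single account (e.g. a service account with a long random
#    password that is rotated by other means) from the 90-day expiry.
Set-MsolUser -UserPrincipalName 'svc-scanner@contoso.com' -PasswordNeverExpires $true

# 4. The blanket version the post mentions: exempt every account in the tenant.
#    Think hard before running this; it removes the expiry for all users at once.
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true

# 5. A less drastic middle ground: keep expiry but lengthen the interval for a
#    domain (assumed to be available in the module version in use).
Set-MsolPasswordPolicy -DomainName 'contoso.com' -ValidityPeriod 180 -NotificationDays 14

# 6. Audit: list every exempted account, oldest password first, so the list
#    can be reviewed and trimmed periodically.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp

# 7. Put an account back under the normal expiry clock.
Set-MsolUser -UserPrincipalName $Upn -PasswordNeverExpires $false
```

Note that PasswordNeverExpires only switches off the 90-day clock for that account; the complexity rules are still enforced on any password an administrator sets. Keep the exempted list short and re-run the audit query from step 6 on a schedule, because an exemption granted for convenience tends to outlive the reason it was granted.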

However, before you disable password expiry in your Office 365 environment for the sake of convenience, think about the potential negative implications. A study a few years back in the UK found that 70 percent of people would hand over their password in exchange for a chocolate bar!

Password complexity and a change every 90 days might be a slight hassle for end users four times a year, but when it comes to protecting the business’s data, can you really afford to take that risk?

Loryan Strant is a Microsoft Office 365 MVP (Most Valuable Professional). Follow him on Twitter @TheCloudMouth.
