Rethink your Microsoft 365 and AD password policy

by | Sep 8, 2021 | Business, Microsoft

Malicious hackers have an enormous trove of common passwords they can use to try and access your network. These lists demonstrate how weak common password choices tend to be. Some common examples of passwords highlight how important a password policy can be:


A small business employee has an average of 85 passwords that they will have to use at some point. Passwords must be managed in some way. 



We all know that the above examples are extremely weak passwords for a variety of reasons. Yet people continue to use and reuse these poor choices. Unfortunately, for some, it all comes out publicly when a popular website gets hacked. For example, when Ashley Madison had their big hack years ago, one of the most commonly used passwords was superman123. 

The historical standard (no longer recommended) has been to use a password that would be hard to guess and includes: 

  • Eight characters 
  • Upper and lowercase letters 
  • A mix of letters, numbers, and symbols 
  • Is changed every 90 days 

These password standards — still widespread in the small business world are somewhat flawed and should no longer be followed for two key reasons. 

Complexity requirements may have the opposite effect 

Firstly, research shows that these conventional complexity requirements make passwords easier to guess. While it does help prevent the use of some extremely weak passwords, it encourages common patterns that attackers are aware of and will take advantage of. When someone is attempting to gain unauthorized access to your technology they can easily account for patterns like capitalizing the first letter of the password or adding a number on the end which is what most people will do. It truly does not add much protection.

Secondly, enforcing regular password changes tends to further weaken password choices. Users will tend to reuse their old password with small changes like incrementing the number on the end, or they will just write it down and stick it on their monitor or place it under their keyboard. Password re-use is especially risky because if one application or website is compromised, then an attacker will have access to every website and service where that password is used potentially including your network.

So, what should a business leader do? 

So, what are you to do instead? We recommend that you modernize your Microsoft 365 and Active Directory environments with the following password guidelines.  

First, let go of the conventional password policy and instead focus on password length. A 12-character password is only slightly harder to create and remember than the old eight-character password, but mathematically is much more difficult to guess. With that, stop enforcing complexity requirements. Complex passwords should be encouraged, but not enforced by policy.

Additionally, stop password expiration policies and instead implement a policy where passwords are changed, when necessary, like in the event of a data breach, which you should be monitoring for. If a breach occurs at your organization, then have everyone change their password at the same time. 

Also, adopt a system for detecting and rejecting bad passwords. Microsoft 365 contains a feature in their Azure AD Premium P1 offering called Azure AD Password Protection where a password like “Password1234” may meet your 12-character minimum but will be rejected by the system and force the user to choose a better password. It uses a combination of factors like known password lists and things like the user’s name, your business name, or variations of those which would be easy to guess. This is exponentially more secure than conventional requirements and can also be configured to protect your local domain. If your business is not using 365 yet, you can protect Active Directory locally through tools such as Open Password Filter, although they are not as robust and require manual administration when compared to Azure AD Password Protection.

Multifactor Authentication 

Lastly, and most importantly, a good password policy is one that is backed up by multifactor authentication (MFA). The best password in the world is no match for MFA as it significantly increases the challenge for an attacker to gain access to your environment. Consider the analogy of a locked versus unlocked car in an underground parking lot. Most break-ins take advantage of complacency or forgetfulness of the car owner- similarly, your network is no longer considered an “easy target” once MFA is implemented, and most attackers will simply move on. Using MFA can even prevent your environment from being compromised in the event of a successful phishing attempt. The compromised password is no longer enough, by itself, to gain access to your environment. There are many, many ways to implement multifactor, whether through SMS, mobile apps, a physical time code token or something like a USB token, like YubiKey. There is always a solution that will meet your business needs. 

If you would like more information about password management and any other IT needs, contact us.