Office 365: Password Policy

gjacobse

One of the things that is relatively important to me is policies,.. and a password policy seems to be a good one to start with during the implementation of Office 365.

Currently my policy is users must change their passwords 90 days - quarterly - just four times a year. It is my belief that this is the longest it should go.

Today I received an email from a user asking it the policy could be change so that they are not changed so often.

My supervisor and I have yet to discuss this,.. he not only my supervisor but also a Human Resource member. He and I are in control of many of the security policies (security wise for physical building access and digital).

I don't see this being changed. But am curious as to NTGs and other users of Office 3565 Password policy.

Is ninety days to long?

Dashrender

I used to be the same... But over the past two years I've moved just requiring long passwords, like 10 or 12 or longer. Changing once a year or if they think it is compromised.

JaredBusch

I prefer a 12 month or non-expiring password but at least 16 characters long. Complexity can go fly a kite. Those only cause users to write things down.

Long, with multiple plain text words not obviously related to something about the user

Of course I also follow good practices and do not reuse passwords across sites.

Carnival Boy

@g.jacobse said:
just four times a year. It is my belief that this is the longest it should go.

Why? Not disagreeing, I'm just interested in the logic behind anyone's reason on expiration days. Any number seems quite arbitrary to me. What's the difference between 60. 90, 180, 245.4 etc etc

tonyshowoff

@Carnival-Boy said:

Why? Not disagreeing, I'm just interested in the logic behind anyone's reason on expiration days. Any number seems quite arbitrary to me. What's the difference between 60. 90, 180, 245.4 etc etc

They're roughly equivalent to months in terms of number of days. something people can also associate with quarters of the year or some other thing.

tonyshowoff

@JaredBusch said:

I prefer a 12 month or non-expiring password but at least 16 characters long. Complexity can go fly a kite. Those only cause users to write things down.

Finally! For a long time I thought I was the only person who enforced this policy. Even as a part of GPO on our domains I set it as minimum of 12 (due to the entropy at the time), but basically turned down the complexity. Even some of the more non-technical users have extremely complex passwords now that they don't need to write down, because I encourage four random words with maybe a number or two between them.

And hey, if you wanna get inventive with the spelling, go ahead, if it's easier for you to remember, helps against broad dictionary attack as well. More experienced people will try cracking passwords with multiple words and even numbers, especially these days, but obviously even some crap like (3fOe38!45b is not only easy to crack, but also hard to remember, and I'm still baffled as to why this is encouraged. I'm sure you're aware of this, but I'm just saying it for people who may not realise that complex to remember does not mean complex to guess.