How many characters should a password have in order to be considered safe?
Office 365 limits the password length for users not synchronized with on-premises Active Directories to 16 characters. Can this be considered safe?
Office 365 administrators need to be aware that the new Administrative Tools do not show a warning when a new user is created. When an initial password is pasted into the text box, no warning is displayed, but the password itself has already been shortened to 16 characters automatically.
The summary page shows the shortened password after the new user has been created. The administrator needs to pay close attention to the status summary to notice the shortened password.
When logging in for the first time, the user experience is different. The user is notified that the password cannot exceed 16 characters.
Microsoft should rethink the limitation of 16 characters to enhance the security level for user login.
In May 2019, Microsoft introduced a change to Azure AD to support passwords with a length of 256 characters.