https://www.microsoft.com/en-us/research/publication/password-guidance

This paper provides Microsoft’s recommendations for password management based on current research and lessons from our own experience as one of the largest Identity Providers (IdPs) in the world. It covers recommendations for end users and identity administrators. Microsoft sees over 10 million username/password pair attacks every day. This gives us a unique vantage point …

https://www.microsoft.com/.../wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Microsoft Password Guidance. Robyn Hicock, rhicock@microsoft.com, Microsoft Identity Protection Team. Purpose: This paper provides Microsoft’s recommendations for password management based on current research

https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations

Password guidance for your users. Here's some password guidance for users in your organization. Make sure to let your users know about these recommendations and enforce the recommended password policies at the organizational level. Don't use a password that is the same or similar to one you use on any other websites.

https://docs.microsoft.com/.../password-must-meet-complexity-requirements

A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. The use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in additional Help Desk requests.

https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy

Password Complexity. Password complexity policies are designed to deter brute force attacks by increasing the number of possible passwords. When password complexity policy is enforced, new passwords must meet the following guidelines: The password does not contain the account name of the user. The password is at least eight characters long.