Microsoft goes to great lengths to polish Azure Active Directory's password policies Doubtless with an eye on the current furore surrounding security and authentication, Microsoft has tweaked its Azure Active Directory policies to allow, er, longer passwords. The limitation has been a vexing one for administrators for some time, since User Principal Names (UPNs) could be up to 113 characters, but cloud users …
This will stop one of my biggest user complaints. When they have to change their password every sixty days they would soon get to ThatIsMyPassw9rd y the usual method of just adding '1' to the number each expiry date. Once there 'the cloud' does not accept ThatIsMyPassw10rd as it was too long so we had to reduce the previous password check down to the last 9 to allow them to roll back over to '0' again. Now they can keep going right up to ThisIsMyPassw99999999999999999...{241}rd.
We might even be able to get down to weekly password expiry now to make us super-safe.
My irritation with password systems is that they all have different requirements. I've seen a number that won't allow special characters, meaning I have to change the random generator in my password manager to make the password weaker.
Still, a 16 character maximum is daft. Glad it has finally been binned.
I say no. Ordinary text has about one bit's worth of variation per letter. And most password inputs would require that you are word and punctuation perfect. I'd predict you fluffing it even in a Shakespeare sonnet. "My mistress' eyes are nothing, like the sun."
My method is to take random generated letters and then invent a mnemonic for them. That makes them more memorable but not less random. Too bad if you get all X and Z, but you have that risk in Scrabble although there aren't so many of the tricky ones.
This post has been deleted by its author
20 characters is certainly not enough for any password generated by Diceware (which is the only way i know of generating truly random passwords).
AES-128 is fine though. It can't be brute-forced with computers the size of solar systems running for the current age of the universe. We only need AES-256 if anyone ever gets a quantum computer running with hundreds of qbits. (A quantum algorithm effectively halves the length of the key and something with a 64-bit key _can_ be brute forced by a sufficiently well resourced and motivated attacker.)
QM computation? I've often wondered if the current attempts will hit a probabilities problem.
IIRC QM computation outputs probabilities of the solution, and also may contain "noise". While we can reduce some of it, AFAIK no one has proposed reducing all of it. So for computation of QM/natural systems, it's fine, it converges to the average you wish to find in finite time, and the exact answer in infinite time.
I guess if you can get close enough to a AES-128 key then 1 or 2 bits incorrect and you can test a few 100 or 1000s iterations of the key, so long as it takes a short enough time to be economically viable and still useful.
There are types of key/encryption that are hardened against QM types of computation. I guess we will migrate to those (plus QM communications/key sharing as no actual "information" is sent through QM) as soon as a working prototype is shown by Google etc.
We wanted to make ours long but this was the issue. The other issue is, I don't know if this fixes it, is a space at the beginning of a password. AD accepts it, Azure doesn't. So I was trying to work out for a while why a user couldn't login to Outlook which ignores the AD version and looks at what it is on Azure.
Hilarious, that of all the required fields, "password" was limited to 16 characters.
I've got users who can't enter their last names with just 16 characters.
Real issue: Remembering and Typing Execution (of which 6 characters is probably too long)
Enigma had a non-randomness flaw, and was broken after a fortnight or so. But these "new" schemes are doomed to password failure right away, by "Forcing users to choose non-random passwords" -- i.e., "You cannot choose your characters at random, you must select mixed case and numeric and etc. etc." Is anyone listening? No, of course not. Back to your phone and sexting or whatnot. You're all doomed by gross ignorance.
"But these "new" schemes are doomed to password failure right away, by "Forcing users to choose non-random passwords" -- i.e., "You cannot choose your characters at random, you must select mixed case and numeric and etc. etc."
Which is why length of the password is substituted for the randomness of individual characters to increase entropy.
Your point is valid for excessively short passwords combined with rules like "one upper case, one lower case, one number and one symbol" but once you go beyond 30 characters, the entropy should still be sufficient to resist most brute force efforts and any common patters would still make it unlikely to simplify the search space significantly.
This assumes the password is in use for the coming 2-3 years and viable quantum computing that is orders of magnitude faster than current systems doesn't becomes available .
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
