Password policy for all services assigned to a service user (Hosted Exchange, O365, Hosted Sharepoint etc) within the Control Panel are set to strong. When you apply strong password quality level, this mechanism will not allow admins/users to use passwords that do not meet the requirements defined for this level. If a password is weak, the error message will be shown. The password checking is performed every time a user enters or changes passwords.
The password quality mechanism distinguishes four types of keyboard characters that are used for password creation:
- Uppercase letter - the letter entered in the upper case. For example, 'A', 'V'.
- Lowercase letter - the letter entered in the lower case. For example, 'a', 'v'.
- Numerics - the digit character.They are 1,2,3,4,5,6,7,8,9 and 0.
- Special character - any non-alphanumeric character. For example, '#', '&', '!'.
The mechanism uses English vocabulary. It checks against commonly used words, as well as personal info provided for the account and does not allow to use them for some password quality levels.
Our password level:
Strong - The minimum length for the password is 7 characters of different types (uppercase and lowercase letters, numerics, special characters). Avoid using dictionary words, personal information and keyboard sequences.
The table below shows the password minimum string lengths (number of characters) depending on the character types used in it for a given password quality level.
4 character classes
3 character classes
2 character classes
1 character class
Minimum required password length
Note: Password is a pass phrase if it consists of at least 3 different words with digits special symbols as a delimiter between each pair of words. In this case, password may be 11 symbols long and consist of only two character classes.
Additional requirements for a password
Only printable ASCII characters are allowed within a password; using UNICODE is unacceptable.
Generally, basing a password on a login name is not allowed, but if the rest of the password is still strong enough then the whole password will be accepted.
When calculating the number of character types, upper-case letters used as the first character and digits used as the last character of a password are not counted. For example, the password 'Atu157!' will not work, because it starts with the upper-case 'A', though password 'aTu157!' will pass the quality check.
The password length contributes more to the password strength than a number of character classes used in it.
Weak passwords are listed below together with the messages displayed by POA:
- Password: 123
Message: The password is too short.
- Password: 1q2w3e4r
Message: Password of this length should contain more different character classes, like upper and lower case letters, numeric or special symbols. Passwords made of symbols of one character class are forbidden. Try making longer password or adding symbols of other types.
- Password: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
Message: The password is too simple. Ensure that the password does not contain repeated character sequences. Add characters of different classes, like upper and lower case letters, numeric or special symbols.
- Password: 1fish23.
Message: The password is word-based but too short for pass phrase. Either do not use words in password, or make it longer with characters of different classes, like upper and lower case letters, numeric or special symbols.
- Password: iAmadmin12
Message: The password is based on personal information.
- Password: abc1234.
Message: The password is based on common sequence of characters and it is not looks like a pass phrase. Avoid using keyboard key sequences. Add characters of different classes, like upper and lower case letters, numeric or special symbols.<