While using https://login.microsoftonline.com/common/login I was prompted to update my password for a test account I was using.
The Update Your Password prompt read:
You need to update your password because this is the first time you are signing in, or because your password has expired.
No problem. So I entered my Current password and my new password twice, like so:
- Current Password: gesunTYE:?\^
- New Password: knsuqttgwhdTUTDZSJ637-!/-=#*#`|
- Confirm Password: knsuqttgwhdTUTDZSJ637-!/-=#*#`|
Notice that I wanted to increase my Office 365 password from 12 semi-random characters to 32 semi-random characters. Strangely, Microsoft didn’t like my new password even though it met all of their stated requirements.
The Update Your Password prompt then read:
Your new password must have at least 8 characters and can’t contain your user ID. It must contain at least three of the following: uppercase letters, lowercase letters, numbers, and symbols.
That’s strange. My new 32-character password meets all of these requirements:
- It is 32 characters long
- It does not contain my user ID
- It contains 7 uppercase letters
- It contains 11 lowercase letters
- It contains 3 numbers
- And it contains 11 symbols
The following passwords also did not work:
Maybe there is an unstated requirement, and my password is too long. It wasn’t until I shortened my password to just 16 semi-random characters that I was able to proceed.
Microsoft, I suggest you state this requirement by re-writing your prompt to read:
Your new password must have at least 8 characters, fewer than 17 characters, and can’t contain your user ID. It must contain at least three of the following: uppercase letters, lowercase letters, numbers, and symbols.
It would be helpful if all of the requirements were properly stated by Microsoft. It would be even better if there was not a maximum password length. Simply salt and hash my password to your desired length before storing it — then you should not care how many characters I decided to use.
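As an added illustration (not code from Microsoft or from the original post), the Python sketch below checks a password against the rules exactly as the prompt states them, then stores it as a salted PBKDF2-HMAC-SHA256 hash whose record is 48 bytes whatever the input length. The function names, the `testuser` ID, the 16-byte salt and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

SALT_LEN = 16          # assumed salt size in bytes
KEY_LEN = 32           # SHA-256 output size
ITERATIONS = 600_000   # assumed PBKDF2 work factor


def meets_stated_policy(password: str, user_id: str) -> bool:
    """Apply only the rules the prompt states; it names no maximum length."""
    if len(password) < 8:
        return False
    if user_id and user_id.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || derived key: always SALT_LEN + KEY_LEN bytes."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return salt + key


def verify_password(password: str, record: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, key = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    # Constructed sample passwords of 12, 16, 32 and 1000 characters.
    for pw in ("Ab1!" * 3, "Ab1!" * 4, "Ab1!" * 8, "Ab1!" * 250):
        print(len(pw), "chars ->", len(hash_password(pw)), "bytes stored")
```

A service that does keep an upper bound usually does so to limit hashing cost per request or because of the algorithm in use (bcrypt, for instance, only reads the first 72 bytes of input), and in that case the bound belongs in the prompt.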