windows-itpro-docs
Password Max Length Guidance is No Longer Sufficient
As of March 2022, this page no longer meets the guidelines of NIST SP 800-62 Paragraph 5.1.1.2.
This guidance states "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length."
It is recommended that the guidance from Microsoft is updated to reflect the NIST guidance.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 9bcaf30b-7304-6874-ba5d-791cc4d435d2
- Version Independent ID: 961def9f-094a-3d1e-82a4-bb152c2e5a1e
- Content: Minimum password length (Windows 10) - Windows security
- Content Source: windows/security/threat-protection/security-policy-settings/minimum-password-length.md
- Product: m365-security
- Technology: windows-sec
- GitHub Login: @Dansimp
- Microsoft Alias: dansimp
Thanks @DenkertM for the feedback. I'm checking with the content owner, as it looks like there's been some previous discussions around this setting. For example, see #6947 (which references several others).
@DenkertM thank you for your contribution. Can you please elaborate how the article is not reflecting the NIST guidelines? I just updated the article with "Set Minimum password length to at least a value of 8". I'm not sure if you were referring to that sentence.
✅ "Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length"
Windows also allows passwords longer than 64 characters in length, so it fulfills the second NIST requirement ✅ "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length."
The article that you are pointing out is about Minimum password length.