Passwords - Bad Policy


I recently attempted to change my password from the simple dictionary password originally given to me to a real secure password, only to be told 13 characters max?!? Really? 13 MAX?!

This leads me to conclude that the password standards are lax and one or more of the following are likely true:
the passwords are being stored in the clear
the passwords are not being hashed correctly (salted)

It cannot be that you are concerned with storage or computational overhead.

I would argue that if my password is 64 characters of gibberish (using all character sets), then I would not have to change my password every 60 days (though it wouldn't hurt). There is no point in enforcing rules on a weak policy. If the password is max 13 characters, then even generating a brute force attack will take MAGNITUDES of centuries LESS than if I could use a REAL password.

If you were storing the password correctly, it wouldn't matter if the password I entered was more than 13 characters, because if it were being hashed and salted with SHA-256, then the result would be 64 characters (is that right, I may be rusty there...).

I ask you to change your rules and review your policy. If 'this' is a third party entrusted with other people's/companies' security, do it right.
Regards,
Robert Huttinger

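The point the post makes, that a properly salted and hashed password produces a fixed-size stored record no matter how long the password is, shown as an added example (not code from the post or from the product it complains about). It assumes PBKDF2-HMAC-SHA256 with a sample iteration count and per-user random salt; the sample passwords are constructed placeholders.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Assumed parameters for this example, not the vendor's real settings.
ITERATIONS = 200_000   # sample work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # 128-bit random salt, generated per user


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'. A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def stored_record_length(password: str) -> int:
    """Characters needed to store the record: 32 (salt) + 1 ('$') + 64 (digest) = 97, for any password length."""
    return len(hash_password(password))


def keyspace_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy in bits of a uniformly random password over the 95 printable ASCII characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample passwords: one at the 13-character cap, one of 64 characters.
    short_pw = "Tr0ub4dor&3!x"
    long_pw = "".join(chr(33 + (i * 7) % 94) for i in range(64))
    for pw in (short_pw, long_pw):
        print(f"{len(pw):2d}-char password -> {stored_record_length(pw)}-char record, "
              f"~{keyspace_bits(len(pw)):.0f} bits of keyspace")
    assert verify_password(short_pw, hash_password(short_pw))
    assert not verify_password(long_pw, hash_password(short_pw))
```

The stored record is 97 characters for both inputs, so a length cap buys nothing on the storage side, while the 13-character limit shrinks a random password's keyspace from roughly 420 bits to roughly 85.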