Microsoft has published
recommendations for password management based on current research and lessons
from its own experience as one of the largest Identity Providers (IdPs) in the
world. The guidance covers recommendations for end users and for identity administrators.
Microsoft sees over 10 million
username/password pair attacks every day, which gives it a unique vantage point
for understanding the role of passwords in account takeover. The guidance provided here is scoped to users of Microsoft's identity platforms (Azure Active
Directory, Active Directory, and Microsoft account), though it generalizes to
other platforms.
Summary of Recommendations
Advice to IT Administrators
Azure Active Directory and Active Directory allow enterprises to support these recommendations:
1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
2. Eliminate character-composition requirements.
3. Eliminate mandatory periodic password resets for user accounts.
4. Ban common passwords, to keep the most vulnerable passwords out of your system.
5. Educate your users not to re-use their password for non-work-related purposes.
6. Enforce registration for multi-factor authentication.
7. Enable risk-based multi-factor authentication challenges.
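As an added example (not code from Microsoft's paper or its products), the following Python check applies recommendations 1, 2 and 4 to a proposed password: an 8-character minimum, no composition rule, and rejection of passwords that are a banned word or a thinly disguised variant of one. The banned list, the leetspeak substitution table and the 5-point threshold are assumptions; the scoring is loosely modelled on the scheme Microsoft documents for Azure AD Password Protection, where each banned substring found and each remaining character counts one point.

```python
"""Password-acceptance check that enforces recommendations 1, 2 and 4 above.

Added example: this is not code from Microsoft's paper. The normalization
table, banned list and the 5-point threshold are assumptions, loosely
modelled on the scoring Microsoft documents for Azure AD Password Protection
(each banned substring counts 1 point, each other character 1 point).
"""

MIN_LENGTH = 8   # recommendation 1: 8-character minimum, nothing longer required
MIN_SCORE = 5    # assumed threshold for the banned-word score below

# Constructed banned list. In production this would be a global list of
# common/leaked passwords plus the organization's own terms (brand names etc.).
BANNED_WORDS = {
    "password", "princess", "iloveyou", "qwerty", "letmein",
    "welcome", "contoso", "summer",
}

# Substitutions attackers routinely try, undone before matching (assumed table).
SUBSTITUTIONS = str.maketrans("0134578@$!", "oleastbasi")


def normalize(password: str) -> str:
    """Lower-case and undo leetspeak so 'P@ssw0rd' and 'password' compare equal."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str) -> int:
    """Score a candidate: 1 point per banned word found, 1 per remaining character.

    Each banned substring is stripped once it is counted, so 'password1' is
    worth 1 (password) + 1 ('l') = 2 rather than 9.
    """
    remaining = normalize(password)
    points = 0
    # Longest words first so a longer banned word is not broken up by a shorter one.
    for word in sorted(BANNED_WORDS, key=len, reverse=True):
        while word in remaining:
            remaining = remaining.replace(word, "", 1)
            points += 1
    return points + len(remaining)


def evaluate(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Recommendation 2: deliberately no upper/lower/digit/symbol composition rule.
    s = score(password)
    if s < MIN_SCORE:
        return False, f"too close to a banned password (score {s} < {MIN_SCORE})"
    return True, f"accepted (score {s})"


if __name__ == "__main__":
    for candidate in ("short7", "P@ssw0rd!", "Iloveyou123",
                      "correcthorsebatterystaple"):
        print(f"{candidate!r:30} -> {evaluate(candidate)}")
```

Running it shows why "P@ssw0rd!" is rejected even though it would satisfy a classic complexity rule, while the all-lowercase "correcthorsebatterystaple" is accepted: length and distance from the banned list matter, character composition does not.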
Advice to Users
Create a unique password for your Microsoft account
The security of a
Microsoft account matters for several reasons. Personal, sensitive
information such as emails, contacts, and photos may be associated with the
account. In addition, other services may rely on the account's email address to
verify the user's identity. If someone gains access to that email, they may be able
to take over the user's other accounts too (such as banking and online shopping) by
resetting their passwords by email.
User tips for creating a strong and unique password:
Don’t use a password that is the same as or similar to one you use on any other website. A cybercriminal who can break into that website can steal your password from it and use it to take over your Microsoft account.
Don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g. “Iloveyou”).
Do make your password hard to guess even for people who know a lot about you: avoid the names and birthdays of your friends and family, your favorite bands, and phrases you like to use.
Keep the security info up to date
Current security info (like an alternate email address or
phone number) helps Microsoft verify the user's identity if they forget their password or
if someone else tries to take over their account. Microsoft never uses this info to spam
the user or to try to sell them something.
Watch for suspicious activity
The Recent activity page helps the user to track unusual or
suspicious activity. The user can see their latest sign-ins and changes to their
account. If they see something wrong or unfamiliar, they can click "This wasn’t
me" and Microsoft will take the user through a few steps to change their password and
review the security info on their account.
Turn on two-step verification
Two-step verification boosts account security by making it
more difficult for hackers to sign in—even if they know or guess the user's password.
If the user turns on two-step verification and then tries to sign in
on a device Microsoft doesn’t recognize, Microsoft will ask the user for two things:
The user's password.
An extra security code.
Microsoft can send a new security code to the user's phone or their
alternate email address, or they can get one through an authenticator app on
their smartphone.
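The decision behind recommendation 7 and the behaviour described just above (a correct password entered from a device Microsoft does not recognize still triggers a second factor) can be sketched as a small policy engine. The following is an added example, not Microsoft's code; the three risk signals it uses, their thresholds, and the sample sign-in events are assumptions chosen to illustrate the idea.

```python
"""Risk-based step-up decision for sign-ins (added example; not Microsoft's code).

A second factor is demanded when the password is correct but the sign-in
looks risky. The signals, thresholds and sample events below are assumptions:
an unrecognized device, a burst of recent failed attempts, and a change of
country faster than travel would allow.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_WINDOW = timedelta(minutes=30)   # assumed
FAILURE_THRESHOLD = 5                    # assumed
TRAVEL_WINDOW = timedelta(hours=2)       # assumed


class StepUpPolicy:
    def __init__(self):
        self.known_devices = defaultdict(set)   # user -> {device_id}
        self.last_success = {}                  # user -> (country, time)
        self.failures = defaultdict(list)       # user -> [time of failed attempt]

    def decide(self, user, device_id, country, at, password_ok):
        """Return (decision, reasons); decision is 'deny', 'mfa' or 'allow'."""
        if not password_ok:
            self.failures[user].append(at)
            return "deny", ["wrong password"]

        reasons = []
        if device_id not in self.known_devices[user]:
            reasons.append("unrecognized device")

        recent = [t for t in self.failures[user] if at - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            reasons.append(f"{len(recent)} failed attempts in the last {FAILURE_WINDOW}")

        last = self.last_success.get(user)
        if last and last[0] != country and at - last[1] <= TRAVEL_WINDOW:
            reasons.append(f"country changed {last[0]} -> {country} within {TRAVEL_WINDOW}")

        return ("mfa" if reasons else "allow"), reasons

    def record_success(self, user, device_id, country, at):
        """Call once the sign-in fully completes (password plus any second factor)."""
        self.known_devices[user].add(device_id)
        self.last_success[user] = (country, at)
        self.failures[user].clear()


def demo():
    """Replay constructed sample events; return (decisions, reasons of the last one)."""
    t0 = datetime(2016, 5, 1, 9, 0)
    policy = StepUpPolicy()
    decisions = []

    # First sign-in from a new laptop: correct password, device unknown -> MFA.
    d, _ = policy.decide("alice", "laptop-1", "US", t0, True)
    decisions.append(d)
    policy.record_success("alice", "laptop-1", "US", t0)

    # Same laptop an hour later: nothing risky -> allowed on the password alone.
    t1 = t0 + timedelta(hours=1)
    d, _ = policy.decide("alice", "laptop-1", "US", t1, True)
    decisions.append(d)
    policy.record_success("alice", "laptop-1", "US", t1)

    # Guessing from another country: five failures, then the right password.
    for i in range(5):
        policy.decide("alice", "bot-7", "NL", t0 + timedelta(hours=2, minutes=i), False)
    d, reasons = policy.decide("alice", "bot-7", "NL",
                               t0 + timedelta(hours=2, minutes=5), True)
    decisions.append(d)
    return decisions, reasons


if __name__ == "__main__":
    print(demo())
```

The third event is the interesting one: the password is right, so a password-only system would let the attacker in, but all three signals fire and the sign-in is held for a second factor instead.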
Keep the operating system, browser, and other software up to date
Most service and app providers release security updates that
can help protect users' devices. These updates help prevent viruses and other
malware attacks by closing possible security holes.
Users running Windows receive these updates automatically as long as
Windows Update is turned on.
Be careful of suspicious emails and websites
Users are advised not to open email messages from unfamiliar senders or email
attachments that they don't recognize. Viruses can be attached to email messages
and might spread as soon as they open the attachment. It's best not to open an
attachment unless they expected to receive it. They should also be careful when
downloading apps or other files from the Internet, and make sure they recognize
the source.
Install an antivirus program on your computer
Hackers can steal passwords through malware (malicious
software) installed on a user's computer without their knowledge. For
example, malware is sometimes bundled with something the user does
want, like a new screen saver. Users should take the time to check their computer
for viruses or malware and remove them before changing their password; otherwise
the new password can be captured the same way as the old one.
Is your computer running Windows?
Great! Windows Defender is free anti-malware software
built into Windows 8 and Windows 10. It updates automatically through Windows
Update. Users running an earlier version of Windows can download and
install Microsoft Security Essentials for free.
After the user installs an antivirus program, they should set it to
regularly get updates and scan their computer.
Gleaned from a paper by the Microsoft Identity Protection Team.