While using https://login.microsoftonline.com/common/login I was prompted to update my password for a test account I was using.
The Update Your Password prompt read:
You need to update your password because this is the first time you are signing in, or because your password has expired.
No problem. So I entered my Current password and my new password twice, like so:
- Current Password: gesunTYE:?\^
- New Password: knsuqttgwhdTUTDZSJ637-!/-=#*#`|
- Confirm Password: knsuqttgwhdTUTDZSJ637-!/-=#*#`|
Notice that I wanted to increase my Office 365 password from 12 semi-random characters to 32 semi-random characters. Strangely, Microsoft didn’t like my new password even though I met all of their stated requirements.
The Update Your Password prompt then read:
Your new password must have at least 8 characters and can’t contain your user ID. It must contain at least three of the following: uppercase letters, lowercase letters, numbers, and symbols.
That’s strange. My new 32-character password meets all of these requirements:
- It is 32 characters long
- It does not contain my user ID
- It contains 7 uppercase letters
- It contains 11 lowercase letters
- It contains 3 numbers
- And it contains 11 symbols
The following passwords also did not work:
- bkdfqnyzjNAGPUNSVHDT839345?..-@(
- .!:,/?(/gpmmmcrpUWDFDWYBUUHYH654
- 2946103671092788((,’`%+[=^dmhJM
Maybe one of the unstated requirements is a maximum length, and my password was too long. It wasn’t until I shortened my password to just 16 semi-random characters that I was able to proceed.
Microsoft, I suggest you state this requirement by re-writing your prompt to read:
Your new password must have at least 8 characters, fewer than 17 characters, and can’t contain your user ID. It must contain at least three of the following: uppercase letters, lowercase letters, numbers, and symbols.
It would be helpful if all of the requirements were properly stated by Microsoft. It would be even better if there were no maximum password length at all. Simply salt and hash my password to your desired length before storing it — then you should not care how many characters I decided to use.
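As an added example (not code from the original post), here is the stated policy and the inferred 16-character cap written as checks and run against the passwords the post says were rejected, followed by the salt-and-hash storage the post recommends, which produces a fixed-length digest no matter how long the password is. The user ID is a placeholder, since the post does not give the account name.

```python
import hashlib
import os

# Placeholder: the post does not reveal the test account's user ID.
SAMPLE_USER_ID = "testuser"

# The passwords quoted in the post as rejected by the prompt.
REJECTED = [
    "knsuqttgwhdTUTDZSJ637-!/-=#*#`|",
    "bkdfqnyzjNAGPUNSVHDT839345?..-@(",
    ".!:,/?(/gpmmmcrpUWDFDWYBUUHYH654",
    "2946103671092788((,’`%+[=^dmhJM",
]


def meets_stated_policy(pw: str, user_id: str) -> bool:
    """The rule exactly as the prompt states it: at least 8 characters,
    no user ID, and at least three of the four character classes."""
    if len(pw) < 8 or user_id.lower() in pw.lower():
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),  # anything else counts as a symbol
    ]
    return sum(classes) >= 3


def violates_undocumented_max(pw: str, max_len: int = 16) -> bool:
    """The unstated rule the post inferred by trial and error:
    anything longer than 16 characters is rejected."""
    return len(pw) > max_len


def store_password(pw: str, salt: bytes = b"") -> tuple:
    """Salt and hash before storing, as the post suggests. PBKDF2-HMAC-SHA256
    always yields a 32-byte digest, so password length needs no upper bound."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)
    return salt, digest


if __name__ == "__main__":
    for pw in REJECTED:
        print(len(pw), meets_stated_policy(pw, SAMPLE_USER_ID),
              violates_undocumented_max(pw))
```

Every rejected password passes the stated policy and fails only the unstated length cap, which is the gap the post asks Microsoft to document.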
Thanks, this post solved it for me. I swear sometimes MS seems so incompetent on simple things like this. Post ALL of the password requirements, Microsoft.
Thank you for posting this, Jason! I ran into this “glitch” today and it almost made me crazy. Your suggestion regarding the prompt revision is a good one. Hopefully the MS folks will take the cue.
Thank you. I just ran into this issue too.
Arbitrary password rules like this are crazy, and Microsoft have seriously reduced the work necessary to attack one of these passwords.
An attacker will know that any password must be at least 12 characters long, containing 3 lowercase, 3 uppercase, 3 numbers, and 3 symbols, and also the password is at most 16 characters long.
I work at MS and I’ve informed the engineering team. Sorry for any inconvenience this has caused and thank you for providing a solution and raising the issue.
Thanks Jason. You saved my day ;-)
Thanks for this post. Just spent an hour jacking around with this (including launching a Windows VM to use IE just in case it was a browser issue). Microsoft – wasting my time and preventing application of security best practices. Ridiculous.
Thank you! It’s disconcerting that the bug still isn’t fixed.