Any idea why you still advise a complex password in this guideline, while the Microsoft Password Guidance advises otherwise? https://www.microsoft.com/en-us/research/publication/password-guidance/
My take on this question is to look at the scope of the separate documentation pieces:
#include <std_disclaimer.h>
This is my personal view and does not necessarily reflect anyone else's opinion (neither my employer nor Microsoft).
Understood - the reason why I'm asking this is because it is a returning discussion I have both internally and with my customers. Also, the NIST Password policy hints going towards password phrases.
Yes, I have noticed that some ISPs also do this - use generated phrases separated by dashes, randomizing the number of capitalized and non-capitalized words, as well as numbers.
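As an added illustration of the generated-passphrase scheme described above (not code from anyone in this thread), the following generates dash-separated phrases with random capitalization and a trailing number, and estimates the entropy of that scheme next to a uniformly random character password. The eight-word list is a constructed stand-in; the 7776-word size used in the comparison is an assumption (a typical diceware-sized list).

```python
import math
import secrets

# Constructed sample word list for the example. A real generator would draw
# from a list of several thousand words; list size is what drives entropy.
WORDS = ["apple", "bridge", "cobalt", "delta", "ember", "falcon", "garden", "harbor"]

def generate_passphrase(words=WORDS, count=4, digits=2):
    """Dash-separated passphrase: `count` random words, each independently
    capitalised or not, followed by a zero-padded random number of `digits`
    decimal digits. `secrets` is used so the output is usable as a real secret."""
    parts = []
    for _ in range(count):
        word = secrets.choice(words)
        if secrets.randbits(1):
            word = word.capitalize()
        parts.append(word)
    parts.append(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return "-".join(parts)

def passphrase_entropy_bits(wordlist_size, count=4, case_flip=True, digits=2):
    """Entropy of the scheme above, assuming uniform random choices.
    Each word contributes log2(wordlist_size) bits, each capitalisation
    decision 1 bit, and each decimal digit log2(10) bits."""
    bits = count * math.log2(wordlist_size)
    if case_flip:
        bits += count
    return bits + digits * math.log2(10)

def random_password_entropy_bits(length, alphabet_size=94):
    """Entropy of a uniformly random password over the 94 printable ASCII
    symbols, the best case for a character-based complexity-rule password."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(generate_passphrase())
    # A 4-word phrase from a 7776-word list (assumed list size) carries more
    # entropy than a random 8-character password over all printable ASCII,
    # which is the intuition behind favouring length over complexity rules.
    print(f"passphrase (7776 words): {passphrase_entropy_bits(7776):.1f} bits")
    print(f"random 8-char complex:   {random_password_entropy_bits(8):.1f} bits")
```

Human-chosen passwords that merely satisfy complexity rules fall well below the uniform-random figure, so the comparison is conservative in favour of the character password.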
Both are aimed at enterprises/education, and are quite contradictory in various ways.
Great observation!
The SecCon guidance is intentionally aligned with the Windows Security Baselines (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) - for precisely the reasons the thread points out: we shouldn't be providing conflicting guidance across documentation sources.
We are in the process of finalizing the baseline for 19H1 and are asking these hard questions. We look to incorporate the latest research, and also the latest tools (such as Azure AD Password Protection - https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises). We also have a work item to incorporate guidance on using MFA tools such as Windows Hello. There is no one "right" answer (which makes baselines harder to build) but we want to provide guidance that aligns permutations of tools so you end up with a suggested and appropriate level of security, where sometimes there may be multiple choices.
We will be updating SecCon around the time that the 19H1 baselines are released and you should see some updates at that point - let us know how we did and where we could still improve!
@alwaysautomateit - Thank you for submitting feedback.
From our understanding, the issue has been answered by illfated, BR77BE and appcompatguy. If you feel it hasn't been resolved please re-open this issue.
Thank you for engaging with the community here for the docs.