Tag Archives: password policy

Microsoft’s BPOS password madness driving users to Google Apps

A friend uses Microsoft’s Exchange Online service for his small company. All was going well until one day he found himself locked out of his email. He had no idea why.

The reason, it turned out, was the password policy set by Microsoft and outlined here:

To help maintain security, you must periodically change your password. When you change your password, be aware of the following:

  • You cannot repeat your previous 24 passwords.
  • You must change your password at least once every 90 days.

In addition:

Microsoft Online Services uses an account lockout policy to help protect the accounts of service administrators and end users. The user can try to sign in to the Administration Center or the Sign In application five times. After five failed attempts with an invalid user name or an incorrect password, users are locked out for 15 minutes. This condition cannot be manually reset.

In this case, Microsoft’s PC sign-in applications prompted the user to change his password. He did so. All seemed well, except that his mobile – in which email settings are deeply buried – did not know about the password change and made repeated attempts to collect email. Result: lock-out, and a horrible user experience.

According to this thread, Microsoft has been so besieged with requests to remove the expiration policy that it solved them at a stroke: by refusing them all.

I find this curious. First, it is doubtful whether frequent password changes really enhance security. Users in this case need new non-repeating passwords every 90 days, which means they are more likely to be written down. Remember, you cannot repeat your previous 24 passwords.

Second, it is odd that BPOS admins do not have the ability to disable password expiration policies in their online management tools.

It may seem a small issue, but for some it is a deal-breaker:

At this moment it is not possible to disable password expiration at all. I opened a ticket and technical support told me multiple times they won’t offer that option anymore… It’s disappointing since I lose customers who choose Google Apps over Microsoft Online just because of the password issue.

Apparently this may be fixed in the forthcoming Office 365.