About User Passwords

Topic Last Modified: 2013-01-11

This topic defines the parameters of a strong password and provides information about password management. Service administrators can manage all users' passwords in the Microsoft Online Services Administration Center, including password resets. End users manage their own passwords in the Microsoft Online Services Sign In application or My Company Portal.

Strong Passwords

All Microsoft Online Services require strong passwords to help protect users and their information. These are the requirements of a strong password:

  • It is 8 to 16 characters long.
  • It cannot contain Unicode characters.
  • It must contain characters from at least three of these four categories:
    • Uppercase letters: A-Z
    • Lowercase letters: a-z
    • Numerals: 0,1,2,3,4,5,6,7,8,9
    • Non-alphanumeric characters: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /

Your password should not contain your user name or your display name.
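
The requirements above, written as a validator. This is an added example, not code from Microsoft Online Services. The function name check_password is hypothetical, and the example assumes that "no Unicode characters" means ASCII only and that the user name (the part before any @) and display name are matched case-insensitively.

```python
import string

# Symbol set copied from the "Non-alphanumeric characters" line of the policy.
SYMBOLS = set("`~!@#$%^&*()_+-={}|[]\\:\";'<>?,./")
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)


def check_password(password, user_name="", display_name=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8 to 16 characters")
    # Assumption: "cannot contain Unicode characters" is read as ASCII-only.
    if not password.isascii():
        problems.append("contains non-ASCII characters")
    # Count how many of the four categories appear at least once.
    categories = sum(
        any(ch in group for ch in password)
        for group in (UPPER, LOWER, DIGITS, SYMBOLS)
    )
    if categories < 3:
        problems.append("uses %d of 4 character categories, needs 3" % categories)
    # Assumption: case-insensitive substring match, and only the part of the
    # user name before "@" is compared. The page says only "should not contain".
    lowered = password.lower()
    names = (("user name", user_name.split("@")[0]), ("display name", display_name))
    for label, value in names:
        if value and value.lower() in lowered:
            problems.append("contains the " + label)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("Summer2013!", "bob@contoso.example", "Bob Jones"),
        ("password", "bob@contoso.example", "Bob Jones"),
        ("Alice#2013x", "alice@contoso.example", "Alice Smith"),
    ]
    for pw, user, display in samples:
        print(repr(pw), "->", check_password(pw, user, display) or "OK")
```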

Password Reset Policy

To help maintain security, you must periodically change your password. When you change your password, be aware of the following:

  • You cannot repeat your previous 24 passwords.
  • You must change your password at least once every 90 days.
  • You cannot change your own password more than once in 24 hours.
  • My Company Portal warns you 14 days before your password expires.
  • The Sign In application warns end users 14 days before their password expires.
  • If your password expires, you are prompted to change it when you sign in to the Administration Center, My Company Portal, or the Sign In application.
  • Passwords can be reset only in the Administration Center, My Company Portal, or the Sign In application.
  • Temporary passwords cannot be used or reset in Microsoft Office Outlook Web Access.

Lockout Policy

Microsoft Online Services uses an account lockout policy to help protect the accounts of service administrators and end users. The user can try to sign in to the Administration Center or the Sign In application five times. After five failed attempts with an invalid user name or an incorrect password, users are locked out for 15 minutes. This condition cannot be manually reset.

The lockout policy helps guard against malicious attacks by unauthorized users. After 15 minutes, the user can try to sign in again with the correct user name and password. If the user cannot remember the password, a service administrator can reset the user's password in the Administration Center. For more information, see Reset a User's Password.

For administrator accounts, we recommend that you create a second service administrator as soon as your company is provisioned. That way, if your primary account is locked out for any reason, you can use the secondary account to reset the primary account's password. For more information, see Add an Account with Administrator Permissions.

Passwords and the Sign In Application

After a successful sign-in, end users can change their own passwords in the Sign In application. Direct your users to the Options tab of the Sign In application.

As the service administrator, you can change your password in either the Sign In application or the Administration Center.