I am wondering how O365 passwords are stored on servers.
I guess they are SHA-2 hashed and then salted... but then why are we limited to 16 characters? I do not see any reason for that. Seriously.
Moreover, this low limit is not really part of the best practices...
That limit only applies to cloud-created accounts, and it will soon be lifted, AFAIK. In any case, the industry is moving in a direction where passwords are a thing of the past, and we get more and more stuff around MFA and passwordless auth.