How are O365 passwords stored on servers and why are they limited to 16 characters ?

Occasional Visitor

Hello !


I am wondering how are O365 passwords stored on servers.

I guess they are SHA-2 hashed and then salted ... but then why are we limited to 16 characters ? I do not see any reason for that. Seriously.


Moreover, this low limit is not really part of the best practices ...

1 Reply

That limit only applies to cloud-created accounts, and it will soon be lifted afaik. In any case, the industry is moving into a direction where passwords are things of the past, and we get more and more stuff around MFA and passwordless auth.