How are O365 passwords stored on servers and why are they limited to 16 characters ?


Hello!


I am wondering how O365 passwords are stored on servers.


I guess they are SHA-2 hashed and then salted ... but then why are we limited to 16 characters? I do not see any reason for that. Seriously.


Moreover, this low limit is not really in line with best practices ...

1 Reply

That limit only applies to cloud-created accounts, and it will soon be lifted, as far as I know. In any case, the industry is moving in a direction where passwords are a thing of the past, and we get more and more stuff around MFA and passwordless auth.
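Added example, not part of the thread above and not a description of how Microsoft actually stores O365 credentials: a salted, iterated password hash (PBKDF2-HMAC-SHA256, with an assumed iteration count and salt size) accepts input of any length, so a character cap is never required by the hashing step itself. The block also models the failure mode a cap can hide, a server that silently truncates the password before hashing, so that a guess matching only the first 16 characters verifies. The sample passwords are constructed for the illustration.

```python
"""Salted, iterated password hashing versus a silent length cap.

Added illustration; not Microsoft's code and not how Azure AD / O365
stores credentials. PBKDF2 parameters below are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor; real deployments tune this
SALT_BYTES = 16       # assumed per-user salt length


def hash_password(password: str, salt: Optional[bytes] = None,
                  max_len: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Return (salt, key) for PBKDF2-HMAC-SHA256 over the password.

    max_len models a server that truncates the password before hashing
    (the hidden failure mode of a fixed cap). None means no truncation.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # random per-user salt, stored beside the key
    pw = password.encode("utf-8")
    if max_len is not None:
        pw = pw[:max_len]              # silent truncation, if the cap is enforced here
    key = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes,
                    max_len: Optional[int] = None) -> bool:
    """Recompute the key with the stored salt; compare in constant time."""
    _, key = hash_password(password, salt, max_len)
    return hmac.compare_digest(key, stored_key)


def truncation_accepts_wrong_password(real: str, guess: str,
                                      max_len: Optional[int]) -> bool:
    """True if a different password verifies purely because of truncation."""
    if real == guess:
        raise ValueError("guess must differ from the real password")
    salt, key = hash_password(real, max_len=max_len)
    return verify_password(guess, salt, key, max_len)


if __name__ == "__main__":
    # Constructed sample passwords (not real credentials).
    real = "correct horse battery staple 2024!"  # 34 characters
    guess = "correct horse ba"                   # its first 16 characters
    salt, key = hash_password(real)
    print("34-char password hashes and verifies:", verify_password(real, salt, key))
    print("16-char prefix accepted without a cap:",
          truncation_accepts_wrong_password(real, guess, None))
    print("16-char prefix accepted with a 16-char cap:",
          truncation_accepts_wrong_password(real, guess, 16))
```

The point for the thread: a cap like 16 characters is a policy or legacy-compatibility decision at the front end, not something a salted hash needs; and if a system enforces a cap by truncating rather than rejecting, everything past the cap stops contributing to the stored value, which is why rejecting over-long input is the safer way to implement a limit you cannot remove.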