Microsoft Office 365 misses the mark with auto-expiring passwords.
I have been impressed with the way Microsoft Office 365 is working on my wife’s computer. Outlook synchronizes nicely with her Android phone and, until that incident with a loosely capped water bottle, with her iPad.
That changed last week, when she was traveling and unable to connect to Office 365’s Exchange Server to Send and Receive emails.
We tried resolving the connection issue, first via cell phone, then with gmailed links to some knowledgebase articles and, finally, with a LogMeIn session. Nothing was successful in connecting to Exchange.
Once I had her computer in front of me – and had time to do a little research – I discovered the culprit:
Microsoft’s default setting is to expire Office 365 user passwords after 90 days.
Now, I’ve been in IT long enough to know that users don’t always tell the truth, the whole truth and nothing but the truth. With nearly 27 years of marriage in the balance, I tactfully inquired if she had been presented any warnings regarding mandatory password changes. She swears she was not and I accepted that answer (and remain happily married to this day!).
I’m a vocal proponent of strong security, but not to the point of locking out users without warning.
I’ve also been in IT long enough to understand there’s a fine line between adequate and overbearing security. The best way to assure a potential password breach is to force users to periodically change them. Human nature will almost guarantee new passwords will be written on Post-It™ notes and stuck to monitors or under keyboards. Unless there are compelling reasons to do otherwise, I don’t force password changes on users.
With the culprit identified, I set about finding a way to change Microsoft’s default setting. The resolution required downloading and installing some special PowerShell tools and executing some lengthy command line instructions. Given that one of Office 365’s purported advantages is to firms that don’t have in-house IT support, who do they expect is going to dig that deep behind the curtain? Rhetorical question, of course. It probably never dawned on them.
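For readers who want to see what that "digging behind the curtain" actually involves, the following is an added illustration, not the commands from the original post: the Microsoft MSOnline (Azure AD v1) PowerShell cmdlets that read and change the tenant password-expiration policy. The domain name and user principal name are placeholders, and the account running them is assumed to be a Global Administrator.

```powershell
# Added example (not from the original post): MSOnline cmdlets that control
# Office 365 password expiration. Assumptions: the module can be installed,
# the signed-in account is a Global Administrator, and "example.com" /
# "user@example.com" are placeholders for the tenant's verified domain and
# one affected user.

# One-time setup: install the module and sign in to the tenant.
Install-Module -Name MSOnline -Scope CurrentUser
Connect-MsolService

$domain = 'example.com'        # placeholder: the tenant's verified domain
$user   = 'user@example.com'   # placeholder: one affected user

# 1. Inspect the current policy before changing anything.
#    ValidityPeriod is the password lifetime in days (the 90-day default the
#    post describes); NotificationDays is how far in advance users are warned.
Get-MsolPasswordPolicy -DomainName $domain

# 2. Option A: keep expiration but lengthen it and warn users earlier.
#    Documented ranges are 14-730 days for ValidityPeriod and 1-30 for NotificationDays.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 730 -NotificationDays 30

# 3. Option B: exempt a single user from expiration entirely.
Set-MsolUser -UserPrincipalName $user -PasswordNeverExpires $true

# 4. Option C: exempt every user in the tenant.
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $true

# 5. Verify immediately, rather than waiting 90 days: list each user's
#    never-expires flag and the date of their last password change.
Get-MsolUser -All |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp
```

Step 5 is the check worth keeping: a user whose `PasswordNeverExpires` is `False` and whose `LastPasswordChangeTimestamp` is approaching the policy's `ValidityPeriod` is the next one who will be locked out of Exchange while traveling. Note that Microsoft has since deprecated the MSOnline module in favor of Microsoft Graph PowerShell, where the per-user equivalent is `Update-MgUser -UserId $user -PasswordPolicies 'DisablePasswordExpiration'`.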
I’ve busted Microsoft’s chops before for defaults that were too lax (primarily in Internet Explorer), so I won’t go so far as to say they should loosen their security in this case. I will, however, make the following suggestions:
IF you are going to expire passwords after 90 days by default:
1) ANNOUNCE that at the time an Office 365 account is created, and
2) REMIND users, multiple times, in advance, and
3) PROVIDE a method through the Admin Portal to easily override that setting.
We’ll know in 90 days if my PowerShell commands achieved the desired effect.