Side note, the PDF contains no (visible) version information or date :-(
Please, if you publish guidance, especially if you are an influential company, include a date in your documents. I treat guidance from 2016 differently than guidance from 2023.
Back to the recommendations. Most of them are solid, but some stick out.
Maintain an 8-character minimum
That seems awfully short. #NIST states "Longer is better", the #HPI recommends 15+ characters and, wait for it, Microsoft themselves recommend 12 or better 14+ characters.
Ban common passwords, to keep the most vulnerable passwords out of your system.
The NIST recommendation check against "commonly used and compromised passwords" considerably extends this!
Microsoft at other places recommends "Not a word that can be found in a dictionary or the name of a person, character, product, or organization."
Educate your users not to re-use their password for non-work-related purposes.
Work related reuse is OK????
I would love to know if #Microsoft internally really follows these password rules, or if they enforce a stricter set. If anyone knows about this, please let me know (but don't if this would get you fired).
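To make the difference between the two policies discussed above concrete, here is an added example (not from the post or from any Microsoft/NIST document) that evaluates candidate passwords against an "8-character minimum plus common-password ban" policy and against a "14-character minimum plus compromised-password check" policy. The length thresholds are the ones the post quotes; both blocklists are tiny constructed stand-ins for the real lists an organisation would use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    blocklist: frozenset  # lower-cased passwords that are rejected outright


# Constructed sample lists (not real breach data). A "common passwords" list
# is short and static; a "compromised passwords" list is much larger because it
# also contains every password seen in a breach, including ones that look fine.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein"})
COMPROMISED_PASSWORDS = COMMON_PASSWORDS | frozenset(
    {"summer2016!", "corpwelcome1", "dragon123"}
)

# Policy A: the recommendation the post criticises (8 chars + common-password ban).
EIGHT_CHAR_POLICY = PasswordPolicy("8-char minimum, common-password ban", 8, COMMON_PASSWORDS)
# Policy B: the stricter variant the post prefers (14+ chars + compromised-password check).
FOURTEEN_CHAR_POLICY = PasswordPolicy(
    "14-char minimum, compromised-password check", 14, COMPROMISED_PASSWORDS
)


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of rules the candidate violates; an empty list means accepted."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    # Blocklist lookup is case-insensitive so "Password" does not slip past "password".
    if password.lower() in policy.blocklist:
        failures.append("appears on the blocklist")
    return failures


def compare_policies(password: str) -> dict:
    """Evaluate one candidate under both policies, keyed by policy name."""
    return {p.name: check_password(password, p) for p in (EIGHT_CHAR_POLICY, FOURTEEN_CHAR_POLICY)}


if __name__ == "__main__":
    # "Summer2016!" satisfies the weaker policy but is too short and breached under the stricter one.
    for candidate in ("Summer2016!", "password", "correct horse battery staple"):
        print(candidate, compare_policies(candidate))
```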