A strong password is important and the newest guidance is that longer is better and length is more important than complexity.
Office 365 (Azure Active Directory) lags somewhat in that complexity is still favored. More frustrating is that there is actually a 16 character limit on password length. Even more frustrating is that it isn’t well explained when setting or changing a password.
If you’ve seen an error like the one below, what it should say is “at least 8 but not more than 16 characters…”
If you try to use more than 16 characters you’ll see the message above. It will not change to say “you may not use more than 16 characters.”
I’ve personally struggled and witnessed others who are IT professionals get stuck on this prompt when attempting to use a password longer than 16 characters.
Be aware of this limitation learn more detail about Azure AD password policies here.
Also, multi-factor authentication is available and is an excellent way to increase security.