Password policy recommendations

As the admin of an organization, you're responsible for setting the password policy for users in your organization. Setting password policy can be complicated and confusing, and this article provides recommendations to make your organization more secure against password attacks.

To determine how often Microsoft 365 passwords expire in your organization, see Set password expiration policy for Microsoft 365.

For more information about Microsoft 365 passwords, see the related articles listed at the end of this page.

Understanding password recommendations

Good password practices fall into a few broad categories:

  • Resisting common attacks. This involves the choice of where users enter passwords (known and trusted devices with good malware detection, validated sites), and the choice of what password to use (length and uniqueness).

  • Containing successful attacks. Containing a successful attack is about limiting exposure to a specific service, or preventing the damage altogether, if a user's password gets stolen. For example, ensuring that a breach of your social networking credentials doesn't make your bank account vulnerable, or not letting a poorly guarded account accept reset links for an important account.

  • Understanding human nature. Many valid password practices fail in the face of natural human behaviors. Understanding human nature is critical because research shows that almost every rule you impose on your users will result in a weakening of password quality. Length requirements, special character requirements, and password change requirements all result in normalization of passwords, which makes it easier for attackers to guess or crack them.

Password guidelines for administrators

The primary goal of a more secure password system is password diversity. You want your password policy to produce lots of different and hard-to-guess passwords. Here are a few recommendations for keeping your organization as secure as possible.

  • Maintain an 8-character minimum length requirement (longer isn't necessarily better)

  • Don't impose character composition requirements (for example, requiring symbols such as *&(^%$)

  • Don't require mandatory periodic password resets for user accounts

  • Ban common passwords, to keep the most vulnerable passwords out of your system

  • Educate your users not to re-use their organization passwords for non-work related purposes

  • Enforce registration for [multi-factor authentication](../security-and-compliance/set-up-multi-factor-authentication.md)

  • Enable risk-based multi-factor authentication challenges

Password guidance for your users

Here's some password guidance for users in your organization. Make sure to let your users know about these recommendations and enforce the recommended password policies at the organizational level.

  • Don't use a password that is the same as, or similar to, one you use on any other website

  • Don't use a single word, for example, password, or a commonly used phrase like Iloveyou

  • Make passwords hard to guess, even by those who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use

Some common approaches and their negative impacts

These are some of the most commonly used password management practices, but research warns us about their negative impacts.

Password expiration requirements for users

Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted from the previous one, for example by incrementing a trailing number. Password expiration requirements offer no containment benefit because cyber criminals almost always use credentials as soon as they compromise them.

Requiring long passwords

Password length requirements (greater than about 10 characters) can result in user behavior that is predictable and undesirable. For example, users who are required to have a 16-character password may choose repeating patterns like fourfourfourfour or passwordpassword that meet the length requirement but aren't hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, such as writing their passwords down, re-using them, or storing them unencrypted in their documents. To encourage users to think about a unique password, we recommend keeping a reasonable 8-character minimum length requirement.

Requiring the use of multiple character sets

Password complexity requirements reduce the effective key space and cause users to act in predictable ways, doing more harm than good. Most systems enforce some level of password complexity requirements. For example, passwords need characters from all three of the following categories:

  • uppercase characters

  • lowercase characters

  • non-alphanumeric characters

Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last position, and digits in the last two positions. Cyber criminals know this, so they run their dictionary attacks using the most common substitutions: "$" for "s", "@" for "a", "1" for "l". Forcing your users to choose a combination of uppercase, lowercase, digits, and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.

Successful patterns

In contrast, here are some recommendations for encouraging password diversity.

Ban common passwords

The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords, to reduce your organization's susceptibility to brute-force password attacks. Common user passwords include abcdefg, password, and monkey.
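The following Python script is an added example, not code from the original page or from Microsoft 365. It implements a local password-screening check that enforces only what this page recommends (an 8-character minimum and a banned-word list, with no character-composition rules) and catches the three predictable patterns the page describes: substitution variants of banned words ("$" for "s", "@" for "a", "1" for "l"), a short unit repeated to satisfy a length rule (fourfourfourfour), and a new password that is the previous one with only its trailing digits or symbols changed (the pattern forced expiry produces). The banned list beyond abcdefg, password and monkey, the extra substitutions 0->o and 3->e, and the candidate passwords are all constructed for the example; the script is an illustration of the screening logic, not the check Microsoft 365 itself performs.

```python
"""Added example: password screening that bans common words (including their
substitution variants), repeated units, and predictable successors, without
imposing any character-composition rules."""
from __future__ import annotations

import re

MIN_LENGTH = 8  # the page's recommended minimum; nothing longer is required

# Constructed sample banned list. The page names abcdefg, password and monkey;
# the other entries are assumed. A real deployment uses a far larger list.
BANNED = {
    "abcdefg", "password", "monkey",
    "iloveyou", "qwerty", "letmein", "welcome", "12345678",
}

# Substitutions the page says attackers try ($->s, @->a, 1->l), plus
# 0->o and 3->e, which are assumed additions.
LEET = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e"})


def stem(password: str) -> str:
    """Lower-case and drop the trailing digits/symbols that composition rules
    push users to append: 'Summer2023!' -> 'summer', 'Monkey123' -> 'monkey'."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def normalize(password: str) -> str:
    """Stem, then undo the common substitutions: 'P@$$w0rd1!' -> 'password'."""
    return stem(password).translate(LEET)


def repeated_unit(password: str) -> str | None:
    """Return the unit if the password is a short string repeated, e.g.
    'fourfourfourfour' -> 'four'; otherwise None. (s + s).find(s, 1) is
    smaller than len(s) exactly when s is a nontrivial repetition."""
    s = password.lower()
    period = (s + s).find(s, 1)
    if 0 < period < len(s):
        return s[:period]
    return None


def is_predictable_successor(previous: str, candidate: str) -> bool:
    """True when only the trailing digits/symbols changed between the old and
    the new password ('Summer2023!' -> 'Summer2024!')."""
    old = stem(previous)
    return old != "" and old == stem(candidate)


def check_password(candidate: str, previous: str | None = None) -> list[str]:
    """Return the reasons to reject the candidate (empty list means accept).
    Deliberately no uppercase/lowercase/symbol composition checks."""
    reasons: list[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    unit = repeated_unit(candidate)
    if unit is not None:
        reasons.append(f"repeats the unit {unit!r}")
    banned = (
        candidate.lower() in BANNED
        or normalize(candidate) in BANNED
        or (unit is not None and normalize(unit) in BANNED)
    )
    if banned:
        reasons.append("matches a banned common password")
    if previous is not None and is_predictable_successor(previous, candidate):
        reasons.append("only the trailing digits/symbols differ from the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; the fourth pair simulates a forced reset.
    samples = [
        ("P@$$w0rd1!", None),
        ("fourfourfourfour", None),
        ("Monkey123", None),
        ("Summer2024!", "Summer2023!"),
        ("correct horse battery staple", None),
    ]
    for pw, prev in samples:
        verdict = check_password(pw, prev) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

The normalization order matters: trailing digits and symbols are stripped before substitutions are undone, so the "1" in P@$$w0rd1! is treated as an appended digit rather than as an "l" inside the word. The successor check needs the previous password (or its stem) at change time; a stored hash alone is not enough, so this check runs in the change flow while the old password is still available in memory.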

Educate users not to re-use organization passwords anywhere else

One of the most important messages to get across to users in your organization is not to re-use their organization password anywhere else. The use of organization passwords on external websites greatly increases the likelihood that cyber criminals will compromise these passwords.

Enforce multi-factor authentication registration

Make sure your users keep their contact and security information up to date, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Up-to-date contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. It also provides an out-of-band notification channel for security events such as login attempts or changed passwords.

To learn more, see Set up multi-factor authentication.

Enable risk-based multi-factor authentication

Risk-based multi-factor authentication ensures that when our system detects suspicious activity, it can challenge the user to verify that they are the legitimate account owner.

Reset passwords

Set an individual user's password to never expire

Let users reset their own passwords

Resend a user's password - Admin Help