Why do I see a message that my password does not meet password policy requirements?


When changing or resetting the password for your MC domain/CUIMC email account, you will see this message if the new password you entered matches a global banned password list that was implemented at CUIMC in early October. The list blocks known common passwords and variations, such as substituting the character "@" for the letter "a" in a word.

When selecting a new password, if you see the message:
The password does not meet the password complexity requirements. Check the minimum password length, password complexity and password history requirements. (Exception...)
Try less common words, and do not rely on character substitutions (such as "@" for "a" or "0" for "o") to make a common word acceptable, since the check undoes those substitutions before comparing. Using a phrase of several words will often work because phrases are far less common than a single word or name, and in general longer passwords are more secure. If you are still not able to select a new password, please see the current full instructions for changing or resetting your password, or contact us for assistance.

More About the Global Banned Password List

The list is part of a security feature called Password Protection that we have implemented for MC/CUIMC email accounts, which use a Microsoft platform called Azure Active Directory (AD). Both Azure AD and Password Protection are widely used at other organizations and companies for login accounts. Microsoft publishes detailed technical information on how the feature works; in short, Microsoft analyzes data to determine "base terms that are often used as the basis for weak passwords" and adds them to the banned list.

When a desired password is checked against the global banned password list, it goes through several steps that determine how much of it is built from banned material and how much is genuinely new.

  1. "Normalization" undoes common character substitutions and case changes, so that P@ssw0rd is checked as password.
  2. "Fuzzy matching" catches small alterations of a banned term, such as common typos or single-character changes (for example, "abcdeg" is treated as a variant of "abcdef"), so a banned word cannot be rescued by changing one character.
  3. "Substring matching" checks for things like your first and last name, or common variations of them, embedded in the password.

The checks then generate a score for the desired password: each banned term found in it counts as a single point, and each remaining character that is not part of a banned term counts as one point. Microsoft requires a minimum of five points, so a password built mostly from banned material cannot be used no matter how it is disguised, while a longer phrase of ordinary words passes easily.
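To make the four steps concrete, here is a small Python model of the check. It is an added illustration written for this page, not Microsoft's code or Microsoft's banned list: the banned terms, the substitution table, the example user name ("Jane Doe") and the candidate passwords are all constructed, and the matching rules are a simplification of the documented behaviour (banned terms match within one character edit, the user's name matches as an exact substring, and each found term plus each leftover character scores one point against a minimum of five).

```python
"""Toy model of the banned-password check: normalization, fuzzy matching,
substring matching and scoring.

Added illustration, not Microsoft's code. The banned list is a small
constructed sample (the real global list is far larger and unpublished) and
the matching rules simplify the documented steps.
"""
from __future__ import annotations

# Constructed sample of banned base terms.
BANNED_TERMS = ["password", "welcome", "abcdef", "contoso", "qwerty", "summer"]

# Character substitutions undone by normalization (P@ssw0rd -> password).
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "$": "s", "!": "i", "3": "e"})

MIN_SCORE = 5      # Microsoft documents a minimum of five points.
MIN_TERM_LEN = 3   # Toy assumption: ignore terms too short to be meaningful.


def normalize(password: str) -> str:
    """Step 1: lowercase and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def within_one_edit(a: str, b: str) -> bool:
    """Step 2 helper: equal, or exactly one substitution, insertion or deletion apart."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def find_terms(normalized: str, fuzzy_terms: list[str],
               exact_terms: list[str]) -> list[tuple[int, int, str]]:
    """Steps 2 and 3: greedy left-to-right scan for banned material.

    Global banned terms match within one edit (fuzzy matching); user-specific
    terms such as first and last name match as exact substrings. At each
    position the widest hit wins and is consumed, so every banned fragment is
    counted once. Returns (start, end, term) triples.
    """
    candidates = [(t, (len(t) + 1, len(t), len(t) - 1), True) for t in fuzzy_terms]
    candidates += [(t, (len(t),), False) for t in exact_terms]
    matches: list[tuple[int, int, str]] = []
    i = 0
    while i < len(normalized):
        best: tuple[int, str] | None = None
        for term, widths, fuzzy in candidates:
            for width in widths:
                if width < MIN_TERM_LEN or i + width > len(normalized):
                    continue
                window = normalized[i:i + width]
                hit = within_one_edit(window, term) if fuzzy else window == term
                if hit and (best is None or width > best[0]):
                    best = (width, term)
        if best is None:
            i += 1
        else:
            matches.append((i, i + best[0], best[1]))
            i += best[0]
    return matches


def score_password(password: str, user_terms: tuple[str, ...] = (),
                   banned: list[str] = BANNED_TERMS) -> tuple[int, list[tuple[int, int, str]]]:
    """Step 4: one point per banned term found plus one per remaining character."""
    normalized = normalize(password)
    matches = find_terms(normalized, banned, [t.lower() for t in user_terms])
    covered = sum(end - start for start, end, _ in matches)
    return len(matches) + (len(normalized) - covered), matches


def is_allowed(password: str, user_terms: tuple[str, ...] = ()) -> bool:
    """True when the password reaches the minimum score."""
    return score_password(password, user_terms)[0] >= MIN_SCORE


if __name__ == "__main__":
    # Constructed candidate passwords for a made-up user named Jane Doe.
    for pw in ["P@ssw0rd", "Welcome1", "Abcdeg!", "JaneDoe1", "correct horse battery staple"]:
        points, found = score_password(pw, user_terms=("Jane", "Doe"))
        verdict = "accepted" if points >= MIN_SCORE else "rejected"
        print(f"{pw!r:32} -> {points:2d} points, {verdict}; matched {[t for _, _, t in found]}")
```

Running the demo shows why the advice above works: "P@ssw0rd" normalizes to a banned word and scores a single point, "Welcome1" and "Abcdeg!" are caught by fuzzy matching despite the altered character, "JaneDoe1" is consumed almost entirely by the user's own name, while a four-word phrase contains no banned material and scores a point for every character.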