Is it advisable according to Okta to have passwords shorter than 10 characters for AD-sourced user passwords?

Having passwords shorter than 10 characters for Active Directory (AD)-sourced user passwords is generally not advisable according to Okta's security best practices. Password length is a key factor in password strength; longer passwords are typically more resistant to various types of attacks, such as brute force attacks, which attempt to guess passwords through exhaustive trial and error.

The recommendation for a minimum password length, often set at 10 or more characters, is based on research indicating that longer passwords are exponentially harder to crack. This aligns with both industry standards and regulatory requirements that focus on securing user accounts and sensitive information.

Using a password policy that mandates a minimum length helps organizations ensure that users create stronger, more secure passwords, reducing the likelihood of unauthorized access. In this context, allowing passwords shorter than 10 characters undermines overall security efforts and puts users and the organization's data at greater risk.

Therefore, concluding that it is not advisable to have passwords shorter than 10 characters is consistent with best practices in password management and user authentication protocols.