Will Dormann, in exposing the half-measure Outlook patch, also shows that a more complex password with mixed-case letters plus digits and symbols is better than a simple long password.
Maximum time to crack an 8-character password from an NTLMv2 hash using just one mid-range GPU.
Longer passwords are better, but you don’t need to go overboard. Adding just one more character, to make a 9-character password of mixed-case letters, digits and symbols, increases the maximum cracking time from a year to 84 years!
That’s for a ‘brute force’ attack, which tries every possible combination.
Longer but not predictable
Any hacker will first try the still too common passwords like ‘password’, ‘1234567890’ or other combinations.
In practice, you should have a properly unique password with mixed-case letters, numbers and a symbol or two, for example ‘St*ar*256’.
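The two points above (each extra character multiplies the brute-force keyspace by the alphabet size, but a predictable password falls to a wordlist no matter its length) can be checked with the added example below. It is not code from Will Dormann or Office-Watch.com: the guess rate and the short list of common passwords are constructed placeholders, so the absolute years it prints are illustrative, only the ratios matter.

```python
import string

# Character classes and their sizes, used for a brute-force keyspace estimate.
# Assumption: the attacker knows which classes are allowed and tries them all.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32 printable ASCII symbols
}
SECONDS_PER_YEAR = 365 * 24 * 3600
# Constructed, illustrative guess rate (hashes/second), not a measured GPU
# figure; replace it with your own benchmark for the hash type you care about.
ASSUMED_RATE = 1_000_000_000
# Constructed stand-in for a published wordlist of common passwords.
COMMON_PASSWORDS = {"password", "1234567890", "qwerty", "letmein"}

def password_classes(password):
    """Return the set of character classes actually present in a password."""
    return {name for name, chars in CLASSES.items()
            if any(ch in chars for ch in password)}

def keyspace(length, classes):
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    alphabet = sum(len(CLASSES[c]) for c in classes)
    return alphabet ** length

def worst_case_years(length, classes, rate=ASSUMED_RATE):
    """Years needed to try every candidate at `rate` guesses per second."""
    return keyspace(length, classes) / rate / SECONDS_PER_YEAR

def effective_years(password, rate=ASSUMED_RATE):
    """Estimate for a concrete password: 0 if it is on the wordlist (it falls
    to a dictionary attack regardless of length), otherwise the exhaustive
    search time for its real length and the classes it actually uses."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return worst_case_years(len(password), password_classes(password), rate)

if __name__ == "__main__":
    everything = set(CLASSES)
    for n in (8, 9):
        print(f"{n} chars, all four classes: {worst_case_years(n, everything):.2f} years")
    for pw in ("password", "1234567890", "St*ar*256"):
        print(f"{pw!r}: {effective_years(pw):.2f} years")
```

Going from 8 to 9 characters over all four classes multiplies the time by 94 (the alphabet size), while ‘1234567890’ only ever gets the 10-character digit keyspace and ‘password’ gets none.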
Two factor is even better
Office-Watch.com has strongly pushed the use of two-factor authentication for the important accounts like email and banking including Microsoft, Google and Facebook logins.
Two-factor authentication is a better choice than a longer or more complex password.
Both our Office 2016 and Windows 10 books have chapters devoted to Microsoft Account security and especially step-by-step setup of two-factor authentication.