Microsoft seeks to mitigate laziness by banning popular passwords

Old man Redmond looks to prevent "LinkedIn"-style debacle by preventing users from choosing popular passwords.

Will "Microsoft" be on the password blacklist?
Will "Microsoft" be on the password blacklist?

Microsoft says it will stop users from choosing easily guessable passwords in a bid to prevent a repeat of the recently resurfaced LinkedIn fiasco.

The 2012 LinkedIn data breach may be the one that just keeps on giving with the news last week that 117 million customer email credentials originating from that hack were found for sale on the dark web.

Alex Simons, director of programme management for identity services at Microsoft, said in an Active Directory blog post that his firm will try to avoid the same thing happening to it by preventing users from making lazy choices in passwords.

The weaknesses with allowing users to choose any password – or PIN code – they wish is that users are notorious for choosing badly. A blog post on Datagenetics.com demonstrated, through an analysis of PIN numbers, that an attacker need only try the 20 most common PIN codes to crack more than 25 percent of user accounts.

Simons believes there were simple ways which organisations and IT admins could stop users making such awful choices.

“Based on the latest research, there are some straightforward, concrete steps you can take as a user or as an administrator to help protect your accounts," said Simons. "And we've got some great features in AzureAD and the Microsoft Account service that can help you."

He added, somewhat unsurprisingly, that ‘123456' and ‘password' were terrible passwords to use, hence the belated ban.

He said that the most important thing to keep in mind when selecting a password is to choose one that is unique, and therefore hard to guess.

“We help you do this in the Microsoft Account and Azure AD system by dynamically banning commonly used passwords," he said.

"When it comes to big breach lists, cyber criminals and the Azure AD Identity Protection team have something in common: we both analyse the passwords being used most commonly.

"Bad guys use this data to inform their attacks, trying to brute-force accounts by trying popular passwords against them. What we do with the data is prevent you having a password anywhere near the current attack list so those attacks won't work."

The new edict will affect users with Microsoft account usernames followed by Azure AD account holders.

Graham Fletcher, associate partnership at  Citihub Consulting told SCMagazineUK.com that this is a good step in the right direction from Microsoft.

“The simple fact is that most password policies are no longer adequate to prevent your account getting hacked,” he said.

He added that many people struggle to remember complex passwords and have to use different passwords on various websites, one possible way forward would be to use pass phrases.

“A pass phrase is a random collection of words (they can even be dictionary words) that you can remember but won't be easily guessed, e.g., ‘black sunday pepper morning'. It's long and hard to match or guess so very secure. It might take a bit longer to type but you don't need to go searching for special characters and stuff. Even ‘black Sunday' is a reasonable password. There are password entropy checkers online that can give you a good idea of relative password strength.”

Andrew Tang, service director of security at MTI, told SC that there is very little risk with the initiative.

“We are trusting Microsoft to store and secure that password, as it will need to be check every time it's used.  Like all other systems, it's just an algorithm to check how the password is structured.”

He added that if the complexity increases too much, passwords will be written down by the users. “The user needs to consider a move to a secure password vault, or the supplier needs to look to two-factor authentication.”