Microsoft May Ban Your Favorite Password

Microsoft Banning Commonly Used Passwords and Adding Account Lockout Feature

Weak and commonly-used passwords are one of the main reasons online accounts can be easily compromised, but Microsoft is taking a step to better protect users by banning the use of such passwords across its services.

As data leaks have shown lately, people continue to use easy-to-guess passwords such as “123456” or “password” for their accounts, despite repeated warnings that this practice is incredibly risky. In March, security firm Rapid7 published the results of a year-long study and revealed that “x,” “Zz” and “[email protected]” are also highly preferred passwords.

Recently, a hacker offered to sell 167 million LinkedIn accounts, including 117 accounts with passwords, for only around $2,200 (5 bitcoins). The data, stolen in 2012, shows that “123456” was the most used password, occurring 753,305 times, which would be four times more than the next most common password, “linkedin,” at 172,523 occurrences.

Although the passwords were hashed, LinkedIn wasn’t salting them, meaning that many could be easily cracked, especially if they are weak passwords. Last month, 7 million Minecraft community “Lifeboat” accounts were impacted by a data leak that included weakly hashed passwords.

Accounts that leak on the dark web are accessed hundreds of times, a report from Bitglass revealed earlier this year, while the price of hiring a hacker to compromise an account with a popular email or social media service costs as little as $129, Dell SecureWorks found. 

To make sure that its users rely on unique, difficult to guess passwords, Microsoft says it is dynamically banning common passwords from Microsoft Account and Azure AD system. The company analyzes data breaches looking for the passwords that are used most often and prevents users from having a password that is found on attack lists (cybercriminals use passwords from these leaks to brute-force accounts).

In a blog post, Alex Weinert, Group Program Manager of Azure AD Identity Protection team, explains that Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Available in Microsoft Account Service now, the feature will roll out to all Azure AD tenants in the next month.

In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. Basically, the feature was designed to lock bad guys out of an account when they attempt to guess the password, even when they do so from the account owner’s PC or network.

“Of course, you already know that when our security system detects a bad guy trying to guess your password online, we will lock out the account. What you probably don’t know is that we do lots of work to make sure that they only lock themselves out! Our systems are designed for determining the risk associated with a specific login session. Using this, we can apply lockout semantics only to the folks who aren’t you,” Weinert explains.

In a recently published paper (PDF) called Microsoft Password Guidance, Robyn Hicock, Microsoft Identity Protection Team, provides a series of recommendations for password management, which include eliminating vulnerable passwords from the system, user education, and the use of multi-factor authentication, along with risk based multi-factor authentication challenges. Published mainly for users of Microsoft’s identity platforms (Azure Active Directory, Active Directory, and Microsoft accounts), the paper is certainly useful on any other platform.

The LinkedIn data breach is currently ranked as the largest in terms of affected accounts on the Have I Been Pwned service. The list shows the Adobe breach in the second position, with 152 million records exposed, followed by the Ashley Madison incident, which resulted in over 30 million accounts being compromised.