Microsoft May Ban Your Favorite Password

Microsoft Banning Commonly Used Passwords and Adding Account Lockout Feature

Weak and commonly-used passwords are one of the main reasons online accounts can be easily compromised, but Microsoft is taking a step to better protect users by banning the use of such passwords across its services.

As data leaks have shown lately, people continue to use easy-to-guess passwords such as “123456” or “password” for their accounts, despite repeated warnings that this practice is incredibly risky. In March, security firm Rapid7 published the results of a year-long study and revealed that “x,” “Zz” and “[email protected]” are also highly preferred passwords.

Recently, a hacker offered to sell 167 million LinkedIn accounts, including 117 accounts with passwords, for only around $2,200 (5 bitcoins). The data, stolen in 2012, shows that “123456” was the most used password, occurring 753,305 times, which would be four times more than the next most common password, “linkedin,” at 172,523 occurrences.

Although the passwords were hashed, LinkedIn wasn’t salting them, meaning that many could be easily cracked, especially if they are weak passwords. Last month, 7 million Minecraft community “Lifeboat” accounts were impacted by a data leak that included weakly hashed passwords.

Accounts that leak on the dark web are accessed hundreds of times, a report from Bitglass revealed earlier this year, while hiring a hacker to compromise an account with a popular email or social media service costs as little as $129, Dell SecureWorks found.

To make sure that its users rely on unique, difficult-to-guess passwords, Microsoft says it is dynamically banning common passwords from the Microsoft Account and Azure AD systems. The company analyzes data breaches looking for the passwords that are used most often and prevents users from choosing a password that appears on attack lists (cybercriminals use passwords from these leaks to brute-force accounts).


In a blog post, Alex Weinert, Group Program Manager of Azure AD Identity Protection team, explains that Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Available in Microsoft Account Service now, the feature will roll out to all Azure AD tenants in the next month.
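The two mechanisms described above, a banned list that is updated from observed attack traffic and a check that also rejects "similar" passwords, can be sketched in code. The following is an added example, not Microsoft's code and not the algorithm Azure AD uses; the normalization rules (lowercasing, stripping leading/trailing digits and punctuation, undoing common letter-for-symbol substitutions), the sample banned list and the sample attack log are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed starting list; in practice this is built from breach data.
BANNED_PASSWORDS = {"123456", "password", "linkedin", "qwerty", "letmein"}

# Common symbol/digit-for-letter substitutions (assumed, not an official table).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Leading or trailing runs of digits/punctuation, e.g. "Password2016!" -> "password".
_PADDING = re.compile(r"^[\W_\d]+|[\W_\d]+$")


def candidates(password: str):
    """Yield progressively more normalized forms of a candidate password.

    Each form is checked against the banned list, so "P@ssw0rd!" is rejected
    because it reduces to "password"."""
    yield password
    lowered = password.lower()
    yield lowered
    stripped = _PADDING.sub("", lowered)
    yield stripped
    yield stripped.translate(LEET_MAP)
    yield lowered.translate(LEET_MAP)


def is_banned(password: str, banned=BANNED_PASSWORDS) -> bool:
    """True if the password, or any normalized form of it, is on the banned list."""
    return any(form in banned for form in candidates(password) if form)


def update_banned_from_attempts(attempted_passwords, threshold: int, banned=BANNED_PASSWORDS) -> set:
    """Dynamically extend the banned list from passwords seen in attack traffic.

    attempted_passwords: iterable of passwords observed in failed login attempts
    (e.g. from a credential-stuffing campaign). Any value guessed at least
    `threshold` times is added, after normalization, to the banned set.
    Returns the set of newly banned values."""
    counts = Counter(_PADDING.sub("", p.lower()).translate(LEET_MAP) for p in attempted_passwords)
    new = {form for form, n in counts.items() if form and n >= threshold and form not in banned}
    banned.update(new)
    return new


# Constructed sample of passwords seen in failed-login telemetry.
SAMPLE_ATTACK_LOG = (
    ["Welcome1"] * 6 + ["Summer2016!"] * 4 + ["hunter2"] * 1 + ["P@ssw0rd"] * 3
)


def demo() -> dict:
    """Run the checks on a few constructed candidates and return the verdicts."""
    banned = set(BANNED_PASSWORDS)
    newly = update_banned_from_attempts(SAMPLE_ATTACK_LOG, threshold=4, banned=banned)
    verdicts = {p: is_banned(p, banned) for p in
                ["123456", "P@ssw0rd!", "Linkedin2012", "Welcome1", "Tr0ub4dor&3",
                 "correct horse battery staple"]}
    return {"newly_banned": newly, "verdicts": verdicts}


if __name__ == "__main__":
    print(demo())
```

Only the normalized form is stored in the list, so a single entry such as "welcome" covers "Welcome1", "WELCOME2016!" and "w3lcome" at check time; the threshold keeps one-off guesses from polluting the list.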

In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. Basically, the feature was designed to lock bad guys out of an account when they attempt to guess the password, even when they do so from the account owner’s PC or network.

“Of course, you already know that when our security system detects a bad guy trying to guess your password online, we will lock out the account. What you probably don’t know is that we do lots of work to make sure that they only lock themselves out! Our systems are designed for determining the risk associated with a specific login session. Using this, we can apply lockout semantics only to the folks who aren’t you,” Weinert explains.
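The lockout behaviour Weinert describes, locking out the guesser rather than the account, comes down to keying failure counts on the login session's risk rather than on the account alone. The following is an added illustration, not Microsoft's implementation: it uses a single risk signal (whether the source device has previously authenticated successfully to that account) and two constructed thresholds; a real system would combine many more signals.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    """One login attempt (constructed for the example)."""
    account: str
    source: str      # device identifier or client address
    success: bool


class SmartLockout:
    """Lock (account, source) pairs, not accounts.

    A source that has previously logged in successfully is treated as lower
    risk and tolerates more failures (an owner mistyping), while an unfamiliar
    source is locked out after a few failures without affecting the owner."""

    def __init__(self, unfamiliar_limit: int = 5, familiar_limit: int = 20):
        self.unfamiliar_limit = unfamiliar_limit
        self.familiar_limit = familiar_limit
        self.failures = defaultdict(int)      # (account, source) -> consecutive failures
        self.locked = set()                   # locked (account, source) pairs
        self.familiar = defaultdict(set)      # account -> sources with a prior success

    def risk(self, account: str, source: str) -> str:
        return "low" if source in self.familiar[account] else "high"

    def is_locked(self, account: str, source: str) -> bool:
        return (account, source) in self.locked

    def record(self, attempt: Attempt) -> str:
        """Apply an attempt and return 'ok', 'failed' or 'locked'."""
        key = (attempt.account, attempt.source)
        if key in self.locked:
            return "locked"
        if attempt.success:
            self.failures[key] = 0
            self.familiar[attempt.account].add(attempt.source)
            return "ok"
        self.failures[key] += 1
        limit = (self.familiar_limit if self.risk(*key) == "low"
                 else self.unfamiliar_limit)
        if self.failures[key] >= limit:
            self.locked.add(key)
            return "locked"
        return "failed"


def simulate() -> list:
    """Constructed scenario: the owner logs in from 'home-pc', an unfamiliar
    source guesses repeatedly, and the owner logs in again afterwards."""
    lockout = SmartLockout()
    results = [lockout.record(Attempt("alice", "home-pc", True))]
    for _ in range(6):
        results.append(lockout.record(Attempt("alice", "203.0.113.7", False)))
    results.append(lockout.record(Attempt("alice", "home-pc", True)))
    return results


if __name__ == "__main__":
    print(simulate())
```

In the scenario the unfamiliar source is locked on its fifth failure and stays locked, while the owner's own device is never affected; the detection value is that a lockout event on a high-risk source is itself a signal worth alerting on.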

In a recently published paper (PDF) called Microsoft Password Guidance, Robyn Hicock, Microsoft Identity Protection Team, provides a series of recommendations for password management, which include eliminating vulnerable passwords from the system, user education, and the use of multi-factor authentication, along with risk based multi-factor authentication challenges. Published mainly for users of Microsoft’s identity platforms (Azure Active Directory, Active Directory, and Microsoft accounts), the paper is certainly useful on any other platform.

The LinkedIn data breach is currently ranked as the largest in terms of affected accounts on the Have I Been Pwned service. The list shows the Adobe breach in the second position, with 152 million records exposed, followed by the Ashley Madison incident, which resulted in over 30 million accounts being compromised.
