SecurityWeek

Microsoft May Ban Your Favorite Password

Microsoft Banning Commonly Used Passwords and Adding Account Lockout Feature

Weak and commonly-used passwords are one of the main reasons online accounts can be easily compromised, but Microsoft is taking a step to better protect users by banning the use of such passwords across its services.

As data leaks have shown lately, people continue to use easy-to-guess passwords such as “123456” or “password” for their accounts, despite repeated warnings that this practice is incredibly risky. In March, security firm Rapid7 published the results of a year-long study and revealed that “x,” “Zz” and “St@rt123” are also highly preferred passwords.

Recently, a hacker offered to sell 167 million LinkedIn accounts, including 117 accounts with passwords, for only around $2,200 (5 bitcoins). The data, stolen in 2012, shows that “123456” was the most used password, occurring 753,305 times, more than four times as often as the next most common password, “linkedin,” at 172,523 occurrences.

Although the passwords were hashed, LinkedIn wasn’t salting them, meaning that many could be easily cracked, especially the weak ones. Last month, 7 million Minecraft community “Lifeboat” accounts were impacted by a data leak that included weakly hashed passwords.

Accounts that leak on the dark web are accessed hundreds of times, a report from Bitglass revealed earlier this year, while the price of hiring a hacker to compromise an account with a popular email or social media service costs as little as $129, Dell SecureWorks found. 

To make sure that its users rely on unique, difficult-to-guess passwords, Microsoft says it is dynamically banning common passwords from the Microsoft Account and Azure AD systems. The company analyzes data breaches looking for the passwords that are used most often and prevents users from choosing a password that appears on attack lists (cybercriminals use passwords from these leaks to brute-force accounts).

In a blog post, Alex Weinert, Group Program Manager of Azure AD Identity Protection team, explains that Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Available in Microsoft Account Service now, the feature will roll out to all Azure AD tenants in the next month.
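To make the banning mechanism described above concrete, here is an added example (not Microsoft’s code) of a ban list seeded from breach data, refreshed from observed attack traffic, and checked with a normalisation step so that trivial variants of a banned password are also rejected. The ban list, the attack sample and the normalisation rules are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample ban list: passwords that breach dumps show are used most often.
BANNED = {"123456", "password", "linkedin", "qwerty", "st@rt123", "zz", "x"}

# Constructed sample of passwords observed in attack traffic (assumed signal).
ATTACK_SAMPLE = ["Summer2016", "summer2016", "SUMMER2016", "hunter2", "Summer2016"]

# Common single-character substitutions that turn "password" into "p@ssw0rd".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "5": "s"})


def normalize(password: str) -> str:
    """Reduce a candidate to a canonical form so that case changes, leetspeak and a
    trailing run of digits or symbols do not let a banned password slip through."""
    p = password.lower()
    base = re.sub(r"[\d\W_]+$", "", p)   # "linkedin2012!" -> "linkedin"
    if not base:                          # all digits/symbols: nothing to canonicalise
        return p
    return base.translate(_LEET)          # "st@rt" -> "start"


def is_banned(password: str, banned: set = BANNED) -> bool:
    """True if the password, or a trivial variant of it, is on the ban list."""
    if password.lower() in banned:
        return True
    return normalize(password) in {normalize(b) for b in banned}


def update_ban_list(banned: set, attempted_passwords, min_count: int = 3) -> set:
    """Return a new ban list extended with any password seen at least min_count times
    in attack traffic, mirroring the dynamic update described in the article."""
    counts = Counter(p.lower() for p in attempted_passwords)
    return banned | {p for p, n in counts.items() if n >= min_count}
```

Seeding the list from attacker guesses means a password becomes unusable as soon as it is popular with attackers, not only after it shows up in a leak.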

In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. Basically, the feature was designed to lock bad guys out of an account when they attempt to guess the password, even when they do so from the account owner’s PC or network.

“Of course, you already know that when our security system detects a bad guy trying to guess your password online, we will lock out the account. What you probably don’t know is that we do lots of work to make sure that they only lock themselves out! Our systems are designed for determining the risk associated with a specific login session. Using this, we can apply lockout semantics only to the folks who aren’t you,” Weinert explains.
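The lockout behaviour Weinert describes, as an added illustration that is not Microsoft’s code: failure counters are kept per (account, session) rather than per account, so a guesser locks out only their own session while the owner’s known device keeps working. The single risk signal used here, a device identifier remembered from an earlier successful login, and the thresholds are assumptions; a production system scores many more signals.

```python
from dataclasses import dataclass, field
import time

FAILURES_UNKNOWN_DEVICE = 5    # assumed threshold for a device the account has never used
FAILURES_KNOWN_DEVICE = 20     # assumed, more lenient threshold for the owner's own device
LOCKOUT_SECONDS = 600          # assumed lockout duration


@dataclass
class AccountState:
    known_devices: set = field(default_factory=set)    # devices with a past successful login
    failures: dict = field(default_factory=dict)       # device_id -> consecutive failures
    locked_until: dict = field(default_factory=dict)   # device_id -> unix time lock expires


class SmartLockout:
    """Lockout keyed by (account, device) so an attacker's guesses lock out the attacker."""

    def __init__(self, now=time.time):
        self.accounts = {}
        self.now = now   # injectable clock, so the behaviour can be tested deterministically

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, device_id: str) -> bool:
        return self.now() < self._state(user).locked_until.get(device_id, 0)

    def record_failure(self, user: str, device_id: str) -> None:
        st = self._state(user)
        st.failures[device_id] = st.failures.get(device_id, 0) + 1
        # Lower-risk sessions (a device seen before) get more attempts before locking.
        limit = FAILURES_KNOWN_DEVICE if device_id in st.known_devices else FAILURES_UNKNOWN_DEVICE
        if st.failures[device_id] >= limit:
            st.locked_until[device_id] = self.now() + LOCKOUT_SECONDS
            st.failures[device_id] = 0

    def record_success(self, user: str, device_id: str) -> None:
        st = self._state(user)
        st.known_devices.add(device_id)     # this session is now low risk for the account
        st.failures.pop(device_id, None)
```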

In a recently published paper (PDF) called Microsoft Password Guidance, Robyn Hicock of the Microsoft Identity Protection Team provides a series of recommendations for password management, which include eliminating vulnerable passwords from the system, user education, and the use of multi-factor authentication, along with risk-based multi-factor authentication challenges. Published mainly for users of Microsoft’s identity platforms (Azure Active Directory, Active Directory, and Microsoft accounts), the paper is certainly useful on any other platform.

The LinkedIn data breach is currently ranked as the largest in terms of affected accounts on the Have I Been Pwned service. The list shows the Adobe breach in the second position, with 152 million records exposed, followed by the Ashley Madison incident, which resulted in over 30 million accounts being compromised.
