Microsoft May Ban Your Favorite Password (securityweek.com)
wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from the Microsoft Account and Azure Active Directory (AD) systems. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of Azure AD Identity Protection team explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.
If you ban common passwords, then you end up with a new set of common passwords. Going to ban those too?
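The summary says the list blocks a "common or similar" password. As an added example, not Microsoft's code and not from the blog post, here is what such a check looks like in practice: it runs on the cleartext at the moment the user sets the password (before hashing, so nothing beyond the hash is ever stored), normalizes away the cheap variants attackers enumerate first, and also rejects near misses. The BANNED set is a constructed sample; a real one is fed from observed attack traffic.

```python
"""Added example, not Microsoft's code: reject a candidate password if it is a
banned/common password or a trivial variant of one. BANNED is a constructed
sample list, not Microsoft's list."""
import re

BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Undo the substitutions attackers try first ("P@ssw0rd").
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols ("Welcome2016!"),
    then map leet-speak back to letters. An all-digit candidate would strip
    to nothing, so fall back to the lower-cased original in that case."""
    lowered = candidate.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(_LEET) if core else lowered


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with two rows, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(candidate: str, banned=BANNED, max_distance: int = 1):
    """Return (ok, reason). Rejects exact normalized matches and near misses
    (one edit away covers '1234567' for '123456' and '1loveyou' for 'iloveyou')."""
    norm = normalize(candidate)
    if norm in banned:
        return False, f"'{candidate}' normalizes to banned password '{norm}'"
    for bad in banned:
        if edit_distance(norm, bad) <= max_distance:
            return False, f"'{candidate}' is within {max_distance} edit(s) of '{bad}'"
    return True, ""


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "123456", "1234567", "1loveyou", "river1", "poliefkoloskodikos"]:
        print(pw, check(pw))
```

Note what this does and does not do: it only measures commonness, so a short password that is not on the list ("river1") passes, which is exactly the gap several comments below complain about. Commonness filtering and strength estimation are separate checks.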
Is it good or bad that I can read that?
This will be instantly patched around with either a registry edit or a binary rogue patch available for download.
Microsoft, you can't force people to use their brain.
Do not look at laser with remaining good eye.
"Microsoft May Ban Your Favorite Password"
You can't ban what you don't have!
MicrosoftSucksDonkeyWang.
While not allowing "common" passwords is not the worst idea, in general the more password rules you make, the worse passwords you'll get. In the end people end up writing them on post-it notes...
Doesn't Microsoft own Skype? 'Cause I was trying to make a Skype account a couple of years ago and tried first concatenating three weird Greek words transliterated to Latin. I don't remember which words exactly; in any case, the password was rejected as too weak. Yeah, try cracking something like "poliefkoloskodikos" (aka "veryeasypassword"). It rejected a couple of others as well (it did not give you a specific reason - perhaps it would if I was on a desktop) and on the fourth try accepted something as simple as "river1". How is this kind of policy helped by banning e.g. "password1"? That is not the problem.
Oh, my "favorite" password rules are the ones that reduce the search space for potential hackers.
For example, I have one bank account that requires the password to start with a number. I have a network security camera that doesn't accept over 8 characters, and the list goes on...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
In all of my services I have been doing that for years, having a table of 'bad_passwords' and not allowing people to use them. People should be using sentences anyway.
You can't handle the truth.
That's the only password I can remember
This is why we have Post It Notes stuck all over our screen.
whoa, you have the same password as that new girl in admin.
stickyfingers? Really?
Did you just give me your birthday?
THAT is your new password??
How original. If I had a nickel for every person that picked that password, we would so own Facebook.
that they are going to ban agb12!!Htx7362bad.
Oh crap.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
With Microsoft doing their best to get people to use Microsoft Accounts on their Windows installs, that means people will soon be required to get approval from Redmond for the password they use to get into their own PC in their own home.
No ever-lengthening lists of bad passwords and no infernal fiddly rules about specific numbers of capitals and numbers and symbols, but a simple threshold of overall password strength according to one of the widely-accepted metering systems. Such a filter would automatically accept the random strings created by password manager applications, which would lead to more people using such programs to create good passwords.
This is a first. Someone on Slashdot making an argument for weak passwords.
Only the State obtains its revenue by coercion. - Murray Rothbard
"Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked"
I've already fallen victim to this one. I had an @live.com email address that I used for things that were guaranteed to spam me. Things that needed a one time authentication and such. Unfortunately I made a typo once while trying to access the account. One typo, on one attempt. I've now been permanently locked out of the account.
They said they just need to verify that it's me, but there's no possible way to do so. They say I can give them a phone number to verify it, but they don't have my phone number on file in the first place. The next option was their account recovery tool, but it requires you tell them who you have sent mail to from the account, as I've only ever received mail in this account, and never sent anything out, I can't do that. I submitted the form anyway, but they tell me that they can't verify that I'm me so they won't unlock the account.
Mostly I can just create another throw away account, but unfortunately another service took this opportunity to try to "re-verify" me by sending an email to this now locked out account, and because I can't get that email, I'm also locked out of the other service.
Of course I should have known better, what idiot uses Microsoft for ANYTHING????
Passwordy McPasswordface-gate.
*Favourite
Your new password is not accepted. Please install Windows 10 and try a new password.
Don't worry, in a few years they'll ban passwords entirely and require retina scans to unlock your PC. These retina scans will be required to be tied to a single Microsoft Account, naturally, so they'll be able to track you across devices. Oh, and since the webcams doing the retina scans will also include eye tracking, Windows 10 won't just know everything about every file and web page on your PC; it will also send back to Microsoft a detailed report of exactly where and for how long you gazed at everything that displays on your monitor. Didn't spend enough time looking at ads this month? That's ok. Microsoft will make sure to stuff even more into your start menu in the next patch while lowering the cap on the number of useful programs you can pin to the start menu. ...And now I can't tell if I'm joking, being prescient, or giving Nadella ideas. It's fortunate for me that I use Linux.
This rule is for Azure. Since Microsoft needs to maintain a reasonable reputation for their customer service being flexible, they will often refund fraudulent use of their service which costs them money.
PS: Don't try to argue that Microsoft doesn't have reasonable customer service, I can name many other companies with horrible CS, and many sob stories from companies like Amazon who are rated as having excellent CS.
I was wondering why "fuckmicrosoft1" stopped working.
Table-ized A.I.
That's fine, Microsoft.
But what about my luggage?
Beware of the Leopard.
they don't have my phone number on file in the first place.
this is your failure, not theirs
as I've only ever received mail in this account, and never sent anything out, I can't do that.
maybe in the future you might try reading the EULA, and realizing that literally two seconds of work on your part would have covered that base
no sympathy for the idiot
I understand why Microsoft is doing this, but I just don't see this ending well for them. I would set temp passwords for new hires to things like $$Znxa1543 and they would almost murder me. The users would complain, the managers would complain, everyone would just complain that the passwords were too hard. For some reason some users just can't remember anything more complex than something like "May-2016" or some such like that. All Microsoft is going to do is force these people to set passwords they will never remember and wind up with millions of locked accounts and millions of unhappy people.
My question to the /. community is: why don't we enforce diversity OF passwords rather than IN passwords?
Rather than forcing passwords to follow specific rules that potentially reduce the total possible passwords, should we have a rule that requires you to create a "least common" password? If my education and experience serve me right, then most passwords are contained in databases as hashes (this excludes complicated hashing schemes).
My thought process says that it doesn't matter what your password actually is, but rather how many people have also chosen that password. If I select a password on, say, http://www.telegraph.co.uk/technology/2016/01/26/most-common-passwords-revealed---and-theyre-ridiculously-easy-to/, then I would have every expectation of my account being compromised. However, if there is no such thing as a common password, then the odds of guessing or successfully brute forcing drops as well.
We are all just zealots and haters because we don't want a company to dictate exactly what we can and can't do? No wonder you post anonymously, I would not back such a stupid thought process with my name either.
Nerds started to dislike Microsoft when they forced a registry down everyone's throats, removing our ability to tinker. We hated being forced to use GUI apps for simple tasks which we should have been able to script. See the common theme? If not, I hope your masters pay you well.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Microsoft bans your favorite passwords, microsoft forces you to update to v 10 even though you said "fuck off", MS does this, MS does that. For chrissake, use something else, another OS!
Slashdot, fix the reply notifications... You won't get away with it...
If Microsoft really was interested in my account security they would ban any account access from Eastern Europe. I have no plans to ever travel to Eastern Europe while logs show that almost all the hacking attempts to my accounts are coming from Eastern Europe.
If Netflix can do it, why can't Microsoft and LinkedIn?
A little presentation on how people should use passwords:
https://sites.google.com/site/...
I'll take the crypt() output of my favorite password and use that instead. papAq5PwY/QQM
“Common sense is not so common.” — Voltaire
Preventing someone from using weak passwords is quite easy. You just have to put in place a policy for when the user enters the password.
The question is: how do they know?? If Microsoft would follow very basic security rules (PCI DSS), they would not keep any copy of the original password, but only a secured hash of it. They would then have no possibility to know afterwards if a password was originally weak or not!!
This only highlights that Microsoft (as expected) has the worst security practices ever... You have to definitely turn yourself to OSes considering security as a first class citizen instead of keeping using a system aimed at game consoles...
1. Brute force and filter all values found in all the password db's you can get your filthy hands on.
2. ???
3. Profit!
Microsoft leads the world in insecure software, so on the 20th anniversary of Windows 95 it's good they're working to help.
On the other hand, any time you decrease keyspace by creating arbitrary rules ("Must contain this", "must contain that") you constrain an otherwise limitless keyspace and make it easier to guess.
I want to wish them well... because it appears they are well-intentioned. Sadly, they are still incompetent.
Want to make stronger passwords? Don't REQUIRE people to use specific parts of the keyspace.
Want to make stronger systems? Don't make your Win95/Win98/WinME/Win2K/WinXP/Vista/7/10 compatible with DOS so people can pwn your users.
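The keyspace argument in this comment, and the "must start with a number" and "no more than 8 characters" rules the earlier bank-and-camera comment describes, can be put to numbers instead of intuition. The following is an added example (not from either commenter) that counts the strings each kind of rule leaves over the 94 printable ASCII characters and reports the entropy lost, assuming a uniformly random password of the given length; the class sizes and the 8-versus-12 comparison are the example's own assumptions.

```python
"""Added example (not from the comments above): how much of the keyspace each
kind of password rule removes, found by counting strings, not guessing.
Alphabet: the 94 printable ASCII characters split into four classes."""
from itertools import combinations
from math import log2

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALPHABET_SIZE = sum(CLASSES.values())  # 94


def count_free(n: int) -> int:
    """Any length-n string over the full alphabet."""
    return ALPHABET_SIZE ** n


def count_required_classes(n: int, required) -> int:
    """Length-n strings containing at least one character from every class in
    `required` ("must contain a digit, an upper, ..."), by inclusion-exclusion
    over the subsets of required classes that a string could omit."""
    sizes = [CLASSES[c] for c in required]
    total = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(sizes, k):
            total += (-1) ** k * (ALPHABET_SIZE - sum(omitted)) ** n
    return total


def count_fixed_position(n: int, first_class: str) -> int:
    """Length-n strings whose first character is forced into one class (the
    bank's "must start with a number"): that slot shrinks, the rest stay free."""
    return CLASSES[first_class] * ALPHABET_SIZE ** (n - 1)


def bits_lost(n: int, constrained_count: int) -> float:
    """Entropy removed from a uniform length-n password by a rule that leaves
    only `constrained_count` strings."""
    return log2(count_free(n)) - log2(constrained_count)


def length_cap_cost(allowed: int, wanted: int) -> float:
    """Entropy lost when a device caps the length (the camera's 8 chars)
    relative to the length the user wanted to use."""
    return log2(count_free(wanted)) - log2(count_free(allowed))


def report(n: int = 8) -> dict:
    """Bits lost at length n under three common rule types."""
    return {
        "require lower+upper+digit": bits_lost(n, count_required_classes(n, ("lower", "upper", "digit"))),
        "must start with a digit": bits_lost(n, count_fixed_position(n, "digit")),
        "capped at %d chars instead of 12" % n: length_cap_cost(n, 12),
    }


if __name__ == "__main__":
    for rule, bits in report(8).items():
        print(f"{rule:36s} {bits:6.2f} bits lost")
```

Running it for 8 characters gives roughly 1 bit for the three-class composition rule, about 3.2 bits (log2 of 94/10) for the fixed first position, and about 26 bits for the 8-character cap versus 12. So the comment is right that every rule shrinks the keyspace, but the rule that costs by far the most is the one that limits length; against a real attacker the composition rules mostly hurt by steering humans toward predictable patterns rather than by the raw count.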
Really, how different is this to linux's pam_cracklib.so policies when you change your password on those systems that have this module enabled?
In general people don't like to have to remember passwords, and especially many different complex ones. Passwords for most people are chosen purely on the basis of how easy they are to remember. I do not think this will change just because Microsoft decides certain ones are off limits. Yeah, maybe eliminate 12345, password, secret. But beyond that the priority is to make it easy to remember. Not less easy to guess.
Is it true? Why would they ban them? There are lots of common passwords people use. Is there any notification or official announcement?
Every day a cunt story about that shit company. Multi-cunt-stories. If you say Bill Gates took a big fat shit and write a story you are advertising for Microsoft.
Microsoft default password: buyice
https://tech.slashdot.org/story/16/05/25/1812233/microsoft-backtracks-on-nasty-trick-upgrade-to-windows-10
https://tech.slashdot.org/comments.pl?sid=9154205&cid=52183421
http://www.tenforums.com/tutorials/22322-upgrade-windows-10-update-enable-disable-windows-7-8-1-a.html
https://www.grc.com/never10.htm
Little kids are being tricked into closing a box and updating their "7's" etc to 10 which is Global Mother Fucking Spyware. Do you see any government agencies saying HEY DICKS WHAT THE FUCK IS WRONG WITH YOU? No. You see Hey dicks we will split Microsoft into two companies then shit goes quiet.
80 + Billion $ from a 1993 filesystem piece of monolithic shit filesystem registry-havin-ass OS and you still can't afford the Truth Bill. Die in a tank top.
Not even mad. distrowatch.com
"Your password is weak, because 3 Million Users are already using it"
Cool, I found a common one! Let's try to use it on billgates@hotmail.com! Gotcha!
A whole new way to update your wordlists.
...that my favorite password is "Micro$oftSux"?
So I can't use FuckMicrosoft123! anymore?
Seriously, why is nobody doing this already!? Stop morons from using 123456789 as a password, make everything safer.
Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services.
Please enter your 4 digit pin in order to login to your computer, you know, where all your personal information is stored?
Have you ever fallen asleep at the keybhanusdiog?
> Enter password
"fuckmicrosoft"
> Needs a number
"fuckmicrosoft99times"
> Needs a special character
"fuckmicrosoft99timesinthea$$"
> Needs a capital letter
"fuckmicrosoft99timesinthea$$Hole"
> Password is too long
"fuckmicrosoft99timesinAnu$"
> Password has been banned as too common
so maybe Netcraft is dying and slashdot is confirming it?
You don't need to use a password you share with Microsoft for your OS or phone. Choose the local password of your choice and only log onto your Microsoft account when necessary.
The same is true for Google. Chrome likes to throw up a login page to your Google account frequently, but you can just skip doing so. It's good practice to frequently check to see if you have the opportunity to "log out" in the upper right corner of any browser you are using.
Do it now after reading this comment.
After banning common usernames, now they ban passwords....
https://support.microsoft.com/...
aaaaaaa
Wait until their installed software requires those unremembered and unretrievable accounts to confirm their licences and they have to buy new software.
Apocalypse Cancelled, Sorry, No Ticket Refunds
You can honestly not think of any reason why a strong password is not always required?
Once the password gets too complex, I believe people become more likely to (1) write it down and (2) use the same strong password for everything. Those may or may not be more of a problem than a weak password, depending on your attack profiles. Certainly they are less of a problem than the ten most common passwords.
Two-factor authentication helps. Text message verification helps. IP-based verification helps. Security questions help. It's about reducing the possibility of compromise. You can't actually prevent all compromise, although physical tokens like synchronized pre-seeded RNG generators not connected to the net aren't terrible at it, for example.
Real lawyers write in C++
Then it is not secure. A test for dual entry is bad enough for confirming that what was entered is the same; meanwhile, bricked iPhones whose user entered the wrong and unknown password twice.
userid: U
password: asswordp
So if they ban common passwords, then they are both:
reading my passwords
storing my password, along with some kind of counter, to work out the most common passwords.
Otherwise they are only banning PRESUMED common passwords
If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?
Why not? It would be within the company's capacity to maintain a dictionary of hashes (not the actual passwords) from where to determine the most common passwords at any given time. Then you ban them. It is a moving target.
For example, think about a Windows group policy that does not let you reuse a password. This is a perfectly reasonable strategy. That is possible for members of a domain, but prohibitive for a global audience. So an extension to the idea is to look for indications that your password is among the most common ones and ban it.
This could imply that what is not banned today can be banned tomorrow, and that what is banned today might not be in the future. This notion could be relaxed by enforcing the ban only on new passwords. If your current password happens to become a common one in the future, you still keep it, but any new password from another principal matching yours would get banned.
I don't see what the fundamental, fatal problem is here. Like all strategies, it has its pros and cons.
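As an added example (not Microsoft's code and not the commenter's), here is the moving-target scheme this comment sketches: the service keeps a count per password fingerprint, recomputes the ban set from the most-shared ones, and enforces it only on newly chosen passwords, so a current holder keeps theirs when it later becomes common. The fingerprint is an unsalted SHA-256 by necessity (identical passwords must collide to be counted); the thresholds and the population are constructed for the example.

```python
"""Added example, not Microsoft's or the commenter's code: a moving-target ban
list built from how many principals currently use each password. Only a
fingerprint of each password is kept, and the ban applies to *new* passwords."""
import hashlib
from collections import Counter


def fingerprint(password: str) -> str:
    """Unsalted on purpose: identical passwords must collide to be counted."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class DynamicBanList:
    def __init__(self, top_n: int = 2, min_users: int = 2):
        self.usage = Counter()   # fingerprint -> number of principals using it
        self.banned = set()      # fingerprints currently banned for new passwords
        self.top_n = top_n       # how many of the most-shared passwords to ban
        self.min_users = min_users  # never ban something only one principal has

    def record(self, password: str) -> None:
        """Call when a principal's password is set; the cleartext is available
        only at this moment and is not retained."""
        self.usage[fingerprint(password)] += 1

    def forget(self, password: str) -> None:
        """Call when a principal changes away from a password, so the count
        can fall and the password can drop off the ban list later."""
        fp = fingerprint(password)
        if self.usage[fp] > 0:
            self.usage[fp] -= 1

    def refresh(self) -> set:
        """Recompute the ban set: the top_n most-used fingerprints that at
        least min_users share. This is the 'moving target' step."""
        self.banned = {fp for fp, n in self.usage.most_common(self.top_n)
                       if n >= self.min_users}
        return self.banned

    def accept_new(self, password: str) -> bool:
        """Policy for a *new* password only; existing holders are unaffected,
        exactly as the comment proposes."""
        return fingerprint(password) not in self.banned


if __name__ == "__main__":
    # Constructed population: three people share 'password', two share '123456'.
    bl = DynamicBanList(top_n=2, min_users=2)
    for pw in ["password"] * 3 + ["123456"] * 2 + ["poliefkoloskodikos"]:
        bl.record(pw)
    bl.refresh()
    print("password accepted for a new user?", bl.accept_new("password"))
    print("unique passphrase accepted?", bl.accept_new("poliefkoloskodikos"))
```

One caveat a practitioner would add to the design: the fingerprint table is a frequency histogram of the real password population under a fast unsalted hash, so it must live apart from the credential store, carry no user identifiers, and be treated as sensitive in its own right. It never needs to be joined back to accounts, because enforcement only happens at the moment a new password is chosen.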
I don't want your account with a weak password to get pwned and send me spam or phishing emails.
Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?
It's their system, so they can set the rules. If we don't like them, we can go somewhere else. The same applies to gmail or yahoo or whatever. Applying "should" to the question is pretty much treading into "is/ought problem" land.
Strong passwords are great. However I've had some systems, and Solaris was one of them, where the setup checking for bad passwords was way too strong. Anything I typed in, it said had a word in it. Even if it was the first 20 chars of an MD5 hash. Really sucks when you spend about 30 minutes coming up with something it'll take. Sometimes I simply did a real password on a Linux machine and then pasted the hash into the Solaris box, defeating them. So there.
This could become the same situation. You'll have to write it down.