Slashdot Mirror


Microsoft May Ban Your Favorite Password (securityweek.com)

wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from Microsoft Account and Azure Active Directory (AD) system. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of Azure AD Identity Protection team explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.

7 of 232 comments

  1. The more password rules you make... by Ecuador · Score: 4, Informative

    While not allowing "common" passwords is not the worst idea, in general the more password rules you make, the worse passwords you'll get. In the end people end up writing them on post-it notes...
    Doesn't Microsoft own Skype? 'Cause I was trying to make a Skype account a couple of years ago and tried first concatenating three weird Greek words transliterated to Latin. I don't remember which words exactly; in any case, the password was rejected as too weak. Yeah, try cracking something like "poliefkoloskodikos" (aka "veryeasypassword"). It rejected a couple of others as well (it did not give you a specific reason - perhaps it would if I was on a desktop) and on the fourth try accepted something as simple as "river1". How is this kind of policy helped by banning e.g. "password1"? That is not the problem.
    Oh, my "favorite" password rules are the ones that reduce the search space for potential hackers.
    For example, I have one bank account that requires the password to start with a number. I have a network security camera that doesn't accept over 8 characters, and the list goes on...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  2. What could possibly go wrong... by green1 · Score: 4, Informative

    "Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked"
    I've already fallen victim to this one. I had an @live.com email address that I used for things that were guaranteed to spam me. Things that needed a one time authentication and such. Unfortunately I made a typo once while trying to access the account. One typo, on one attempt. I've now been permanently locked out of the account.
    They said they just need to verify that it's me, but there's no possible way to do so. They say I can give them a phone number to verify it, but they don't have my phone number on file in the first place. The next option was their account recovery tool, but it requires you to tell them who you have sent mail to from the account; as I've only ever received mail in this account, and never sent anything out, I can't do that. I submitted the form anyway, but they tell me that they can't verify that I'm me so they won't unlock the account.

    Mostly I can just create another throw away account, but unfortunately another service took this opportunity to try to "re-verify" me by sending an email to this now locked out account, and because I can't get that email, I'm also locked out of the other service.

    Of course I should have known better, what idiot uses Microsoft for ANYTHING????

    1. Re:What could possibly go wrong... by Deathlizard · Score: 3, Informative

      Microsoft (or Google for that matter, just not as bad) doesn't play games with their account credentials anymore. You have to have an out-of-network way to verify your account or you're going to lose it. Either through a phone number or another email address, and dammit make sure it's up to date.

      Also the two-factor app that MS has for Android is one of the best I've used when it comes to ease of use and how it's implemented. It's pretty much make sure the code on the PC matches the code in the authentication window and click approve on the phone if it does. No typing verification numbers like most authenticators. So it's a good idea to use that too since it will let you in if all else fails.

      This account protection of course makes it a pain with Windows 8 or 10 users that use MS accounts for credentials. Half of the time they use stupid PINs for their passwords and forget their real password, and MS doesn't like that sort of thing to adjust account settings. Especially if you've got to refresh the PC. Just about once a week I have a conversation that goes something like

      (Me) What's your password for your PC?
      (grandma) It's 1111
      (Me) No, that's your PIN. I need the password
      (grandma) but it lets me in the computer so that's my password
      (Me) (Three minute explanation of the difference between a PIN and a password)
      (grandma) oh... well, I don't know it 'cause my grandson set it up. (or it's in my password book buried at my desk) Can you reset it?

      Then you find out that their recovery creds were an old email and phone number from a DSL/phone provider they no longer have, and you have to go through the account verify process of shame that the parent post went through, which never seems to work until you submit it 3 or more times regardless of how much info you put in the thing.

  3. Re:If by ShanghaiBill · Score: 3, Informative

    If you ban common passwords, then you end up with a new set of common passwords.

    Is there any evidence that the above assertion is true?

    No. The system is dynamic. It does not use a fixed set of "common passwords", but instead adds passwords that are used in cracking attempts. If a cracker thinks it is common enough to try, then it likely is not a good password to use. Over time, the list will grow, but it is unlikely we will run out of possible passwords. If the passwords are 32 bytes long, and each can hold 100 different values, then that is 10^64 possible passwords, which is roughly ten billion times the number of atoms in the sun.
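The two mechanisms the story summary describes (a banned list that is updated from observed attack traffic and also rejects "similar" passwords, and a smart lockout that reacts to repeated failures) are easy to model in a few lines. The following is an added illustration written for this page, not Microsoft's code or anything from the SecurityWeek report: the normalisation rules used to decide what counts as "similar" (case folding, stripping leading/trailing digits and punctuation, undoing common leetspeak substitutions), the ban and lockout thresholds, and the seed list are all assumptions made here for the demo.

```python
"""Banned-password list with fuzzy matching, dynamic growth and smart lockout.

Added example for this discussion, not Microsoft's implementation: a
simplified model of a dynamically updated banned-password list that also
rejects "similar" passwords, plus a lockout keyed to repeated failures.
The normalisation rules, thresholds and sample data are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed seed list; a real service would seed from breach corpora.
SEED_BANNED = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Assumed leetspeak folding so "P@ssw0rd" lands on "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i", "7": "t"})


def normalize(pw: str) -> str:
    """Fold trivial variants ('P@ssw0rd2016!', '1password') onto a base form."""
    s = pw.lower()
    if re.search(r"[a-z]", s):
        # drop leading/trailing digits and punctuation, then undo leetspeak
        s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s).translate(LEET)
    return s


class BannedPasswordList:
    """Rejects passwords equal or similar to a banned entry; grows from attack data."""

    def __init__(self, seed, ban_after=3):
        self.banned = {normalize(p) for p in seed}
        self.seen_in_attacks = Counter()   # normalised guess -> times observed
        self.ban_after = ban_after         # assumed threshold for this demo

    def is_banned(self, candidate: str) -> bool:
        return normalize(candidate) in self.banned

    def record_attack_guess(self, guess: str) -> bool:
        """Feed a password seen in a failed sign-in; returns True once it is banned."""
        key = normalize(guess)
        self.seen_in_attacks[key] += 1
        if self.seen_in_attacks[key] >= self.ban_after:
            self.banned.add(key)
        return key in self.banned


class SmartLockout:
    """Locks an account only after several consecutive failures, not one typo."""

    def __init__(self, max_failures=10):
        self.max_failures = max_failures   # assumed threshold for this demo
        self.failures = defaultdict(int)
        self.locked = set()

    def note_failure(self, account: str) -> bool:
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)
        return account in self.locked

    def note_success(self, account: str) -> None:
        self.failures[account] = 0

    def is_locked(self, account: str) -> bool:
        return account in self.locked


def demo():
    """Walk both mechanisms over constructed data; returns the observations."""
    banned = BannedPasswordList(SEED_BANNED)
    results = {
        "exact": banned.is_banned("password"),
        "similar": banned.is_banned("P@ssw0rd2016!"),
        "unrelated": banned.is_banned("poliefkoloskodikos"),
    }
    # the same guess shows up in three failed sign-ins, so the list learns it
    for _ in range(3):
        banned.record_attack_guess("Summer2016")
    results["learned"] = banned.is_banned("summer2016")

    lockout = SmartLockout(max_failures=3)
    lockout.note_failure("alice")          # a single typo ...
    results["locked_after_one"] = lockout.is_locked("alice")
    lockout.note_success("alice")          # ... is cleared by the next good sign-in
    for _ in range(3):
        lockout.note_failure("alice")      # sustained guessing trips the lock
    results["locked_after_burst"] = lockout.is_locked("alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `normalize` step is what makes "similar" passwords fail the check: "P@ssw0rd2016!" and "password" collapse to the same key, while an unrelated string passes. Feeding guesses seen in failed sign-ins into `record_attack_guess` is the dynamic part ShanghaiBill describes, and `SmartLockout` distinguishes one mistyped attempt from a burst of failures, which is the behaviour the lockout feature is meant to have.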

  4. Re:Rogue patch to circumvent this in..... by Anonymous Coward · Score: 2, Informative

    This will be instantly patched around with either a registry edit or a binary rogue patch available for download.

    This is a Microsoft Account / Azure Active Directory, not a local Windows machine user account. Since they're cloud-based services, a local patch won't work.

  5. Re:If by bondsbw · Score: 3, Informative

    This only affects Microsoft Accounts and Azure AD, not local Windows accounts.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  6. Re:If by JustAnotherOldGuy · Score: 4, Informative

    I don't want your account with a weak password to get pwned and send me spam or phishing emails.

    Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?

    Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?

    --
    Just cruising through this digital world at 33 1/3 rpm...