Microsoft May Ban Your Favorite Password (securityweek.com)

← Back to Stories (view on slashdot.org)

Microsoft May Ban Your Favorite Password (securityweek.com)

Posted by BeauHD on Wednesday May 25, 2016 @01:25PM from the 123456 dept.

wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from Microsoft Account and Azure Active Directory (AD) system. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of Azure AD Identity Protection team explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.

139 of 232 comments (clear)

Min score:

Reason:

Sort:

If by liqu1d · 2016-05-25 13:27 · Score: 5, Insightful

If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?
1. Re:If by burtosis · 2016-05-25 13:31 · Score: 5, Funny
  
  If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?
  Absolutely! In no time flat this Microsoft problem should fix itself.
2. Re:If by JustAnotherOldGuy · 2016-05-25 13:37 · Score: 3, Interesting
  
  Obviously Microsoft knows what's best for us, regardless of what we want.
  Maybe I *want* to use a weak password, what business is it of theirs to tell me I can't? If they want to warn me that I have a weak password, fine. But to prevent me from using it? That's just bullshit.
  Microsoft is continually tightening it's grip on its customers freedom to do what they want, so I guess this really shouldn't come as a surprise.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
3. Re:If by Jeremi · 2016-05-25 13:41 · Score: 3, Interesting
  
  If you ban common passwords. Then you end up with a new set of common passwords.
  Is there any evidence that the above assertion is true?
  
  --
  
  I don't care if it's 90,000 hectares. That lake was not my doing.
4. Re: If by liqu1d · 2016-05-25 13:42 · Score: 1
  
  I also like the use of a "smart password lockout" I mean 3 incorrect attempts and you're locked out is just dumb...
5. Re:If by Anonymous Coward · 2016-05-25 13:47 · Score: 5, Insightful
  
  lol. The MS hate is so strong on slashdot that people hate even moves that SHOULD make nerds happy.
  What's wrong with you all ? We constantly talk about how weak passwords are stupid.
  Pull your head out of your zealot ass.
6. Re:If by PhunkySchtuff · 2016-05-25 14:02 · Score: 4, Insightful
  
  I don't want your account with a weak password to get pwned and send me spam or phishing emails.
  
  --
  Specialist Mac support for creative pros, Melbourne
7. Re:If by Anonymous Coward · 2016-05-25 14:06 · Score: 3, Insightful
  
  Oh come on, this isn't a bad thing. If Ubuntu refused to let you use 123456 as a root password, everyone on Slashdot would say "of course". If Microsoft does it, they're idiot facists who don't understand anything. Slashdot is sometimes just an embarrassment.
8. Re:If by Anonymous Coward · 2016-05-25 14:27 · Score: 1, Insightful
  
  Obviously Microsoft knows what's best for us, regardless of what we want.
  Maybe I *want* to use a weak password, what business is it of theirs to tell me I can't? If they want to warn me that I have a weak password, fine. But to prevent me from using it? That's just bullshit.
  Microsoft is continually tightening it's grip on its customers freedom to do what they want, so I guess this really shouldn't come as a surprise.
  You can have password you want.
  You just can't use it with their system. You wanna know why? It's THEIR system.
  You can do any fucking thing you want to do, but you just can't do it with other people's shit if they don't want you to.
9. Re:If by Your.Master · 2016-05-25 14:30 · Score: 4, Insightful
  
  Obviously Microsoft knows what's best for us, regardless of what we want.
  In this case, literally yes, they do.
  
  Maybe I *want* to use a weak password
  And maybe you want to jump into the swimming pool wearing full platemail armour but the lifeguard doesn't have to let you, and in fact should not let you.
  
  what business is it of theirs to tell me I can't?
  It's literally their business.
10. Re:If by s.petry · 2016-05-25 14:38 · Score: 2, Insightful
  
  Haha, that was funneh!
  On point however, how many people don't care about how secure their passwords for Windows systems are? I have systems I could care less about, because they are either fully blocked by a FW or air-gapped. I don't trust Windows at all, so use a weak password when it fits me.
  MS - attempting to chase all remaining customers away I guess.
  
  --
  -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
11. Re:If by ShanghaiBill · 2016-05-25 14:38 · Score: 3, Informative
  
  If you ban common passwords. Then you end up with a new set of common passwords.
  Is there any evidence that the above assertion is true?
  No. The system is dynamic. It does not use a fixed set of "common passwords", but instead adds passwords that are used in cracking attempts. If a cracker thinks it is common enough to try, then it likely is not a good password to use. Over time, the list will grow, but it is unlikely we will run out of possible passwords. If the passwords are 32 bytes long, and each can hold 100 different values, then that is 10^64 possible passwords, which is roughly ten billion times the number of atoms in the sun.
12. Re:If by CyberNigma · 2016-05-25 14:39 · Score: 1
  
  Microsoft believes they know what's best for their services and/or products. Whether that is true or not is moot. You the freedom of using different services/products. Who are you to tell them what they can and can't do with their products and/or services? Speak with your money if you disagree with it.
13. Re:If by U2xhc2hkb3QgU3Vja3M · 2016-05-25 14:42 · Score: 1
  
  123456? Damn. That's 20% better than my password.
14. Re:If by bondsbw · 2016-05-25 14:51 · Score: 3, Informative
  
  This only affects Microsoft Accounts and Azure AD, not local Windows accounts.
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
15. Re:If by Darinbob · 2016-05-25 14:58 · Score: 3, Interesting
  
  You can honestly not think of any reason why a strong password is not always required? I can think of reasons why jumping into a pool while wearing full platemail might be necessary (it's scene 23 in my movie script). I don't even have a password on my home computer, but then again no one breaking in remotely is going to be blocked by a Windows login screen either. They can break in locally of course but if that happens I have more serious matters to deal with than that they'll be able to look at some photos before wiping the drive and reselling it.
16. Re:If by chr1st1anSoldier · 2016-05-25 15:08 · Score: 2
  
  Lot's of Microsoft online stuff ties into Azure AD, like Office 365 for example. And, I sync my office local AD directory to Azure AD for our O365 so I'm kind of curious how this will effect synced AD databases.
17. Re:If by Anonymous Coward · 2016-05-25 15:24 · Score: 1
  
  lol. The MS hate is so strong on slashdot that people hate even moves that SHOULD make nerds happy.
  What's wrong with you all ? We constantly talk about how weak passwords are stupid.
  Pull your head out of your zealot ass.
  You're the stupid one for thinking that everyone on Slashdot agrees with each other. You can get off your high horse now.
18. Re: If by Tanktalus · 2016-05-25 15:37 · Score: 1
  
  You only think you haven't been hacked.
  I'll give you a hint. "Hell0Kitty" is not a good enough password.
19. Re:If by MobileTatsu-NJG · 2016-05-25 15:55 · Score: 3, Insightful
  
  Oh come on, this isn't a bad thing. If Ubuntu refused to let you use 123456 as a root password, everyone on Slashdot would say "of course". If Microsoft does it, they're idiot facists who don't understand anything. Slashdot is sometimes just an embarrassment.
  This comment should not have been modded down. Slashdotters don't even try to pretend anymore that they don't just react as if everything MS does is wrong by default, even when they compromise their own principals in the process. Hell, just a couple of days ago people were modded up for saying MS shouldn't Open Source VB. . Uh huh.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
20. Re:If by mysidia · 2016-05-25 16:01 · Score: 2
  
  If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?
  I vote for recording a Fletcher-32 and CRC32 checksum of every password that a user creates, and if 3 or more accounts in the entire system attempt to create a password that has the same Fletcher-32 and CRC32 checksum, Then (1) The password will be rejected and banned, And (2) The other accounts with the same F32 and CRC32 will be locked into a state where they will be forced to change password upon next login.
  Also, they should give system administrators with On-Premise Active Directory installations an option to participate in the same system.
  Also, when users are originally creating a password: Microsoft should submit the password to the PASSFAULT algorithm, And if Time to Crack shows as less than 1 Month, the requested password should be rejected, and the hash added to the banned list.
21. Re:If by Anonymous Coward · 2016-05-25 16:05 · Score: 1
  
  What glaring holes? IIS has probably been the most secure webserver for the last several years, certainly better than Apache Security. Windows is decent, though arguably could be better, certainly nothing glaringly obvious though.
22. Re:If by Ol+Olsoc · 2016-05-25 16:11 · Score: 2
  
  If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?
  Tht keylogger in Windows 10 is going to be a big help. What a great company.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
23. Re:If by Ol+Olsoc · 2016-05-25 16:12 · Score: 3, Insightful
  
  This only affects Microsoft Accounts and Azure AD, not local Windows accounts.
  So far.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
24. Re:If by JustAnotherOldGuy · 2016-05-25 16:15 · Score: 4, Informative
  
  I don't want your account with a weak password to get pwned and send me spam or phishing emails.
  Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
  Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
25. Re:If by Ol+Olsoc · 2016-05-25 16:24 · Score: 1
  
  If you ban common passwords. Then you end up with a new set of common passwords.
  Is there any evidence that the above assertion is true?
  Hackers will probably figure out which passwords not to try.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
26. Re:If by Mashiki · 2016-05-25 19:48 · Score: 1
  
  Best way around it is 2-factor auth. Hell my bank didn't allow me to have passwords longer then 6 characters up until a year or two ago(it's now 13 characters) and it's one of the largest in Canada.
  
  --
  Om, nomnomnom...
27. Re:If by brantondaveperson · 2016-05-25 20:25 · Score: 1
  
  It's hard to imagine a more user-unfriendly policy.
28. Re:If by pr100 · 2016-05-25 22:23 · Score: 2
  
  If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?
  It doesn't follow. Common passwords are based on words in common use or things like calendar dates. If you disallow those, then it's reasonable to expect that the passwords will have a lot more variety.
29. Re:If by onyxruby · 2016-05-25 23:20 · Score: 2
  
  Depends, is it your personal account that isn't related to any organization? Then the least of risk is your account being used for spam. That's your best case scenario.
  Quite often personal email accounts are tied as the password recovery to access secondary systems like banking passwords? Would you like your forgotten bank account password reset and a new one emailed to you? If you're lazy enough to use a common password chances are you reused that same password on other systems you have access to.
  If it's your work account now I have access to a trusted account that can be used for fraud. Perhaps you work with sensitive data, or data that can be readily taken out of context? Perhaps your access can be used to embarrass your organization? It can also be used to identify spear fishing opportunities. It can be exploited to help gain access into your organization's network.
  These aren't hypotheticals, these situations occur every single day. They are a leading cause of data breaches, and the same damn Pa$$w0rd set keeps showing up year after year. Frankly the only surprising thing will be if other major organizations don't follow by also banning very weak passwords.
  Some reading on why this matters: http://www.verizonenterprise.c...
30. Re:If by dfghjk · 2016-05-25 23:35 · Score: 1
  
  "...but does that mean that MS should be able to force me to use one that they consider "strong"?"
  Yes, of course it does, and your use of "they consider" demonstrates your bias here. Password strength is an objective measure.
  "... You do know that, don't you?"
  Don't pretend to be in possession of the facts here after your previous comments.
31. Re:If by AK+Marc · 2016-05-26 00:02 · Score: 1
  
  Then, when you get hacked, you'll take to the Internets to whine about how MS allowed you to have an insecure password that made you get hacked. I've seen it happen before.
  
  --
  Learn to love Alaska
32. Re:If by AmiMoJo · 2016-05-26 00:02 · Score: 2
  
  Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
  Yes, if you want to use their service. Just like the TOS say no using Azure to run DDOS attacks or host illegal material, they now say no weak passwords.
  
  Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?
  Wrong. Most accounts are cracked because the user used the same password somewhere else that was compromised and subsequently cracked. Then it's password resets because their email address was compromised. Keyloggers are way, way down the list.
  Much more hassle to deploy and operate, much easier to just grab the user database from some site and crack all the weak passwords in it, which will be re-used with the same email address everywhere.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
33. Re:If by Anonymous Coward · 2016-05-26 00:03 · Score: 1
  
  no they don't. passwords are checked on entry for strength, they are only stored as one0way salted hashes.
34. Re:If by AK+Marc · 2016-05-26 00:05 · Score: 2
  
  That's simply not true. If 50% of passwords are "password", and you ban "password" you will not have 50% of passwords be replaced with the same password. Banning the most common password will result in more diverse and unique passwords.
  
  --
  Learn to love Alaska
35. Re:If by AmiMoJo · 2016-05-26 00:13 · Score: 1
  
  You vastly over estimate the skill of the average computer thief. If you set a Windows password, they will try "password" and "letmein" and then give up and wipe it. They won't load up a cracking tool and some rainbow tables, or take the HDD out and manually access your files. They are dumb enough to go around stealing computers, do you really expect them to have those skills?
  While you might think that a password is not required for your particular contrived application, security works best in layers. In the past we have seen that often secure systems are compromised by some small seemingly unimportant part being left unprotected for convenience.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
36. Re:If by Anonymous Coward · 2016-05-26 00:18 · Score: 2, Insightful
  
  Coming to a security update! Your password is no longer valid. New password must contain 15 symbols and 8 uppercase and 7 lowercase letters, where no more than 5 uppercase and 4 lowercase may be in a row, and you also may not have upper and lowercase alternate through the password.
  Or upgrade to Windows 10*.
  *:--(until the update hits windows 10 next month)
37. Re:If by justthinkit · 2016-05-26 01:03 · Score: 1
  
  And, also for your protection, paste has been disabled.
  
  --
  I come here for the love
38. Re:If by budgenator · 2016-05-26 01:16 · Score: 4, Funny
  
  Don't worry, Windows 10 has an option to use a strong secure 4 digit PIN number instead of a weak 8 alpha-numeric characters consisting of upper, lower case letters, numbers and at least one special character! Microsoft has saved us from the horrors of passwords like P@$$W0rd and Qwerty1! and has lead us to the Brave New World, we hail our new overlords of 1234 and 7777! We'll all be saved by Samsonite's random number generator.
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
39. Re:If by cjjjer · 2016-05-26 01:43 · Score: 1
  
  Blasphemy!! this is /. personal assumptions are the only real truth.
40. Re: If by budgenator · 2016-05-26 01:44 · Score: 1
  
  A decade or two ago my Boss bought the domain poiuyt.com It was absolutely amazing how many times a website's registration confirmation Emails came to poiuyt.com's default account with the password qwerty. I got access to a lot of porn that other people paid for too.
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
41. Re:If by Curunir_wolf · 2016-05-26 02:00 · Score: 2
  
  This only affects Microsoft Accounts and Azure AD, not local Windows accounts.
  In Windows 10, for many people your Microsoft Account IS your local Windows account (it's the default). It's much easier for Microsoft to control your computer that way.
  
  --
  "Somebody has to do something. It's just incredibly pathetic it has to be us."
  --- Jerry Garcia
42. Re: If by budgenator · 2016-05-26 02:02 · Score: 2
  
  Yea, how about the fact that most sites still haven't figured out what makes a password 'strong'. They seem to think an 8 character password with special characters is stronger than a 32 character password without.
  Seems like a no-brainer,
  66 alphanumeric and special characters, 66^8 = 3.6004060627e+14;
  46 alphabetic characters, 46^32 = 1.61529040681e+53
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
43. Re:If by Ol+Olsoc · 2016-05-26 02:24 · Score: 1
  
  no they don't. passwords are checked on entry for strength, they are only stored as one0way salted hashes.
  ;^) M'kay
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
44. Re:If by budgenator · 2016-05-26 02:28 · Score: 2
  
  Because the list is dynamic, then as a password gets banned for a while, it'll drop off the list because new common passwords will replace it; UID poiuyt, password Qwerty1! might become acceptable again one day!
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
45. Re: If by Nocturna81 · 2016-05-26 02:30 · Score: 2
  
  Just leaving this here: https://xkcd.com/936/
46. Re: If by Ol+Olsoc · 2016-05-26 02:35 · Score: 1, Insightful
  
  Typical Slashdot, this bullshit gets modded Informative.
  Yeah - shoulda been modded insightful. I hate to use why not examples, but I'll dv8 from that here.
  What would be the rationale to not implement this in all Windows systems? They already have a keylogger, they already phone home to a multiplicity of locations that they don't allow you to host out, and they already thought it was a good idea to allow anyone that you allow on your home wireless to allow anyone in their social network to wirelessly log on to your router, even though you have no idea who they are.
  It's just a simple forced update on all Windows systems, and a normal no choice update on anything running Windows 10. Using their rather invasive paradigm at this time, you'd be a fool to bet against it.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
47. Re:If by The-Ixian · 2016-05-26 02:41 · Score: 1
  
  Oh, come on, ye of little imagination. Make a policy which requires 2 or more password changes a day (32 character minimum length), forcefully logs users out of their computers randomly and swaps mouse button functions around without warning.
  How's that for more user-unfriendly?
  
  --
  My eyes reflect the stars and a smile lights up my face.
48. Re:If by randm.ca · 2016-05-26 02:54 · Score: 1
  
  Somebody was worse than TD and their 8 character maximum?
  
  Assuming your 6 characters were alpha+numeric+symbols, then at least that's better than ING/Tangerine and their exactly-6-numbers PINs.
49. Re:If by jandrese · 2016-05-26 03:07 · Score: 1
  
  What's even better is that your big database of CRC32 hashed passwords will be an absolute treasure trove for the hackers that download your data.
  
  --
  
  I read the internet for the articles.
50. Re:If by JustAnotherOldGuy · 2016-05-26 03:20 · Score: 1
  
  Yes, if you want to use their service.
  
  Oh, so now running Windows at home on my own PC is a "service"?
  There's another reason to move to Linux.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
51. Re:If by JustAnotherOldGuy · 2016-05-26 03:20 · Score: 1
  
  Then, when you get hacked, you'll take to the Internets to whine about how MS allowed you to have an insecure password that made you get hacked.
  
  Wrong, but thanks for playing.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
52. Re: If by bondsbw · 2016-05-26 03:33 · Score: 1
  
  What would be the rationale to not implement this in all Windows systems?
  For the same reason they allow you to have a blank password in Windows but not for Microsoft accounts.
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
53. Re:If by AmiMoJo · 2016-05-26 03:49 · Score: 1
  
  Have you looked at Windows 10? It's a service, you own nothing. That's one reason why I'm not running it.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
54. Re:If by pr100 · 2016-05-26 04:08 · Score: 1
  
  Well - if they allow "old" common passwords back in after a while then you're right, but if you retain the list of previously common passwords and continue to disallow those (which is probably more sensible) then you don't get that situation.
55. Re:If by mysidia · 2016-05-26 04:16 · Score: 1
  
  What's even better is that your big database of CRC32 hashed passwords will be an absolute treasure trove for the hackers that download your data.
  The point of using CRC32, or actually, 64-bit would probably be better, is that there are many different combinations which will hash to the same password.
  The reason to use a hash that is not salted and has many collisions is to allow easy comparison of a candidate password against a blacklist; without making the hash itself capable of being used to crack the password.
  For example: If you try to "brute force" a CRC64, you will actually find trillions of possible passwords that could have the same hash value.
  The downside of using high-collisions, is you will have false positives --- you will reject/block some passwords which are actually strong and unique.
  There are alternatives that could be used instead.... for example saving the result of an UNSALTED but HARD hash, such as many rounds of SHA256 but no unique salt. Also, TLS/SSL could be used to encrypt the transmission of the hash to the approval server, And the approval service could keep them encrypted at rest.
  The approval service could use a hardware security module to secure access to Hashes which are known but not yet on the banlist
  The communications to the approval service could use Public-key crypto on top of TLS/SSL, additionally, with a hard-coded Public key of trusted approval services.
  Once a hash is on the banlist, then it is no longer sensitive information (Because all passwords with that Hash have been flagged as needing to be changed, it can be distributed safely).
  There are other concepts that COULD be used to transfer the substance of a password without revealing the password, such as Fast-Fourier Transform, and techniques mentioned in some research papers that describe using Self-Organizing Maps and machine learning to help automatically detect and reject weak passwords.
  Then the known weak ones could become part of a training set, AND the Self-Organizing map, or Neutral network can be distributed to On-Premise servers as a Blueprint for passwords to reject, without having to explicitly disclose a "Banned hashes list".
56. Re: If by Ol+Olsoc · 2016-05-26 04:28 · Score: 1
  
  What would be the rationale to not implement this in all Windows systems?
  For the same reason they allow you to have a blank password in Windows but not for Microsoft accounts.
  Try again - explain why they won't do this, not why they are doing something that they might allow at the present time.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
57. Re: If by MobileTatsu-NJG · 2016-05-26 05:00 · Score: 1
  
  Everything should be Open Sourced*.
  * except Microsoft products for reasons that weren't important until this came up.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
58. Re:If by JesseMcDonald · 2016-05-26 05:17 · Score: 1
  
  Don't worry, Windows 10 has an option to use a strong secure 4 digit PIN number instead of a weak 8 alpha-numeric characters consisting of upper, lower case letters, numbers and at least one special character!
  It's not really as bad as you're making it sound. The account still has a password, and the PIN can only be used to log on as a local user. That makes it a form of two-factor authentication—you have to have physical (or at least console) access to the computer in addition to the PIN. If you guess wrong enough times the PIN is disabled and you have to provide the full password.
  You wouldn't want to rely on it for disk encryption, of course, but if you can effectively limit the number of failing login attempts, even a four-digit (random!) PIN can provide more than enough security for authentication. If Microsoft made a mistake here, it was in not forcing the PIN to be random. User-provided PINs (and passwords) tend to be fairly predictable.
  
  --
  "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
59. Re:If by Anonymous+Cow+Ward · 2016-05-26 06:27 · Score: 1
  
  Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
  Yes. Many places set password requirements, including what cannot be part of your password (username, birth date, previous passwords, etc.). If you don't want to follow their password rules, don't use their services.
  
  --
  Examine even your most deeply held beliefs. Nobody is always right.
60. Re:If by Anonymous+Cow+Ward · 2016-05-26 06:29 · Score: 1
  
  If you're using a Microsoft Account (rather than a local Windows account), then yes, it is. However, these rules don't seem to apply to local Windows accounts, at least not yet.
  
  --
  Examine even your most deeply held beliefs. Nobody is always right.
61. Re:If by ewibble · 2016-05-26 06:57 · Score: 1
  
  Or people just writing them down and putting a sticky note on the computer, or a note on their cellphone.
  They did this sort of thing with my phone pin, guess what? When I needed it I never remembered it.
  Also I don't see why I need my password to log onto my computer be the same as my Microsoft account, or logon for most home users to even be accessible from anywhere accept the keyboard attached computer.
  Any data I keep on the cloud, without further encryption I consider not secret.
  Warn people that their password is insecure by all means, but disallowing it is just Microsoft saying we know better than you, we will force you to do what we want. Just like when you turn of your computer, installing a software upgrade, you couldn't have somewhere to be that is more important than installing a service pack right now. Or automatically installing Windows 10.
62. Re:If by Agent0013 · 2016-05-26 07:07 · Score: 1
  
  Better add a login to the XBone startup also then. We don't want people to be able to use your gaming system while you are away or sleeping. Seriously, that is all I use my Windows system for. A password is just an extra hassle for me (Steam controller from the couch with no keyboard) and an even bigger hassle for my kids when they start to game more.
  
  --
  
  -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
63. Re:If by thegarbz · 2016-05-26 07:21 · Score: 1
  
  This only affects Microsoft Accounts and Azure AD, not local Windows accounts.
  You know what the error message says on Windows 10 when you type your password incorrectly?
  "Your password is incorrect. Make sure you're using the password for your Microsoft account. You can always reset it at http://account.live.com/passwo..."
  For most common folk their Windows 10 logons ARE their Microsoft accounts. Even some Slashdotters who should know better believe that you can't run Windows 10 without linking to a live account because they didn't find the tiny text in the bottom left of the screen during setup which allows you to setup a local only account.
64. Re:If by thegarbz · 2016-05-26 07:25 · Score: 1
  
  Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
  Are you really asking this question in 2016? I think the last time I was able to pick my own password for an online account without some restriction on length, complexity or some other bullshit was close to 20 years ago.
  Whatever the answer to your question is, not only has the horse bolted from the stable, but all your farm animals have left, gotten together, had children, and some even died of old age before you tried to close the stable door.
65. Re:If by thegarbz · 2016-05-26 07:26 · Score: 1
  
  The bitter irony is that the password of 12345 has more entropy than the pins they are proposing. Dark Helmet's luggage is now more secure than your windows account.
66. Re: If by bondsbw · 2016-05-26 07:58 · Score: 1
  
  Because there's no evidence that it is going to happen. I haven't seen any blog posts, announcements, or articles related to what you said.
  Your assertion is a slippery slope. You are committing the logical fallacy, so the burden is on you.
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
67. Re:If by jandrese · 2016-05-26 08:16 · Score: 1
  
  Isn't that going to drive your users crazy? I created a 27 character password with no two characters of the same class together and all 5 classes of characters represented and nothing like a real word or anything that makes it possible for a mere mortal to memorize it and the system still rejected me!! (because it hashed the same as 12345).
  
  But the bigger point is that when hackers do steal your database, they're going to run their GPU based password crackers against your cheap hash list and come up with a nice dictionary of possible passwords real quick. They can then do the slow hash checks against that list to find the actual passwords. You are defeating the computational complexity protections built into password hashes.
  
  --
  
  I read the internet for the articles.
68. Re:If by mysidia · 2016-05-26 09:30 · Score: 1
  
  But the bigger point is that when hackers do steal your database
  As noted: it's not necessary to record the data in a manner that makes it possible for hackers to steal.
  You assume it would be possible to grab some file and get a list of hashes, but it is not necessary for that to be the case.
  The memory storage can be structured so that it is impossible to determine what the hashes actually are; HOWEVER, If you are presented a hash as an Input, then it is possible to determine whether or not the hash already exists within the dataset.
  The short of it is, that you wind up with a tree/associative-memory structure that adjusts elements of the tree when a new hash is added to the dataset.
  This can also be implemented in hardware using logic gates, So there simply is no operation to "Recover a hash that is in the system". You must know what the hash is to provide as input, in order to be able to ask the question, whether the hash is in there (another account has already set that password), or not....
69. Re:If by jandrese · 2016-05-26 10:30 · Score: 1
  
  If you have hardware that is 100% impervious to hackers then you don't need all of this hash nonsense in the first place. Just store the raw passwords.
  
  --
  
  I read the internet for the articles.
70. Re: If by Ol+Olsoc · 2016-05-26 13:07 · Score: 1
  
  Because there's no evidence that it is going to happen. I haven't seen any blog posts, announcements, or articles related to what you said.
  Your assertion is a slippery slope. You are committing the logical fallacy, so the burden is on you.
  I already explained myself two posts ago. it fits in well with what they have been doing lately. It isn'r saying they have done it - although they have in one instance. TO put it as short as possible, a company that allows people that know people that you have allowed to access your wireless router, not necessarily people you know, is certainly capable of forcing a less batshit insane requirement on people.
  All I'm saying is that it wouldn't be surprising in the least. No need for logical fallacies, and met the burden - not of proof because they aren't doing it at present, but I explained my rationale. Read better. psssst - you forgot to add strawmand and the Chewbacca defense.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
71. Re:If by RockDoctor · 2016-05-27 10:31 · Score: 1
  
  If your system has a spelling checker, then simply run any submitted password through that (locally, not online). If there isn't a pselling checker (that was accidental. But WTF, I'll let it stand.), then not long after installation, compile a list of text files and-or PDFs, parse them into words, and use that as your dictionary (repeat occasionally).
  If it's in the dictionary, it's not allowed. Then add other rules.
  Microsloth might be reacting slowly to a perceived problem, but they are doing some sort of reaction.
  You'll note that my suggestion doesn't include any component of transmitting the dictionary online. That's deliberate. Cut the cord, install your OS from DVD, start adding your data from back-up, and at some point the customised dictionary starts to be compiled.
  I'm sure that there are better schemes out there - I've read Zimmermann's "snake oil" warnings. But it's a start (as is this action from Microsloth.)
  Someone is going to call me a Microsloth fanboi now. Well, I'm typing on a Trisquel machine, and I burned Fedora onto a Win-10 machine last week.
  
  --
  Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
The more password rules you make... by Ecuador · 2016-05-25 13:47 · Score: 4, Informative

While not allowing "common" passwords is not the worse idea, in general the more password rules you make, the worse passwords you'll get. In the end people end up writing them on post-it notes...
Doesn't Microsoft own Skype? Cause I was trying to make a Skype account a couple of years ago and tried first concatenating three weird Greek words transliterated to latin. I don't remember which words exactly, in any case, the password was rejected as too weak. Yeah, try cracking something like "poliefkoloskodikos" (aka "veryeasypassword"). It rejected a couple of others as well (it did not give you a specific reason - perhaps it would if I was on a desktop) and in the fourth try accepted something as simple as "river1". How is this kind of policy helped by banning e.g. "password1", that is not the problem.
Oh, my "favorite" password rules are the ones that reduce the search space for potential hackers.
For example, I have one bank account that requires the password to start with a number. I have network security camera that doesn't accept over 8 characters and the list goes on...

--
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
1. Re:The more password rules you make... by Lehk228 · 2016-05-25 14:10 · Score: 2
  
  you were running into the basic "must have letters/numbers/caps filter
  
  --
  Snowden and Manning are heroes.
2. Re:The more password rules you make... by Zarhan · 2016-05-25 17:35 · Score: 4, Insightful
  
  In the end people end up writing them on post-it notes...
  I'm not so sure this is a bad thing. Post-it notes still require physical access to the post-it-note. Which is pretty hard for a random bruteforcer to access over the Internet.
3. Re:The more password rules you make... by Tom · 2016-05-25 18:27 · Score: 1
  
  While not allowing "common" passwords is not the worse idea, in general the more password rules you make, the worse passwords you'll get. In the end people end up writing them on post-it notes...
  Not if you are smart about it. Yes, if you just add rules, this is what will happen. Been there, given speeches about it. But if you adopt a few good rules, you can actually improve password security a lot.
  And not allowing 123456 as a password is such an obvious step, I wonder it took so long. Don't they hire anyone with a brain at Mickeysoft?
  
  --
  Assorted stuff I do sometimes: Lemuria.org
4. Re:The more password rules you make... by houghi · 2016-05-26 00:37 · Score: 2
  
  The issue with passwords is that we need so many of them.
  IT people only look at the one access you get and make that safe to enter. They basically have a technical solution (login and password) for a social problem (people getting access to things they should not have) and that will not work out well.
  So what do IT people look ate? The technical side. What they forget or see as a burden is the human side. They are not interested that I now have not only manyplaces I need to login. In many places I also am unable to select my own login.
  At one place I worked I had 17 different logins from different types of access and several keys to type in a code as well. You bet I wrote shit down.
  To me all to often the reason for passwords is so that the IT department can say: well, WE did our best, so you can't blame us so sue or fire somebody else. And not look at a real solution.
  And no, I am not able to have a password keeper program as on most systems I am not allowed to install anything and I am not always on the same location, nor do all have access to the Inetrtubes.
  
  --
  Don't fight for your country, if your country does not fight for you.
5. Re:The more password rules you make... by The-Ixian · 2016-05-26 02:57 · Score: 1
  
  I feel your pain. I think it is so dumb how systems limit the length of a password to some arbitrary size. Is it really that much harder to store a 32 character password than it is to store an 8 character password? Come on.
  I use a password manager in lieu of the post-it but I do find it very aggravating that sites won't even let me use a randomly generated long password.
  
  --
  My eyes reflect the stars and a smile lights up my face.
I very much doubt by Maxo-Texas · 2016-05-25 14:13 · Score: 1

that they are going to ban agb12!!Htx7362bad.
Oh crap.

--
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
1. Re:I very much doubt by Tablizer · 2016-05-25 15:24 · Score: 1
  
  Gesundheit.
  
  --
  Table-ized A.I.
Microsoft Account = PC by SeaFox · 2016-05-25 14:18 · Score: 1, Interesting

With Microsoft doing their best to get people to use Microsoft Accounts on their Windows installs, that means people will soon be required to get approval from Redmond for the password they use to get into their own in PC in their own home.
1. Re:Microsoft Account = PC by CanadianMacFan · 2016-05-25 14:55 · Score: 1
  
  Or maybe it could refer to all of their online accounts such as Hot Mail, Xbox accounts, etc.
2. Re:Microsoft Account = PC by SeaFox · 2016-05-25 21:51 · Score: 1
  
  Or maybe it could refer to all of their online accounts such as Hot Mail, Xbox accounts, etc.
  A Microsoft Account is a login for Hotmail and XBox, and your PC, too if you didn't dig for the Local Account option during setup. That's the point.
3. Re:Microsoft Account = PC by budgenator · 2016-05-26 04:58 · Score: 1
  
  So many things at work are just completely cock-blocked without using a Microsoft account to login. While I was laid-off they hired a consultant to do the "upgrade" and provide management services, all of the hardware from this supposed "Authorised Dell Reseller" wasn't and everything was set up in the most obtuse, arcane and fragile manner possible to insure that he would be the only one the could install hardware or administer the system for billable hours. We ended up paying twice for Win Server 2008 and MSSQL to legitimatise our license with Microsoft, everytime the developer licence period ended the DHCP server stopped, so even our IP telephone stopped working when the leases expired.
  Now this asshole has split to the winds, and I'm left with nursing this abomination along. The Bosses ex-husband is a freakin HP Infrastructure Specialist, a Professional, Certificated Windows Administrator working full time supporting fortune 500 companies and he gets stumped by the crap I'm dealing with too.
  Sooner or later all windows systems are going to be too locked up to do anything without an Microsoft account so you might as well join the Borg because resistance is futile.
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
4. Re:Microsoft Account = PC by CanadianMacFan · 2016-05-26 07:07 · Score: 1
  
  And not everyone has a Windows box for the account to be a login to those other services. I haven't used a Windows where they try to link those services to the local account but I still have a hotmail account as a burner.
5. Re:Microsoft Account = PC by SeaFox · 2016-05-26 18:37 · Score: 1
  
  You're missing the point of my original post, which is that people who don't even use Microsoft online services are now going to beholden to Microsoft's stupid password requirements simply because they got tricked into signing up for such an account when they got their PC. Lots of these people didn't even want a login of any sort on their computer to start with, but were forced into picking one when they upgraded from their ol' creaky XP machine when it stopped being supported.
  Even if you set up a Windows 8 or 10 PC with a local only account, if you try to use the Microsoft-included email application with your "burner" Hotmail account, the machine converts your local-only Windows user account into a Microsoft Account.
  I have a local-only Windows account and a Hotmail account I keep separate as well -- using Thunderbird.
  Would you still like a gold star, Timmy?
Use password strength as the criterion by Applehu+Akbar · 2016-05-25 14:24 · Score: 1

No ever-lengthening lists of bad passwords and no infernal fiddly rules about specific numbers of capitals and numbers and symbols, but a simple threshold of overall password strength according to one of the widely-accepted metering systems. Such a filter would automatically accept the random strings created by password manager applications, which would lead to more people using such programs to create good passwords.
1. Re:Use password strength as the criterion by Drishmung · 2016-05-25 14:40 · Score: 2
  
  That is essentially what they are doing. But, added to the simple rule based strength measure is a set of current rainbow tables. If they are throwing out the other silly rules, like mixed case, numerals etc and just looking at objectively weak passwords (a password in a rainbow table is objectively weak) then this sounds great.
  
  --
  Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
LOLWUT by ArchieBunker · 2016-05-25 14:29 · Score: 4, Insightful

This is a first. Someone on Slashdot making an argument for weak passwords.

--
Only the State obtains its revenue by coercion. - Murray Rothbard
1. Re:LOLWUT by bloodhawk · 2016-05-25 14:47 · Score: 2, Insightful
  
  No it is someone with an Anti-MS agenda that doesn't care his argument is idiotic, as long as it goes against what MS is doing.
2. Re:LOLWUT by Darinbob · 2016-05-25 14:52 · Score: 1
  
  Not every account needs a strong password. Sure, if it's your primary windows account then lock it down somewhat. Otherwise you imagine the worst thing that can happen and if it's not too bad you don't stress over it. Sure there's panic that any windows account can cause the end of the world if they're able to send random email, but that can happen from the attacker's computer or a million other anonymous mail sites, big deal. Who needs a super strong password for their guest account?
3. Re:LOLWUT by budgenator · 2016-05-26 01:51 · Score: 1
  
  No we just know Microsoft, they'll go from crazy-stupid easy and insecure to crazy-stupid hard, so hard nobody will do it and will use an even more insecure work-around. Then when everybody get hacked Microsoft will blame the insecure work-around and not the insanity that drove people to it.
  
  --
  Apocalypse Cancelled, Sorry, No Ticket Refunds
4. Re:LOLWUT by Voyager529 · 2016-05-26 05:16 · Score: 1
  
  Because this is about microsoft accounts, aka Google Accounts, except by Microsoft. Now yes, the line blur comes with the fact that Win8/Win10 make it a bit of a challenge to create a local account rather than a Microsoft account when starting the computer, but let's take that out of the equation for a moment. A Microsoft account includes OneDrive storage, so think in terms of Dropbox allowing '12345' as a password. Microsoft accounts include webmail, which still support POP/SMTP, so hacked accounts = spam relays. Sure, none of those users are domain admins on the remote servers, but I see no downside to saying, "this is my house, play by my complexity rules".
5. Re:LOLWUT by dpidcoe · 2016-05-26 09:22 · Score: 1
  
  Arguing against forceably disallowing "common" (whatever your definition of that is) passwords is not the same as arguing for weak passwords. The more restrictions you put on passwords, the more search space you rule out and the more likely you make users to pick guessable passwords and/or re-use passwords.
What could possibly go wrong... by green1 · 2016-05-25 14:31 · Score: 4, Informative

"Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked"
I've already fallen victim to this one. I had an @live.com email address that I used for things that were guaranteed to spam me. Things that needed a one time authentication and such. Unfortunately I made a typo once while trying to access the account. One typo, on one attempt. I've now been permanently locked out of the account.
They said they just need to verify that it's me, but there's no possible way to do so. They say I can give them a phone number to verify it, but they don't have my phone number on file in the first place. The next option was their account recovery tool, but it requires you tell them who you have sent mail to from the account, as I've only ever received mail in this account, and never sent anything out, I can't do that. I submitted the form anyway, but they tell me that they can't verify that I'm me so they won't unlock the account.
Mostly I can just create another throw away account, but unfortunately another service took this opportunity to try to "re-verify" me by sending an email to this now locked out account, and because I can't get that email, I'm also locked out of the other service.
Of course I should have known better, what idiot uses Microsoft for ANYTHING????
1. Re:What could possibly go wrong... by Registered+Coward+v2 · 2016-05-25 15:06 · Score: 1
  
  Of course I should have known better, what idiot uses Microsoft for ANYTHING????
  90% of the user base
  
  --
  I'm a consultant - I convert gibberish into cash-flow.
2. Re:What could possibly go wrong... by subanark · 2016-05-25 15:17 · Score: 2
  
  Great sob story, bro. There are ways to set up recovery, you weren't really impacted by getting locked out, and you didn't state how it could have been better.
  PS: There are lots of "throw away" email services that are just for doing what you want to do.
3. Re:What could possibly go wrong... by green1 · 2016-05-25 15:20 · Score: 1
  
  Ok, I'll state clearly how it could be better.
  Don't lock your users out when they make ONE typo!!! I've never seen any other service anywhere, ever, that doesn't allow at the very minimum 3 password attempts.
4. Re:What could possibly go wrong... by green1 · 2016-05-25 15:43 · Score: 1
  
  I could go further too,
  If you offer a recovery option, let users recover with the information that's on file. If they didn't give much info, then it's going to be less secure, but that's the user's choice.
  I could give them my full name, date of birth, city, year that I created the account, and oh yeah, MY PASSWORD! Not to mention I could have told them who I had received mail from, just not who I sent it to (because I hadn't sent any email!)
  None of that was good enough.
5. Re:What could possibly go wrong... by jader3rd · 2016-05-25 16:32 · Score: 1
  
  What do you propose should be done differently to keep accounts safe?
6. Re:What could possibly go wrong... by Deathlizard · 2016-05-25 16:48 · Score: 3, Informative
  
  Microsoft (or Google for that matter, just not as bad) doesn't play games with their account credentials anymore. You have to have an out of network way to verify your account or you're going to lose it. Either through a Phone number or another Email address, and dammit make sure its up to date.
  Also the two factor app that MS has for android is one of the best I've used when it comes to ease of use and how it's implemented. it's pretty much make sure the code on the PC matches the code in the authentication window and click approve on the phone if it does. No typing verification numbers like most authenticators. so it's a good idea to use that too since it will let you in if all else fails.
  This account protection of course makes it a pain with windows 8 or 10 users that use MS accounts for credentials. Half of the time they use stupid pins for their passwords and forget their real password, and MS doesn't like that sort of thing to adjust account settings. Especially if you got to refresh the PC. Just about once a week I have a conversation that goes something like
  (Me) Whats your password for your PC?
  (grandma) It's 1111
  (Me) No that's your pin. I need the password
  (grandma) but it lets me in the computer so that's my password
  (Me) (Three minute explanation of the difference between a pin and a password)
  (grandma) oh... well, I don't know it cause my grandson set it up. (or its in my password book buried at my desk) can you reset it?
  Then you find out that their recovery creds were an old Email and phone number from a DSL/Phone provider they no longer have and have to go through the account verify process of shame that the Parent post went through, which never seems to work until you submit it 3 or more times regardless of how much info you put in the thing.
  
  --
  In Soviet Russia, Trojan exploits YOU!
7. Re:What could possibly go wrong... by Ol+Olsoc · 2016-05-25 16:57 · Score: 1
  
  Great sob story, bro. There are ways to set up recovery, you weren't really impacted by getting locked out, and you didn't state how it could have been better.
  PS: There are lots of "throw away" email services that are just for doing what you want to do.
  And there are services that don't have stupid always your fault - never Microsoft's problems.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
8. Re:What could possibly go wrong... by Ol+Olsoc · 2016-05-25 16:58 · Score: 1
  
  Ok, I'll state clearly how it could be better. Don't lock your users out when they make ONE typo!!! I've never seen any other service anywhere, ever, that doesn't allow at the very minimum 3 password attempts.
  No point in arguing with them - nothing is ever Microsoft's fault by decree.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
9. Re:What could possibly go wrong... by houghi · 2016-05-26 00:53 · Score: 1
  
  I use gmx.com as a spambox. I also have my own doamin, so I use aliasses like slashdot.org@example.com
  So my process is to use the spam adress for the first subscribtion of e.g. slashdot.org. Then when I see it is something I would like to keep, I make an alias slashdot.org@example.com
  That way the spam is send to the spambox. If they decide to sell the adress, I delete the alias (Hi Ebay) and be done with it. If the access to the spambox is lost, nothing of value will be gone as the important sites already send it to me.
  Till now (over 10 years) Ebay is the only one where I have removed the email adress and will no longer do any business via them. I think I have 30-40 aliases or so.
  If I go on a trip and I need reservations in several hotels, I make an email like trip2016@example.com and have everything neatly together.
  I do not like to be dependent on one party, so the DNS and web hosting is not even at the same company, so if one screws up, I can leave at the turn of a dime.
  
  --
  Don't fight for your country, if your country does not fight for you.
Re:Rogue pathc to circumvent this in..... by Anonymous Coward · 2016-05-25 14:45 · Score: 2, Informative

This will be instantly patched around with either a registry edit or a binary rogue patch available for download.
This is a Microsoft Account / Azure Active Directory, not a local Windows machine user account. Since they're cloud-based services, a local patch won't work.
Password not accepted by CanadianMacFan · 2016-05-25 14:59 · Score: 3, Funny

Your new password is not accepted. Please install Windows 10 and try a new password.
This affects their bottom line by subanark · 2016-05-25 15:04 · Score: 1

This rule is for Azure. Since Microsoft needs to maintain a reasonable reputation for their customer service being flexible, they will often refund fraudulent use of their service which costs them money.
PS: Don't try to argue that Microsoft doesn't have reasonable customer service, I can name many other companies with horrible CS, and many sob stories from companies like Amazon who are rated as having excellent CS.
Splainzit by Tablizer · 2016-05-25 15:10 · Score: 1

I was wondering why "fuckmicrosoft1" stopped working.

--
Table-ized A.I.
123456 by Known+Nutter · 2016-05-25 15:13 · Score: 1

That's fine, Microsoft.
But what about my luggage?

--
Beware of the Leopard.
Re:idiot by green1 · 2016-05-25 15:15 · Score: 1

Yes I give every random website on the internet my phone number... why not?
Don't see this turning out too good for Microsoft by chr1st1anSoldier · 2016-05-25 15:25 · Score: 1

I understand why Microsoft is doing this, but I just don't see this ending well for them. I would set temp passwords for new hires to things like $$Znxa1543 and they would almost murder me. The users would complain, the managers would complain, everyone would just complain that the passwords were too hard. For some reason some users just can't remember anything more complex than something like "May-2016" or some such like that. All Microsoft is going to do is force these people to set passwords they will never remember and wind up with millions of locked accounts and millions of unhappy people.
Come on, already by hcs_$reboot · 2016-05-25 16:27 · Score: 2

Microsoft bans your favorite passwords, microsoft forces you to update to v 10 even though you said "fuck off", MS does this, MS does that. For chrissake, use something else, another OS!

--
Slashdot, fix the reply notifications... You won't get away with it...
1. Re:Come on, already by gosand · 2016-05-26 05:15 · Score: 1
  
  Password security is system agnostic. It isn't just Microsoft. I applaud their efforts here, but they are just that. Nothing ground-breaking.
  Here's an idea... teach people how to create better passwords! Don't just restrict them to X number of characters or say you have to use capitals and numbers.
  I remember some fairly secure passwords from 20 years ago. We had an intern who left, and he gave me his unix password in case I needed it.
  It was CIrpotb, It was the first letter from each word in the lyric in the song Jeremy "Clearly I remember picking on the boy," and included the comma.
  I have used a similar method. Here's how:
  1. Pick something significant to you that you will not forget. Let's say you saw your first girlfriend's hot mom in the nude. Her name was Alice. Aliceboobs
  2. Throw in some caps. AliceboobS. Then some numbers and punctuation. Aliceb00bS!
  Done
  So when you have to change it, bump up the 2nd number. Aliceb01bS! Aliceb02bS!...
  If you just go from 00 to 09 and back, you have 10 iterations. If you go to 99 you have 100.
  Need to keep a reminder on a post-it? write milf18!
  That means Aliceb18bS!
  Need to answer a security question? What was the name of your first pet? milf18! easy reminder
  You only need to modify a few characters to get a new secure password that only you know the story behind.
  Find your own event, make up your own rules. Anyone can do it.
  (note: that is NOT the story behind my password, but the story is true) :)
  
  --
  
  My beliefs do not require that you agree with them.
2. Re:Come on, already by thegarbz · 2016-05-26 07:30 · Score: 1
  
  Microsoft bans your favorite passwords
  Of all the things on your list to this one I say "good fucking finally". I find it hard to fault Microsoft for this move. Dare I say I praise them? I would praise them but I get the feeling that with all those Windows 10 accounts linked to a live account that this is going to cause a lot of shit for a lot of people. So I say "Praise to those worthless scumsucking bastards"
Eastern Europe by BradMajors · 2016-05-25 16:45 · Score: 1

If Microsoft really was interested in my account security they would ban any account access from Eastern Europe. I have no plans to ever travel to Eastern Europe while logs show that almost all the hacking attempts to my accounts are coming from Eastern Europe.
If Netflix can do it, why can't Microsoft and LinkedIn?
1. Re:Eastern Europe by subanark · 2016-05-25 17:42 · Score: 2
  
  This doesn't solve much. You just force the armature hackers to use proxies, which makes it more difficult to do forensic analysis. At the same time you prevent that 1/1000 person who is traveling to Russia and needs to access their account. Sounds like a lose-lose situation to me.
Re:idiot by Ol+Olsoc · 2016-05-25 16:55 · Score: 1

they don't have my phone number on file in the first place.
this is your failure, not theirs
Fortunately, he can move to systems where he doesn't do that stupid shit.
THat's always the problem with Microsoft, a lot of people have a lot of problems, but it's never never Microsoft's fault. Meh.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I'll just use crypt() by OrangeTide · 2016-05-25 18:28 · Score: 1

I'll take the crypt() output of my favorite password and use that instead. papAq5PwY/QQM

--
“Common sense is not so common.” — Voltaire
They should know! by gavron · 2016-05-25 20:24 · Score: 2

Microsoft leads the world in insecure software, so on the 20th anniversary of Windows 95 it's good they're working to help.
On the other hand any time you decrease keyspace by creating arbitrary rules ("Must contain this", "must contain that")
you constrain an otherwise limitless keyspace and make it easier to guess.
I want to wish them well... because it appears they are well-intentioned. Sadly, they are still incompetent.
Want to make stronger passwords? Don't REQUIRE people to use specific parts of the keyspace.
Want to make stronger systems? Don't make your Win95/Win98/WinME/Win2K/WinXP/Vista/7/10 compatible with DOS so people can pwn your users.
pam_cracklib.so by Anonymous Coward · 2016-05-25 20:34 · Score: 1

Really, how different is this to linux's pam_cracklib.so policies when you change your password on those systems that have this module enabled?
Microsoft password ban by colincarter · 2016-05-25 21:21 · Score: 1

Is it true? Why would they ban, there are lots of common passwords people use, is there any notification or official announcement?
Great! by allo · 2016-05-25 23:05 · Score: 3, Insightful

"Your password is weak, because 3 Million Users are already using it"
Cool, i found a common one! Lets try to use it on billgates@hotmail.com! Gotcha!
A whole new way to update your wordlists.
How did they find out... by GreatOldOne · 2016-05-25 23:37 · Score: 1

...that my favorite password is "Micro$oftSux"?
Re:Hang on by bloodhawk · 2016-05-25 23:56 · Score: 1

If you don't want them dictating what you can do then don't use there cloud services for fucks sake,. They are there services they can do as they wish, you on the other hand get the choice, you don't like strong security policies for online services then use one of the competitors.
Oh rats by AndyKron · 2016-05-26 00:00 · Score: 1

So I can't use FuckMicrosoft123! anymore?
10^4 by wkwilley2 · 2016-05-26 01:15 · Score: 1

Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services.

Please enter your 4 digit pin in order to login to your computer, you know, where all your personal information is stored?

--
Have you ever fallen asleep at the keybhanusdiog?
Re:Hang on by The-Ixian · 2016-05-26 02:23 · Score: 1

Dang it, why can't I use Windows to chop onions?! MS always telling me what I CAN'T do with their system! Jerks!
There are already tons of systems where I cannot use a particular password because it doesn't meet complexity requirements... why is this different than that?

--
My eyes reflect the stars and a smile lights up my face.
Re:Hang on by tsa · 2016-05-26 02:39 · Score: 1

There are nerds on /. who are not programmers, you know.

--
-- Cheers!
Usernames ? Passwords ? by stooo · 2016-05-26 04:24 · Score: 1

After banning common usernames, now they ban passwords....
https://support.microsoft.com/...

--
aaaaaaa
Re:Don't see this turning out too good for Microso by budgenator · 2016-05-26 05:08 · Score: 1

Wait until their installed software require those unremembered and unretrivable accounts to confirm their licences and they have to buy new software.

--
Apocalypse Cancelled, Sorry, No Ticket Refunds
Strong Password Problem by SeattleLawGuy · 2016-05-26 05:32 · Score: 1

You can honestly not think of any reason why a strong password is not always required?
Once the password gets too complex, I believe people become more likely to (1) write it down and (2) use the same strong password for everything. Those may or may not be more of a problem than a weak password, depending on your attack profiles. Certainly they are less of a problem than the ten most common passwords.
Two-factor authentication helps. Text message verification helps. IP-based verification helps. Security questions help. It's about reducing the possibility of compromise. You can't actually prevent all compromise, although physical tokens like synchronized pre-seeded RNG generators not connected to the net aren't terrible at it, for example.

--
Real lawyers write in C++
1. Re:Strong Password Problem by Darinbob · 2016-05-26 06:16 · Score: 1
  
  But you don't need to put 20 locks on your backyard tree house. If I ever had a twitter account, I would not care if it as compromised, it is literally of zero importance to me. As long as my password isn't related to those I use on something important. Ok, so they hack into twitter, follow that to break into instagram, use that to defame people under my pseudonym on reddit, and so forth, and after all of that nothing of any value was lost!
  Put high security on stuff that needs high security: your online banking (better to do that in person though), anything that has your credit card number (if you're dumb enough to click the "remember my card details" button).
  Put medium to high security on stuff that has personal information you don't want to get out: social security numbers, home address, your real name, your children's name.
  Put low security on stuff that's irrelevant in the long run: your comments on stackexchange, your Morris dancing blog, the account you created before a hardware company let you download datasheets (though using bugmenot for that works too).
  But if you treat everything online as requiring high security then you start losing security overall. Like you said, too many hard passwords and you ask your browser to remember them, or get some password management software. And yet so many utterly irrelevant web sites have the tougher password restrictions than online banking.
storing passwords by just+another+AC · 2016-05-26 05:54 · Score: 1

So if they ban common passwords, then they are both:
reading my passwords
storing my password, along with some kind of counter, to work out the most common passwords.
Otherwise they are only banning PRESUMED common passwords
Common passwords as moving targets by luis_a_espinal · 2016-05-26 08:39 · Score: 1

If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?
Why not? It would be within the company's capacity to maintain a dictionary of hashes (not the actual passwords) from where to determine the most common passwords at any given time. Then you ban them. It is a moving target.
For example, think about a Windows group policy that does not let you reuse a password. This is a perfectly reasonable strategy. That is possible for members of a domain, but prohibitive for a global audience. So an extension to the idea is to look for indications that your password is among the most common ones and ban it.
This could imply that what is not banned today can be banned tomorrow, and that what is banned today might not be in the future. This notion could be relaxed by enforcing the ban only on new passwords. If your current password happens to become a common one in the future, you still keep it, but any new password from another principal matching yours would get banned.
I don't see what the fundamental, fatal problem is here. Like all strategies, it has its pros and cons.
Hume's Guillotine by luis_a_espinal · 2016-05-26 08:44 · Score: 1

I don't want your account with a weak password to get pwned and send me spam or phishing emails.
Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?
Is their system, so they can set the rules. If we don't like them, we can go somewhere else. The same applies to gmail or yahoo or whatever. Applying "should" to the question is pretty much threading into "is/ought problem" land.
1. Re:Hume's Guillotine by JustAnotherOldGuy · 2016-05-26 10:56 · Score: 1
  
  Is their system, so they can set the rules.
  
  But it's not their system.
  It's my PC, and nothing in their TOS that I can find states that I need to have it connected to the internet in order to use any of their services or "system".
  If I'm using their email or online services then yes, they have the right to enforce whatever password restrictions they like.
  But on my PC, I should be able to use any password I want, even a stupidly simple one, or none at all.
  
  --
  Just cruising through this digital world at 33 1/3 rpm...
2. Re:Hume's Guillotine by luis_a_espinal · 2016-05-27 01:44 · Score: 1
  
  Your PC is accessing remote servers for license validation, you get upgrades over the internet. You do not own the OS, you own a license to use it. I am not saying what is right or wrong (I don't fall for is/ought fallacies). I'm simply stating the state of things. We can choose not to deal with these things by not using MS software (with all the pros and cons of such choices.) It is a matter of choices, not necessarily the choices you, the generic you, want, but the ones that exist.
Re:They banned all of mine... by ebvwfbw · 2016-05-27 17:11 · Score: 1

Now you're being silly. Here are some actually banned because they are way too common:
BillGatesHasMouseBalls
Bill Gates Has Mouse Sized Balls
Microsoft_sucks
BillGatesMeetsJesus
Password hell by ebvwfbw · 2016-05-27 17:15 · Score: 1

Strong passwords are great. However I've had some systems and Solaris was one of them where the setup checking for bad passwords was way to strong. Anything I typed in it said had a word in it. Even if it was the first 20 chars of a MD5 hash. Really sucks when you spend about 30 minutes coming up with something it'll take. Sometimes I simply did a real password on a Linux machine and then pasted the hash into the Solaris box defeating them. So there.
This could become the same situation. You'll have to write it down.