Slashdot Mirror


Microsoft May Ban Your Favorite Password (securityweek.com)

wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from the Microsoft Account and Azure Active Directory (AD) systems. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of Azure AD Identity Protection team, explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.

44 of 232 comments

  1. If by liqu1d · · Score: 5, Insightful

    If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?

    1. Re:If by burtosis · · Score: 5, Funny

      If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?

      Absolutely! In no time flat this Microsoft problem should fix itself.

    2. Re:If by JustAnotherOldGuy · · Score: 3, Interesting

      Obviously Microsoft knows what's best for us, regardless of what we want.

      Maybe I *want* to use a weak password, what business is it of theirs to tell me I can't? If they want to warn me that I have a weak password, fine. But to prevent me from using it? That's just bullshit.

      Microsoft is continually tightening its grip on its customers' freedom to do what they want, so I guess this really shouldn't come as a surprise.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:If by Jeremi · · Score: 3, Interesting

      If you ban common passwords. Then you end up with a new set of common passwords.

      Is there any evidence that the above assertion is true?

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:If by Anonymous Coward · · Score: 5, Insightful

      lol. The MS hate is so strong on slashdot that people hate even moves that SHOULD make nerds happy.

      What's wrong with you all ? We constantly talk about how weak passwords are stupid.

      Pull your head out of your zealot ass.

    5. Re:If by PhunkySchtuff · · Score: 4, Insightful

      I don't want your account with a weak password to get pwned and send me spam or phishing emails.

    6. Re:If by Anonymous Coward · · Score: 3, Insightful

      Oh come on, this isn't a bad thing. If Ubuntu refused to let you use 123456 as a root password, everyone on Slashdot would say "of course". If Microsoft does it, they're idiot fascists who don't understand anything. Slashdot is sometimes just an embarrassment.

    7. Re:If by Your.Master · · Score: 4, Insightful

      Obviously Microsoft knows what's best for us, regardless of what we want.

      In this case, literally yes, they do.

      Maybe I *want* to use a weak password

      And maybe you want to jump into the swimming pool wearing full platemail armour but the lifeguard doesn't have to let you, and in fact should not let you.

      what business is it of theirs to tell me I can't?

      It's literally their business.

    8. Re:If by s.petry · · Score: 2, Insightful

      Haha, that was funneh!

      On point however, how many people don't care about how secure their passwords for Windows systems are? I have systems I could care less about, because they are either fully blocked by a FW or air-gapped. I don't trust Windows at all, so use a weak password when it fits me.

      MS - attempting to chase all remaining customers away I guess.

      --
      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    9. Re:If by ShanghaiBill · · Score: 3, Informative

      If you ban common passwords. Then you end up with a new set of common passwords.

      Is there any evidence that the above assertion is true?

      No. The system is dynamic. It does not use a fixed set of "common passwords", but instead adds passwords that are used in cracking attempts. If a cracker thinks it is common enough to try, then it likely is not a good password to use. Over time, the list will grow, but it is unlikely we will run out of possible passwords. If the passwords are 32 bytes long, and each can hold 100 different values, then that is 10^64 possible passwords, which is roughly ten billion times the number of atoms in the sun.

    10. Re:If by bondsbw · · Score: 3, Informative

      This only affects Microsoft Accounts and Azure AD, not local Windows accounts.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    11. Re:If by Darinbob · · Score: 3, Interesting

      You can honestly not think of any reason why a strong password is not always required? I can think of reasons why jumping into a pool while wearing full platemail might be necessary (it's scene 23 in my movie script). I don't even have a password on my home computer, but then again no one breaking in remotely is going to be blocked by a Windows login screen either. They can break in locally of course but if that happens I have more serious matters to deal with than that they'll be able to look at some photos before wiping the drive and reselling it.

    12. Re:If by chr1st1anSoldier · · Score: 2

      Lots of Microsoft online stuff ties into Azure AD, like Office 365 for example. And I sync my office local AD directory to Azure AD for our O365, so I'm kind of curious how this will affect synced AD databases.

    13. Re:If by MobileTatsu-NJG · · Score: 3, Insightful

      Oh come on, this isn't a bad thing. If Ubuntu refused to let you use 123456 as a root password, everyone on Slashdot would say "of course". If Microsoft does it, they're idiot fascists who don't understand anything. Slashdot is sometimes just an embarrassment.

      This comment should not have been modded down. Slashdotters don't even try to pretend anymore that they don't just react as if everything MS does is wrong by default, even when they compromise their own principles in the process. Hell, just a couple of days ago people were modded up for saying MS shouldn't Open Source VB. Uh huh.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    14. Re:If by mysidia · · Score: 2

      If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?

      I vote for recording a Fletcher-32 and CRC32 checksum of every password that a user creates, and if 3 or more accounts in the entire system attempt to create a password that has the same Fletcher-32 and CRC32 checksum, then (1) the password will be rejected and banned, and (2) the other accounts with the same F32 and CRC32 will be locked into a state where they will be forced to change password upon next login.

      Also, they should give system administrators with On-Premise Active Directory installations an option to participate in the same system.

      Also, when users are originally creating a password: Microsoft should submit the password to the PASSFAULT algorithm, and if Time to Crack shows as less than 1 Month, the requested password should be rejected, and the hash added to the banned list.
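As an added example (not code from the comment or from Microsoft), the checksum scheme proposed above as a small Python registry: a Fletcher-32 implementation, tracking of (Fletcher-32, CRC32) pairs per account, reject-and-ban once three accounts share a pair, and a forced-change flag on the other accounts; the user names and passwords used are constructed sample data.

```python
import zlib
from collections import defaultdict

REJECT_THRESHOLD = 3  # the comment's rule: 3 or more accounts sharing a pair


def fletcher32(data: bytes) -> int:
    """Fletcher-32 over little-endian 16-bit words; odd-length input is
    zero-padded. Known vector: b"abcde" -> 0xF04FC729."""
    if len(data) % 2:
        data += b"\x00"
    s1 = s2 = 0
    for i in range(0, len(data), 2):
        word = data[i] | (data[i + 1] << 8)
        s1 = (s1 + word) % 0xFFFF
        s2 = (s2 + s1) % 0xFFFF
    return (s2 << 16) | s1


def checksum_pair(password: str) -> tuple:
    """The (Fletcher-32, CRC32) pair the comment proposes recording."""
    raw = password.encode("utf-8")
    return fletcher32(raw), zlib.crc32(raw) & 0xFFFFFFFF


class PasswordRegistry:
    """Toy registry (constructed for this example): maps each checksum
    pair to the set of accounts currently using it."""

    def __init__(self):
        self.by_pair = defaultdict(set)  # (f32, crc32) -> {user ids}
        self.banned = set()              # checksum pairs no longer allowed
        self.must_change = set()         # users forced to change at next login

    def set_password(self, user: str, password: str) -> bool:
        """Record the user's new password checksum. Returns True if accepted.
        Once REJECT_THRESHOLD accounts would share the pair, the password is
        rejected, the pair is banned, and the other accounts are flagged."""
        pair = checksum_pair(password)
        if pair in self.banned:
            return False
        others = self.by_pair[pair] - {user}
        if len(others) + 1 >= REJECT_THRESHOLD:
            self.banned.add(pair)            # (1) reject and ban the pair
            self.must_change.update(others)  # (2) lock the other accounts
            return False
        for members in self.by_pair.values():  # drop the user's previous pair
            members.discard(user)
        self.by_pair[pair].add(user)
        self.must_change.discard(user)  # a fresh password satisfies the flag
        return True
```

The pairs are unsalted so that they can be compared across accounts, which is also why unrelated passwords can collide on the same pair; both properties follow from the proposal itself.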

    15. Re:If by Ol+Olsoc · · Score: 2

      If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?

      That keylogger in Windows 10 is going to be a big help. What a great company.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    16. Re:If by Ol+Olsoc · · Score: 3, Insightful

      This only affects Microsoft Accounts and Azure AD, not local Windows accounts.

      So far.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    17. Re:If by JustAnotherOldGuy · · Score: 4, Informative

      I don't want your account with a weak password to get pwned and send me spam or phishing emails.

      Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?

      Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    18. Re:If by pr100 · · Score: 2

      If you ban common passwords. Then you end up with a new set of common passwords. Going to ban those too?

      It doesn't follow. Common passwords are based on words in common use or things like calendar dates. If you disallow those, then it's reasonable to expect that the passwords will have a lot more variety.

    19. Re:If by onyxruby · · Score: 2

      Depends, is it your personal account that isn't related to any organization? Then the least of the risks is your account being used for spam. That's your best case scenario.

      Quite often personal email accounts are tied in as the password recovery address for secondary systems like banking. Would you like your forgotten bank account password reset and a new one emailed to you? If you're lazy enough to use a common password, chances are you reused that same password on other systems you have access to.

      If it's your work account, now I have access to a trusted account that can be used for fraud. Perhaps you work with sensitive data, or data that can be readily taken out of context? Perhaps your access can be used to embarrass your organization? It can also be used to identify spear phishing opportunities. It can be exploited to help gain access into your organization's network.

      These aren't hypotheticals, these situations occur every single day. They are a leading cause of data breaches, and the same damn Pa$$w0rd set keeps showing up year after year. Frankly the only surprising thing will be if other major organizations don't follow by also banning very weak passwords.

      Some reading on why this matters: http://www.verizonenterprise.c...

    20. Re:If by AmiMoJo · · Score: 2

      Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?

      Yes, if you want to use their service. Just like the TOS say no using Azure to run DDOS attacks or host illegal material, they now say no weak passwords.

      Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?

      Wrong. Most accounts are cracked because the user used the same password somewhere else that was compromised and subsequently cracked. Then it's password resets because their email address was compromised. Keyloggers are way, way down the list.

      Much more hassle to deploy and operate, much easier to just grab the user database from some site and crack all the weak passwords in it, which will be re-used with the same email address everywhere.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:If by AK+Marc · · Score: 2

      That's simply not true. If 50% of passwords are "password", and you ban "password" you will not have 50% of passwords be replaced with the same password. Banning the most common password will result in more diverse and unique passwords.

    22. Re:If by Anonymous Coward · · Score: 2, Insightful

      Coming to a security update! Your password is no longer valid. New password must contain 15 symbols and 8 uppercase and 7 lowercase letters, where no more than 5 uppercase and 4 lowercase may be in a row, and you also may not have upper and lowercase alternate through the password.

      Or upgrade to Windows 10*.

      *:--(until the update hits windows 10 next month)

    23. Re:If by budgenator · · Score: 4, Funny

      Don't worry, Windows 10 has an option to use a strong secure 4 digit PIN number instead of a weak 8 alpha-numeric characters consisting of upper, lower case letters, numbers and at least one special character! Microsoft has saved us from the horrors of passwords like P@$$W0rd and Qwerty1! and has led us to the Brave New World, we hail our new overlords of 1234 and 7777! We'll all be saved by Samsonite's random number generator.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    24. Re:If by Curunir_wolf · · Score: 2

      This only affects Microsoft Accounts and Azure AD, not local Windows accounts.

      In Windows 10, for many people your Microsoft Account IS your local Windows account (it's the default). It's much easier for Microsoft to control your computer that way.

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    25. Re: If by budgenator · · Score: 2

      Yea, how about the fact that most sites still haven't figured out what makes a password 'strong'. They seem to think an 8 character password with special characters is stronger than a 32 character password without.

      Seems like a no-brainer,
      66 alphanumeric and special characters, 66^8 = 3.6004060627e+14;
      46 alphabetic characters, 46^32 = 1.61529040681e+53

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    26. Re:If by budgenator · · Score: 2

      Because the list is dynamic, then as a password gets banned for a while, it'll drop off the list because new common passwords will replace it; UID poiuyt, password Qwerty1! might become acceptable again one day!

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    27. Re: If by Nocturna81 · · Score: 2

      Just leaving this here: https://xkcd.com/936/

  2. The more password rules you make... by Ecuador · · Score: 4, Informative

    While not allowing "common" passwords is not the worst idea, in general the more password rules you make, the worse passwords you'll get. In the end people end up writing them on post-it notes...
    Doesn't Microsoft own Skype? 'Cause I was trying to make a Skype account a couple of years ago and tried first concatenating three weird Greek words transliterated to Latin. I don't remember which words exactly; in any case, the password was rejected as too weak. Yeah, try cracking something like "poliefkoloskodikos" (aka "veryeasypassword"). It rejected a couple of others as well (it did not give you a specific reason - perhaps it would if I was on a desktop) and on the fourth try accepted something as simple as "river1". How is this kind of policy helped by banning e.g. "password1"? That is not the problem.
    Oh, my "favorite" password rules are the ones that reduce the search space for potential hackers.
    For example, I have one bank account that requires the password to start with a number. I have a network security camera that doesn't accept over 8 characters, and the list goes on...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:The more password rules you make... by Lehk228 · · Score: 2

      You were running into the basic "must have letters/numbers/caps" filter.

      --
      Snowden and Manning are heroes.
    2. Re:The more password rules you make... by Zarhan · · Score: 4, Insightful

      In the end people end up writing them on post-it notes...

      I'm not so sure this is a bad thing. Post-it notes still require physical access to the post-it-note. Which is pretty hard for a random bruteforcer to access over the Internet.

    3. Re:The more password rules you make... by houghi · · Score: 2

      The issue with passwords is that we need so many of them.
      IT people only look at the one access you get and make that safe to enter. They basically have a technical solution (login and password) for a social problem (people getting access to things they should not have) and that will not work out well.

      So what do IT people look at? The technical side. What they forget or see as a burden is the human side. They are not interested that I now not only have many places I need to log in to; in many places I am also unable to select my own login.

      At one place I worked I had 17 different logins from different types of access and several keys to type in a code as well. You bet I wrote shit down.

      To me all too often the reason for passwords is so that the IT department can say: well, WE did our best, so you can't blame us, so sue or fire somebody else. And not look at a real solution.

      And no, I am not able to have a password keeper program as on most systems I am not allowed to install anything and I am not always in the same location, nor do all have access to the Intertubes.

      --
      Don't fight for your country, if your country does not fight for you.
  3. LOLWUT by ArchieBunker · · Score: 4, Insightful

    This is a first. Someone on Slashdot making an argument for weak passwords.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:LOLWUT by bloodhawk · · Score: 2, Insightful

      No it is someone with an Anti-MS agenda that doesn't care his argument is idiotic, as long as it goes against what MS is doing.

  4. What could possibly go wrong... by green1 · · Score: 4, Informative

    "Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked"
    I've already fallen victim to this one. I had an @live.com email address that I used for things that were guaranteed to spam me. Things that needed a one time authentication and such. Unfortunately I made a typo once while trying to access the account. One typo, on one attempt. I've now been permanently locked out of the account.
    They said they just need to verify that it's me, but there's no possible way to do so. They say I can give them a phone number to verify it, but they don't have my phone number on file in the first place. The next option was their account recovery tool, but it requires you to tell them who you have sent mail to from the account, and as I've only ever received mail in this account and never sent anything out, I can't do that. I submitted the form anyway, but they tell me that they can't verify that I'm me so they won't unlock the account.

    Mostly I can just create another throw away account, but unfortunately another service took this opportunity to try to "re-verify" me by sending an email to this now locked out account, and because I can't get that email, I'm also locked out of the other service.

    Of course I should have known better, what idiot uses Microsoft for ANYTHING????

    1. Re:What could possibly go wrong... by subanark · · Score: 2

      Great sob story, bro. There are ways to set up recovery, you weren't really impacted by getting locked out, and you didn't state how it could have been better.

      PS: There are lots of "throw away" email services that are just for doing what you want to do.

    2. Re:What could possibly go wrong... by Deathlizard · · Score: 3, Informative

      Microsoft (or Google for that matter, just not as bad) doesn't play games with their account credentials anymore. You have to have an out of network way to verify your account or you're going to lose it. Either through a phone number or another email address, and dammit make sure it's up to date.

      Also the two factor app that MS has for Android is one of the best I've used when it comes to ease of use and how it's implemented. It's pretty much make sure the code on the PC matches the code in the authentication window and click approve on the phone if it does. No typing verification numbers like most authenticators. So it's a good idea to use that too since it will let you in if all else fails.

      This account protection of course makes it a pain with windows 8 or 10 users that use MS accounts for credentials. Half of the time they use stupid pins for their passwords and forget their real password, and MS doesn't like that sort of thing to adjust account settings. Especially if you got to refresh the PC. Just about once a week I have a conversation that goes something like

      (Me) What's your password for your PC?
      (grandma) It's 1111
      (Me) No that's your pin. I need the password
      (grandma) but it lets me in the computer so that's my password
      (Me) (Three minute explanation of the difference between a pin and a password)
      (grandma) oh... well, I don't know it 'cause my grandson set it up. (or it's in my password book buried at my desk) can you reset it?

      Then you find out that their recovery creds were an old Email and phone number from a DSL/Phone provider they no longer have and have to go through the account verify process of shame that the Parent post went through, which never seems to work until you submit it 3 or more times regardless of how much info you put in the thing.

  5. Re:Use password strength as the criterion by Drishmung · · Score: 2

    That is essentially what they are doing. But, added to the simple rule based strength measure is a set of current rainbow tables. If they are throwing out the other silly rules, like mixed case, numerals etc and just looking at objectively weak passwords (a password in a rainbow table is objectively weak) then this sounds great.

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
  6. Re:Rogue patch to circumvent this in..... by Anonymous Coward · · Score: 2, Informative

    This will be instantly patched around with either a registry edit or a binary rogue patch available for download.

    This is a Microsoft Account / Azure Active Directory, not a local Windows machine user account. Since they're cloud-based services, a local patch won't work.

  7. Password not accepted by CanadianMacFan · · Score: 3, Funny

    Your new password is not accepted. Please install Windows 10 and try a new password.

  8. Come on, already by hcs_$reboot · · Score: 2

    Microsoft bans your favorite passwords, Microsoft forces you to update to v 10 even though you said "fuck off", MS does this, MS does that. For chrissake, use something else, another OS!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  9. Re:Eastern Europe by subanark · · Score: 2

    This doesn't solve much. You just force the amateur hackers to use proxies, which makes it more difficult to do forensic analysis. At the same time you prevent that 1/1000 person who is traveling to Russia and needs to access their account. Sounds like a lose-lose situation to me.

  10. They should know! by gavron · · Score: 2

    Microsoft leads the world in insecure software, so on the 20th anniversary of Windows 95 it's good they're working to help.

    On the other hand any time you decrease keyspace by creating arbitrary rules ("Must contain this", "must contain that") you constrain an otherwise limitless keyspace and make it easier to guess.

    I want to wish them well... because it appears they are well-intentioned. Sadly, they are still incompetent.

    Want to make stronger passwords? Don't REQUIRE people to use specific parts of the keyspace.
    Want to make stronger systems? Don't make your Win95/Win98/WinME/Win2K/WinXP/Vista/7/10 compatible with DOS so people can pwn your users.
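An added example (not from either comment) that puts numbers on both budgenator's 66^8 vs 46^32 comparison earlier in the thread and gavron's point that mandatory composition rules shrink the keyspace: it counts, by inclusion-exclusion, how many strings of a given length survive a "must contain one of each class" rule and how many bits of guessing space that discards. The class sizes are assumptions, with a constructed 4-symbol special set so that the four classes total 66.

```python
from itertools import combinations
from math import log2

# Assumed character-class sizes; the 4-symbol special set is a constructed
# choice so that lower + upper + digit + special = 66, the alphabet size
# behind the thread's 66^8 figure.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 4}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing space for uniformly random strings of this shape."""
    return length * log2(alphabet_size)


def count_with_required(length: int, classes: dict, required: tuple) -> int:
    """Number of strings of `length` over the union of `classes` that contain
    at least one character from every class in `required`.

    Inclusion-exclusion over the subsets of required classes that are
    entirely missing: strings that avoid a subset of classes are drawn
    from the smaller remaining alphabet."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def composition_rule_cost(length: int, classes: dict, required: tuple) -> dict:
    """Compare the unconstrained keyspace with the subset that passes a
    'must contain one of each required class' rule."""
    alphabet = sum(classes.values())
    unconstrained = alphabet ** length
    allowed = count_with_required(length, classes, required)
    return {
        "unconstrained": unconstrained,
        "allowed": allowed,
        "fraction_allowed": allowed / unconstrained,
        "bits_lost": log2(unconstrained) - log2(allowed),
    }


if __name__ == "__main__":
    # budgenator's comparison: 8 chars over 66 symbols vs 32 chars over 46
    print(66 ** 8, round(keyspace_bits(66, 8), 1), "bits")
    print(46 ** 32, round(keyspace_bits(46, 32), 1), "bits")
    # gavron's point: requiring all four classes throws away part of 66^8
    print(composition_rule_cost(8, CLASSES, ("lower", "upper", "digit", "special")))
```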

  11. Great! by allo · · Score: 3, Insightful

    "Your password is weak, because 3 Million Users are already using it"

    Cool, I found a common one! Let's try to use it on billgates@hotmail.com! Gotcha!

    A whole new way to update your wordlists.