Microsoft has decided to ban commonly used weak passwords entirely, so users can't pick an effort which is bereft of any real level of security or common sense, following the most recent major password spillage which hit LinkedIn.
You know the sort of passwords we mean – the ones which appear on the dumbest password lists that pop up frequently such as '123456' or the immortal 'password' – and these proved to be popular choices for hacked LinkedIn accounts despite their obvious glaring stupidity.
Hence Microsoft has now banned such common passwords from the Microsoft Account and Azure AD (Active Directory) system, so if there does happen to be a hack or spillage of some kind, your encrypted password is guaranteed not to be one of these trivially guessable affairs.
Alex Weinert, Group Program Manager of the Azure AD Identity Protection team, commented: "When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyse the passwords that are being used most commonly.
"Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work."
Millions of intrusions
Weinert's TechNet post (opens in new tab) further noted that Microsoft sees over 10 million accounts attacked every day, which provides a great deal of data about the passwords employed in these attempted intrusions, with that data being used to maintain a constantly updated list of blocked passwords.
This system of banned passwords is now already in play for Microsoft accounts, and is in private preview for Azure AD, with it fully rolling out to the latter over the next few months.
Of course, to further strengthen your password security it's a good idea to adopt two-factor authentication – across any account or online service that offers it – and Redmond notes that Azure AD admins should ensure that all users are properly configured for Azure multi-factor authentication.
Via: The Register
- Check out why we'd all rather use our bodies than passwords