TechSpot

Microsoft bans stupid passwords in wake of LinkedIn leak

By midian182
May 26, 2016
  1. Microsoft has reacted to last week’s LinkedIn leak, which saw the details of over 167 million users appear online. In an attempt to improve security, the Redmond company is banning the use of easy (i.e. stupid) passwords.

    The LinkedIn breach showed that the site's most commonly used passwords were the ingenious “Linkedin,” and the ever-popular “123456.” In response, Microsoft is creating a list of weak passwords and banning their use from the Microsoft Account and Azure AD (Active Directory) system.

    Microsoft’s list will be dynamically updated with entries based on data from new attacks. So if a recent leak shows people are starting to use new dumb passwords, they’ll be added to the rest of those that are banned.

    "When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyse the passwords that are being used most commonly,” wrote Alex Weinert, Group Program Manager of the Azure AD Identity Protection team.

    "Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work."

    The company has already rolled the feature out to Microsoft Account Service, which covers the likes of Outlook, Office, Skype, Xbox, etc. It’s in private preview in Azure AD, and will roll out fully across the coming months.

    While it’s safe to assume that the overwhelming majority of readers won’t notice the change, as they know not to use terrible passwords, Microsoft’s new feature should drastically reduce the number of incidents where people think the word “password” makes a good password.
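The mechanism the article describes, a banned-password list that rejects weak choices and grows as new breach data arrives, as an added example (not Microsoft's code; the seed list, the leet-substitution table and the sample "leak" are constructed here, and the substring/normalization matching is an assumption about how such a filter behaves):

```python
import re
from collections import Counter

# Constructed seed list; the article does not publish Microsoft's actual list.
BANNED = {"password", "123456", "linkedin", "qwerty", "letmein"}

# Substitutions undone before matching, so "P@ssw0rd" is caught as "password".
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s", "5": "s", "4": "a", "!": "i"})

def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and drop a trailing digit/symbol suffix."""
    base = password.lower().translate(LEET)
    return re.sub(r"[^a-z]+$", "", base) or base

def is_banned(password: str, banned=BANNED) -> bool:
    """Reject when the raw or the normalized password contains any banned term."""
    forms = {password.lower(), normalize(password)}
    return any(term in form for term in banned for form in forms)

def update_from_leak(leak_passwords, banned=BANNED, top_n=3, min_count=2):
    """Add the most common passwords of a new dump to the list; returns what was added."""
    counts = Counter(p.lower() for p in leak_passwords)
    added = [p for p, c in counts.most_common(top_n) if c >= min_count and p not in banned]
    banned.update(added)
    return added

if __name__ == "__main__":
    # Constructed sample "leak" showing the list growing with new attack data.
    leak = ["Linkedin", "123456", "123456", "Monkey", "monkey", "123456", "unique1"]
    print("added:", update_from_leak(leak))
    for pw in ["P@ssw0rd2016", "Monkey!", "Tr0ub4dor&3"]:
        print(pw, "banned" if is_banned(pw) else "allowed")
```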


     
  2. DAOWAce

    DAOWAce TS Booster Posts: 249   +30

    Wonderful. Microsoft doing something right for once.
     
  3. Uncle Al

    Uncle Al TS Evangelist Posts: 1,660   +767

    It will be interesting to see what tests the limits of "stupid" in regards to Microsoft. Now, if they could also ban "stupid" decisions by their managers and staff, THAT would be an accomplishment!!!!
     
    DaveBG, wiyosaya, wastedkill and 2 others like this.
  4. p51d007

    p51d007 TS Evangelist Posts: 908   +384

    You can't fix stupid. I still see many business level desktops, splattered with post-it notes with passwords.
    I work on office equipment and you'd be surprised on multifunction printers, how many still use 123456 as the admin password, and, have the pin code to access the machine on a post-it note. Heck, I know one hospital, to me this would be a HIPAA violation, has the pin code for SECURE PRINTING, written with a sharpie pen, on the side of the display!
     
    wiyosaya likes this.
  5. Agnomen

    Agnomen TS Enthusiast

    Honestly I wish more companies would restrict use of stupid and blatantly insecure passwords. Banks in particular. I know many of them require a capital or a number, but Password1 is still not what I would call secure.
     
  6. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 8,549   +2,894

    Seriously why does this matter? Weak passwords only affect (that is if ever) the consumer using them.
     
  7. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,506   +498

    You never hear "stupid user gets his life hacked", you hear (or read) "insecure system gets hacked".
     
    Darth Shiv likes this.
  8. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 8,549   +2,894

    The stupidity of the consumer should only concern the stupid consumer. Again I ask why does this matter?
     
  9. Chesterfried

    Chesterfried TS Rookie Posts: 17

    You know those stupid consumers are going to be harassing Microsoft when their accounts are hijacked, this helps limit their account administration costs, while also protecting their stupid customers. Win win.
     
    Darth Shiv likes this.
  10. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,620   +376

    For an online system, there should be a failed password attempt rate limit and a temp lockout policy. Always! And notifications if password attempts fail. The system should also monitor widespread failed password attempts across the system.

    Systems that don't limit the number of failures in a given period for online services are well behind best practices and the service and not the consumer rightly should be flamed for it. It's just basic due diligence.

    There is the old strategy of statistical account hacking. If 1% of all passwords are "Password" and you know the format of user accounts (e.g. an 8 digit number), you only need to guess 100 account numbers to statistically break into 1. Having strong passwords required will mostly solve that.

    Basically, for getting your customers into good habits, it makes sense to require stronger passwords. For both online and offline access.
     
    wiyosaya likes this.
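The controls Darth Shiv lists above (per-account failure limit with a temporary lockout, notifications, and a system-wide failure monitor) together with his 100-accounts-at-1% estimate, as an added example that is not from the thread or from any product; thresholds and account-number format are assumed:

```python
from collections import defaultdict, deque

class LoginGuard:
    """Per-account lockout plus a global failure counter that notices password spraying."""

    def __init__(self, max_failures=5, window=300, lockout=900, spray_threshold=50):
        self.max_failures = max_failures        # failures per account per window
        self.window = window                    # seconds a failure stays counted
        self.lockout = lockout                  # seconds an account stays locked
        self.spray_threshold = spray_threshold  # global failures per window that alert
        self.failures = defaultdict(deque)      # account -> recent failure timestamps
        self.locked_until = {}                  # account -> time the lock expires
        self.global_failures = deque()          # timestamps of failures on any account
        self.alerts = []                        # (time, kind, subject) notifications

    @staticmethod
    def _prune(dq, now, window):
        while dq and dq[0] <= now - window:
            dq.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Returns 'locked', 'ok' or 'fail'; a correct password is refused while locked."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self.failures[account].clear()
            return "ok"
        dq = self.failures[account]
        dq.append(now)
        self._prune(dq, now, self.window)
        self.global_failures.append(now)
        self._prune(self.global_failures, now, self.window)
        if len(self.global_failures) == self.spray_threshold:  # fires once per crossing
            self.alerts.append((now, "spray", self.spray_threshold))
        if len(dq) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.alerts.append((now, "lockout", account))
            dq.clear()
            return "locked"
        return "fail"

def expected_compromises(accounts_tried, share_using_guess):
    return accounts_tried * share_using_guess  # 100 accounts x 1% using "Password" = 1

def simulate_spray(guard, n_accounts, now=0):
    """One wrong guess per 8-digit account: no lockout fires, only the global monitor."""
    for i in range(n_accounts):
        guard.attempt(f"{i:08d}", False, now)
    return [a for a in guard.alerts if a[1] == "spray"]
```

The spray simulation is the case per-account lockout alone misses: each account sees a single failure, so only the system-wide counter raises the alert.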
  11. tonylukac

    tonylukac TS Evangelist Posts: 1,309   +56

    Up till now, I was unable to get my Windows Live password changed because the servers were down and it never called you back or whatever it was supposed to do in the 10 step process necessary to change the password. Stupid is what Microsoft is. Now try to change it. How do I explain to the archaic brains of my mother or some customer communicating remotely after they wrote it down that there's a list of some passwords that some ignoramus at Microsoft decided was stupid? I say let me have ANY password of even 1 letter length because I'm the boss of my password. I never had passwords breached. All you do is encourage people to never change the password. When they breach them, they break into the server and list them so it really doesn't matter if you had a hundred letter password.
     
  12. OgnDulk

    OgnDulk TS Enthusiast Posts: 26   +6

    Now I know why I got an email to change my LinkedIn password.
     
    DaveBG and Darth Shiv like this.
  13. wiyosaya

    wiyosaya TS Evangelist Posts: 1,035   +268

    Got that right. And there are so many sites that only allow a 10-character password. WTF??
     
  14. wiyosaya

    wiyosaya TS Evangelist Posts: 1,035   +268

    Well, they cannot list them if they are encrypted on the server. If they are not, shame on the web site. So did LinkedIn have a non-encrypted password file? If so, they ought to fire the entire staff that is responsible for maintaining their servers.
     
  15. tonylukac

    tonylukac TS Evangelist Posts: 1,309   +56

    It doesn't matter if it's encrypted because you can take the encrypted password and search google with it and find the real one if it's a common word, more than are covered by a stupid list. To avoid that, it could be salted, but some aren't. They almost have a good idea, but not quite.
     
  16. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,620   +376

    Yes good passwords, good salts are part of doing it right. 10 character limits are just lazy and not future proof.

    Would you secure your social with an 8-character password if that's secure today but not tomorrow? I don't think that's particularly wise.
     
  17. wiyosaya

    wiyosaya TS Evangelist Posts: 1,035   +268

    I absolutely agree about stupid passwords, but any site that does not encrypt their passwords is asking for trouble even if the password is not stupid.
     
    cliffordcooley likes this.
  18. URUKHAI

    URUKHAI TS Rookie

    For one, the "stupid" consumer may also compromise their school or workplace in the same way, especially if they use the same password(s). In this case, their workplace gets compromised too. It's giving the proverbial keys to the castle away when a simple deterrent would be using a more secure password.
     
