Microsoft bans stupid passwords in wake of LinkedIn leak

midian182

Posts: 9,632   +120
Staff member

Microsoft has reacted to last week’s LinkedIn leak, which saw the details of over 167 million users appear online. In an attempt to improve security, the Redmond company is banning the use of easy (i.e. stupid) passwords.

The LinkedIn breach showed that the site's most commonly used passwords were the ingenious “linkedin” and the ever-popular “123456.” In response, Microsoft is maintaining a list of weak passwords and banning their use across the Microsoft Account and Azure AD (Azure Active Directory) systems.

Microsoft’s list will be dynamically updated with entries based on data from new attacks. So if a recent leak shows people are starting to use new dumb passwords, they’ll be added to the rest of those that are banned.

"When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyse the passwords that are being used most commonly,” wrote Alex Weinert, Group Program Manager of the Azure AD Identity Protection team.

"Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work."
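The following Python is an added illustration of a banned-password check of the kind the article describes; it is not Microsoft's code, and the article does not publish Microsoft's list or its matching rules. A candidate password is compared against the list after lowercasing, trimming leading and trailing digits and symbols and undoing common substitutions, so that "Password1" and "P@ssw0rd!" are rejected along with "password"; a second function shows how such a list can be grown from the most common entries in a breach dump, which is the "dynamically updated" part. The banned list, the normalization rules and the sample dump are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample banned list for this example (Microsoft's real list is not
# published in the article and is refreshed from live attack data).
BANNED = {"password", "123456", "linkedin", "qwerty", "letmein", "welcome", "abc123"}

# Substitutions attackers already try in their wordlists; an assumption for the example.
LEET = str.maketrans("@$0!134", "asoiiea")


def normalize(password: str) -> str:
    """Reduce a password to the 'core' word an attacker's list would contain.

    "Password1!" -> "password", "P@ssw0rd" -> "password", "123456" -> "123456".
    """
    pw = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw)  # drop digits/symbols at either end
    return core.translate(LEET) if core else pw  # all-digit passwords keep their raw form


def is_banned(password: str, banned=BANNED) -> bool:
    """True if the raw or normalized password appears on the banned list."""
    forms = {password.lower(), normalize(password)}
    return any(f in banned for f in forms)


def check_password(password: str, banned=BANNED, min_length: int = 8):
    """Return (accepted, reason) for a candidate password."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_banned(password, banned):
        return False, "matches a commonly attacked password"
    return True, "ok"


def update_banned_from_dump(banned: set, leaked_passwords, top_n: int = 3) -> set:
    """Add the top_n most common normalized passwords from a leaked dump to the list.

    This is the 'dynamically updated' behaviour: whatever shows up most often in
    the latest breach is what attackers will try next, so it gets banned.
    """
    counts = Counter(normalize(p) for p in leaked_passwords)
    for pw, _count in counts.most_common(top_n):
        banned.add(pw)
    return banned


if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd!", "Linkedin2016!", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate)}")

    # Constructed dump, not real breach data.
    dump = ["linkedin", "Linkedin1", "123456", "123456",
            "sunshine", "sunshine!", "Sunshine2016", "zebra"]
    grown = update_banned_from_dump(set(BANNED), dump, top_n=1)
    print("after update, 'Sunshine1' banned:", is_banned("Sunshine1", grown))
```

Note that the check only rejects exact and near matches of listed words; a length minimum and a rate limit on failed logins are still needed, since a list can never cover every weak choice.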

The company has already rolled the feature out to the Microsoft Account service, which covers the likes of Outlook, Office, Skype and Xbox. It’s in private preview in Azure AD and will roll out fully over the coming months.

While it’s safe to assume that the overwhelming majority of readers won’t notice the change, as they know not to use terrible passwords, Microsoft’s new feature should drastically reduce the number of incidents where people think the word “password” makes a good password.


 
You can't fix stupid. I still see many business-level desktops splattered with post-it notes with passwords.
I work on office equipment, and you'd be surprised how many multifunction printers still use 123456 as the admin password and have the PIN code to access the machine on a post-it note. Heck, I know one hospital, and to me this would be a HIPAA violation, that has the PIN code for SECURE PRINTING written with a Sharpie pen on the side of the display!
 
Honestly, I wish more companies would restrict the use of stupid and blatantly insecure passwords. Banks in particular. I know many of them require a capital or a number, but Password1 is still not what I would call secure.
 
Seriously, why does this matter? Weak passwords only affect (that is, if ever) the consumer using them.
You know those stupid consumers are going to be harassing Microsoft when their accounts are hijacked, this helps limit their account administration costs, while also protecting their stupid customers. Win win.
 
Seriously, why does this matter? Weak passwords only affect (that is, if ever) the consumer using them.
For an online system, there should be a failed password attempt rate limit and a temp lockout policy. Always! And notifications if password attempts fail. The system should also monitor widespread failed password attempts across the system.

Systems that don't limit the number of failures in a given period for online services are well behind best practices, and the service, not the consumer, rightly should be flamed for it. It's just basic due diligence.

There is the old strategy of statistical account hacking. If 1% of all passwords are "Password" and you know the format of user accounts (e.g. an 8 digit number), you only need to guess 100 account numbers to statistically break into 1. Having strong passwords required will mostly solve that.

Basically, for getting your customers into good habits, it makes sense to require stronger passwords. For both online and offline access.
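The post above makes two separate points: a per-account lockout, and a system-wide monitor for the "statistical" attack where one common password is tried once against many accounts. The Python below is an added example, not code from any of the commenters or from Microsoft, that runs both checks over a constructed authentication log and carries the post's 1%-of-100-accounts arithmetic through. The event format, the thresholds and the sample IPs and account numbers are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample events (epoch seconds, account, source IP, outcome); not real data.
EVENTS = []
# One attacker hammering a single account: this is what a per-account lockout catches.
EVENTS += [(1000 + i * 5, "10000001", "198.51.100.7", "fail") for i in range(8)]
# One attacker trying a single popular password against 20 different 8-digit accounts:
# one failure per account, so no account ever reaches the lockout threshold.
EVENTS += [(2000 + i * 3, f"{10000010 + i:08d}", "203.0.113.9", "fail") for i in range(20)]
EVENTS.append((2070, "10000025", "203.0.113.9", "success"))  # the statistical hit
# Ordinary users: one good login and one typo.
EVENTS += [(1500, "10000042", "192.0.2.10", "success"),
           (2500, "10000042", "192.0.2.10", "fail")]
EVENTS.sort()


def locked_accounts(events, max_failures=5, window=300):
    """Per-account policy: lock after max_failures failed attempts within window seconds."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    locked = set()
    for ts, account, _ip, outcome in events:
        if outcome != "fail":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= max_failures:
            locked.add(account)
    return locked


def spraying_sources(events, min_accounts=10, window=300):
    """System-wide monitor: a source failing against many *distinct* accounts in a window.

    Returns {ip: max number of distinct accounts failed within one window}.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, account) of recent failures
    flagged = {}
    for ts, account, ip, outcome in events:
        if outcome != "fail":
            continue
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) >= min_accounts:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def expected_hits(fraction_using_password, accounts_tried):
    """Expected compromises and P(at least one) for one password tried across accounts."""
    expected = fraction_using_password * accounts_tried
    p_at_least_one = 1 - (1 - fraction_using_password) ** accounts_tried
    return expected, p_at_least_one


if __name__ == "__main__":
    print("per-account lockouts:", locked_accounts(EVENTS))
    print("spraying sources   :", spraying_sources(EVENTS))
    print("1%% of accounts, 100 tried: expected %.2f, P(any) %.3f" % expected_hits(0.01, 100))
```

Run as-is, the brute-force source only ever appears in the first result and the spraying source only in the second, which is the point: the two controls catch different attacks, and a service that implements only the per-account lockout is blind to the one that a banned-password list is meant to blunt.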
 
Up till now, I was unable to get my Windows Live password changed because the servers were down and it never called you back or whatever it was supposed to do in the 10-step process necessary to change the password. Stupid is what Microsoft is. Now try to change it. How do I explain to the archaic brains of my mother or some customer communicating remotely, after they wrote it down, that there's a list of some passwords that some ignoramus at Microsoft decided was stupid? I say let me have ANY password, even of 1-letter length, because I'm the boss of my password. I never had passwords breached. All you do is encourage people to never change the password. When they breach them, they break into the server and list them, so it really doesn't matter if you had a hundred-letter password.
 
Honestly, I wish more companies would restrict the use of stupid and blatantly insecure passwords. Banks in particular. I know many of them require a capital or a number, but Password1 is still not what I would call secure.
Got that right. And there are so many sites that only allow a 10-character password. WTF??
 
Up till now, I was unable to get my Windows Live password changed because the servers were down and it never called you back or whatever it was supposed to do in the 10-step process necessary to change the password. Stupid is what Microsoft is. Now try to change it. How do I explain to the archaic brains of my mother or some customer communicating remotely, after they wrote it down, that there's a list of some passwords that some ignoramus at Microsoft decided was stupid? I say let me have ANY password, even of 1-letter length, because I'm the boss of my password. I never had passwords breached. All you do is encourage people to never change the password. When they breach them, they break into the server and list them, so it really doesn't matter if you had a hundred-letter password.
Well, they cannot list them if they are encrypted on the server. If they are not, shame on the web site. So did LinkedIn have a non-encrypted password file? If so, they ought to fire the entire staff that is responsible for maintaining their servers.
 
Well, they cannot list them if they are encrypted on the server. If they are not, shame on the web site. So did LinkedIn have a non-encrypted password file? If so, they ought to fire the entire staff that is responsible for maintaining their servers.
It doesn't matter if it's encrypted because you can take the encrypted password and search google with it and find the real one if it's a common word, more than are covered by a stupid list. To avoid that, it could be salted, but some aren't. They almost have a good idea, but not quite.
 
Yes, good passwords and good salts are part of doing it right. 10-character limits are just lazy and not future-proof.

Would you secure your social with a 8 character password if that's secure today but not tomorrow? I don't think that's particularly wise.
 
It doesn't matter if it's encrypted because you can take the encrypted password and search google with it and find the real one if it's a common word, more than are covered by a stupid list. To avoid that, it could be salted, but some aren't. They almost have a good idea, but not quite.
I absolutely agree about stupid passwords, but any site that does not encrypt their passwords is asking for trouble even if the password is not stupid.
 
The stupidity of the consumer should only concern the stupid consumer. Again I ask why does this matter?
For one, the "stupid" consumer may also compromise their school or workplace in the same way, especially if they use the same password(s). In this case, their workplace gets compromised too. It's giving the proverbial keys to the castle away when a simple deterrent would be using a more secure password.
 