Microsoft has reacted to last week’s LinkedIn leak that saw the details of over 167 million users appear online. In an attempt to improve security, the Redmond company is banning the use of easy (i.e. stupid) passwords.
The LinkedIn breach showed that the site's most commonly used passwords were the ingenious “Linkedin,” and the ever-popular “123456.” In response, Microsoft is creating a list of weak passwords and banning their use from the Microsoft Account and Azure AD (Active Directory) system.
Microsoft’s list will be updated dynamically with entries drawn from data on new attacks. So if a recent leak shows people are starting to use new dumb passwords, those will be added to the banned list as well.
“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyse the passwords that are being used most commonly,” wrote Alex Weinert, Group Program Manager of the Azure AD Identity Protection team.
“Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.”
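To make the mechanism concrete, here is an added example (not Microsoft’s code; the normalisation rules, the seed list and the breach sample are all assumptions) of a banned-password policy that folds common character substitutions before comparison, rejects passwords that merely contain a banned term, and grows its list from the most frequent entries in a breach sample:

```python
import string
import unicodedata
from collections import Counter

# Substitutions credential-stuffing tools already try; fold them before comparison
# (assumption: the article does not describe Microsoft's exact normalisation rules).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Leading/trailing digits and punctuation are stripped so "Password2016!" matches "password".
AFFIXES = string.digits + " " + "".join(c for c in string.punctuation if c not in "@$")


def fold(password: str) -> str:
    """Normalise a password to the form stored in the banned list."""
    base = unicodedata.normalize("NFKC", password).casefold()
    core = base.strip(AFFIXES) or base          # all-digit passwords like "123456" keep their form
    if any(c.isalpha() for c in core):          # only de-leet strings that contain letters
        core = core.translate(LEET)
    return core


class BannedPasswordPolicy:
    """Rejects passwords on, or close to, a list that grows from breach data."""

    def __init__(self, seed: list[str]) -> None:
        self.banned = {fold(p) for p in seed}

    def ingest_breach_sample(self, leaked: list[str], top_n: int = 3) -> set[str]:
        """Add the most frequently used passwords from a breach dump to the list."""
        counts = Counter(fold(p) for p in leaked)
        added = {p for p, _ in counts.most_common(top_n)}
        self.banned |= added
        return added

    def check(self, password: str) -> tuple[bool, str]:
        """Return (allowed, reason) for a candidate password."""
        folded = fold(password)
        if folded in self.banned:
            return False, f"normalises to banned entry '{folded}'"
        for term in sorted(self.banned):             # substring match, e.g. "mypassword"
            if len(term) >= 5 and term in folded:
                return False, f"contains banned term '{term}'"
        return True, "ok"


if __name__ == "__main__":
    policy = BannedPasswordPolicy(["password", "LinkedIn", "123456"])   # constructed seed list
    print(policy.check("P@ssw0rd2016!"))      # rejected: folds to "password"
    # constructed breach sample standing in for a real leak
    print(policy.ingest_breach_sample(["qwerty", "Qwerty!", "letmein", "qwerty99", "letmein", "sunshine"], top_n=2))
    print(policy.check("qwerty99"))           # rejected after the list update
```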
The company has already rolled the feature out to Microsoft Account Service, which covers the likes of Outlook, Office, Skype, Xbox, etc. It’s in private preview in Azure AD, and will roll out fully across the coming months.
While it’s safe to assume that the overwhelming majority of readers won’t notice the change, as they know not to use terrible passwords, Microsoft’s new feature should drastically reduce the number of incidents where people think the word “password” makes a good password.