May 28 2016

Microsoft Plans to Eliminate Bad Passwords


Following on the heels of last week's reports about LinkedIn passwords weak enough to make you blush, security staff at Redmond have moved quickly to protect their own services – including OneDrive, Azure AD and of course Xbox Live – against a similarly catastrophic failure.

Security admins know that the vast majority of password policies suffer from a common and embarrassing weakness: they remain unenforceable even when the rules are precisely specified and their necessity is beyond dispute, because there is always a small group of colleagues (or superiors) who simply can't be bothered to follow even the simplest, most sensible advice. As a result, many admins sooner or later give up the fight and relax the password requirements, thereby making the passwords easier to crack. This might not be too bad if password crackers existed only as a theoretical concept; however, statistics from security firms have shown time and again that pretty much every user falls victim to a successful password attack and its aftereffects at least once in her or his online life. Even so, the sheer number and persistence of password issues suggests that the learning curve remains relatively flat – even users who have lost money in the wake of such incidents tend to stick with short and easy-to-remember (and therefore easy-to-guess) alphanumeric sequences, either because they want to or because they must.

To avoid such complications, Microsoft – often criticized for security flaws in its products and services – now follows a surprisingly radical approach. Effective immediately, Redmond automatically blocks the choice of weak passwords and of variants that look too similar to them. As Alex Weinert, Group Program Manager of Microsoft's Azure AD Identity Protection team, explained in a blog post on TechNet, both new and existing users are prompted to adhere to certain minimum standards ("8-character minimum, case sensitive") and/or pick more elaborate number-letter combinations, or face the danger of losing access to the files, documents, emails etc. they have stored somewhere in Microsoft's cloud. (The picture at the top shows what the prompt will look like when you try to sign into your Outlook or OneDrive account.) The same feature is currently in "private preview" on Azure Active Directory, Microsoft's identity management and authentication service for corporate cloud users. Ars Technica's Security Editor has tested the dynamic ban and notes that although it's definitely an improvement, it's still too easy to circumvent – as it stands, "Pa$$w0rd1" did not provoke the well-deserved prompt.
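As an added illustration of why the "Pa$$w0rd1" case matters (this is not Microsoft's code; its banned list and matching rules are not public, and the list below is a constructed sample), here is a banned-password check that folds case, undoes common character substitutions and strips numeric padding before matching, so that such variants are still rejected:

```python
import re
from typing import Tuple

# Constructed sample of a banned list; entries are stored already normalized.
BANNED_BASE_WORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou"}

# Common "leet" substitutions that cracking wordlists routinely try as well.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(candidate: str) -> str:
    """Fold case, drop leading/trailing digits, undo leet substitutions and
    strip any remaining edge symbols, so 'Pa$$w0rd1' and 'P@ssword!' both
    reduce to 'password'."""
    folded = candidate.lower()
    folded = re.sub(r"^\d+|\d+$", "", folded)      # "password2016" -> "password"
    folded = folded.translate(LEET_MAP)            # "pa$$w0rd"     -> "password"
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)  # "password!"  -> "password"


def is_banned(candidate: str, min_length: int = 8) -> Tuple[bool, str]:
    """Return (rejected, reason). Rejects passwords below the minimum length,
    exact matches to the banned list after normalization, and passwords that
    merely wrap a banned word in extra characters."""
    if len(candidate) < min_length:
        return True, "shorter than minimum length"
    base = normalize(candidate)
    if base in BANNED_BASE_WORDS:
        return True, f"normalizes to banned word '{base}'"
    for word in BANNED_BASE_WORDS:
        if word in base:
            return True, f"contains banned word '{word}'"
    return False, "ok"


if __name__ == "__main__":
    for pw in ["Pa$$w0rd1", "MyPassword2016", "short1", "correcthorsebatterystaple"]:
        print(pw, "->", is_banned(pw))
```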

In his blog post, Weinert also introduced "Smart Password Lockout," another protection mechanism that could cause greater irritation despite the good intentions behind it. In essence, it prevents criminals from repeatedly trying to sign into 'their' accounts with invalid credentials by limiting the number of possible attempts, much as iOS does. The problem is that, quite logically, the same will happen when the legitimate account owner makes a mistake – and is then invited to solve a captcha before proceeding. Given the popularity of the often unintelligible captchas among Internet users, this may not be a particularly wise choice.

Meanwhile, Robyn Hicock – a member of Microsoft's Identity Protection Team – has written a white paper on the latest best practices for password security, which we've attached below.


