If you’re using the Microsoft Account service to sign into the various services offered by the company, and you tried to set up a too commonly used password, you have already witnessed Microsoft’s dynamical banning of common passwords in action.
Now, that same approach is in the private preview phase for Azure Active Directory users and, over the next few months, all of the 10m+ Azure AD tenants will benefit from it.
Which are the common passwords?
Alex Weinert, Group Program Manager of Azure AD Identity Protection team, explained how they decide which passwords are too common.
They’ve created an automated system that is fed lists of usernames and passwords that have been stolen from other companies and organizations, and leaked online or offered for sale; and a list of usernames and passwords compiled from the over 10 million daily credential attacks their identity systems are hit with (a list that is constantly updated).
Based on that, the system identifies the too often repeated, easily guessable passwords, and choosing such a password – or a too similar one – becomes impossible.
“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly,” Weinert noted. “Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.”
Additional security choices
Interestingly enough, when Microsoft asks users to choose a password, the only requirement is that it’s 8 characters long or more.
They chose not to set a longer length requirement or a password complexity requirement, and they advise IT administrators not to force mandatory periodic password resets for user accounts. Why? Because people react in predictable ways when confronted with similar sets of restraints.
Through previous research, Microsoft has discovered that:
- Longer password requirements usually result in people repeating patterns (e.g. passwordpassword), opting for writing their passwords down and reusing them
- Password complexity requirements result in passwords that use similar patterns (e.g. capital letter in the first position, a symbol in the last, and a number in the last two), which makes them easier to discover through dictionary attacks.
- Mandatory periodic password resets result in users choosing passwords closely related to the previous ones (i.e. they “update” an older one), which results in easily guessable passwords.
More recommendations for password management for both users and admins are provided in this whitepaper, as well as advice on how to choose a good (strong and unique) password, and other good practices for keeping accounts safe.