Microsoft bans passwords from breach lists
Passwords seen on breach lists are now forbidden for Microsoft users.
On the heels of a breach last week that exposed passwords of 117 million LinkedIn users, Microsoft has put in place new password security for users of its Azure Active Directory, according to The Register.
Users are now prevented from choosing a password that has repeatedly appeared on breach lists or has been tried too many times in suspicious sign-in attempts.
“What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work”, stated Alex Weinert, group program manager of the Azure AD Identity Protection team.
The point, he explained, citing a paper by another team member, is to make users alter the manner in which they think about password policies. Password length requirements, password “complexity” requirements and regular, periodic password expiration are no longer adequate and, in fact, make passwords easier for miscreants to crack, he said.
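As an added example (not Microsoft's code; the article does not describe how the Azure AD check is implemented), the following Python sketch shows the two signals the article names: a check that rejects any password “anywhere near” an entry on a breach list, and a counter that feeds passwords tried too often in suspicious sign-in attempts into the same banned set. The breach entries, the substitution table, the spray-attempt stream and the threshold are all constructed for this example.

```python
from __future__ import annotations

import re
import string
import unicodedata
from collections import Counter

# Constructed stand-in for a breach list. A real deployment would load the most
# common entries from leaked dumps; these values are illustrative only.
BREACH_LIST = ["Password", "letmein", "qwerty123", "Welcome1", "iloveyou", "LinkedIn2016"]

# Undo the substitutions that cracking rule sets apply, so "P@$$w0rd" and
# "password" collapse to the same base word. Assumed table, not Microsoft's.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "l", "!": "i", "3": "e", "7": "t", "|": "l",
})

MIN_BASE_LEN = 4  # bases shorter than this would match almost anything


def normalize(password: str) -> str:
    """Collapse a candidate to the letter-only base word a cracker would recover."""
    s = unicodedata.normalize("NFKC", password).casefold()
    s = s.rstrip(string.digits + string.punctuation + " ")  # drop appended year/symbol
    s = s.translate(LEET_MAP)                               # reverse in-word substitutions
    return re.sub(r"[^a-z]", "", s)


def build_banned_bases(entries) -> set[str]:
    """Normalize leaked passwords into the set of base words to reject."""
    return {b for b in map(normalize, entries) if len(b) >= MIN_BASE_LEN}


BANNED_BASES = build_banned_bases(BREACH_LIST)


def add_sprayed_passwords(attempts, threshold: int, banned: set[str]) -> set[str]:
    """Second signal from the article: passwords tried too often in suspicious
    sign-in attempts. Bans any base seen at least `threshold` times in the
    attempt stream and returns the bases that were newly added."""
    counts = Counter(map(normalize, attempts))
    new = {b for b, n in counts.items()
           if n >= threshold and len(b) >= MIN_BASE_LEN and b not in banned}
    banned.update(new)
    return new


def check_password(password: str, banned: set[str] | None = None) -> tuple[bool, str | None]:
    """Return (allowed, matched_base). A candidate is rejected if any banned base
    appears inside its normalized form, so "P@ssw0rd2016!" is caught by "password"."""
    banned = BANNED_BASES if banned is None else banned
    base = normalize(password)
    for word in sorted(banned, key=len, reverse=True):  # longest match first, deterministic
        if word in base:
            return False, word
    return True, None


if __name__ == "__main__":
    # "Complex" by the usual rules, yet one rule away from a breach-list entry.
    print(check_password("P@ssw0rd2016!"))                 # (False, 'password')
    print(check_password("correct horse battery staple"))  # (True, None)

    # Constructed failed sign-in attempts, as an identity provider would see them.
    spray = ["Summer2016", "Summer2016!", "summer2016", "Spring2016", "Summer2016"]
    live = set(BANNED_BASES)
    print(add_sprayed_passwords(spray, 3, live))           # {'summer'}
    print(check_password("SuMMer2016!!", live))            # (False, 'summer')
```

The point of the normalization step is the one made above about complexity rules: “P@ssw0rd2016!” satisfies a typical length, mixed-case, digit and symbol policy, yet it is one substitution rule away from the most common entry on every breach list, and a cracker's rule set recovers it in the same pass. Length and character-class checks are deliberately left out of this sketch; they belong in a separate policy, while the banned-list check is about distance from known attack material.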
But others say there are better authentication strategies. “When companies like Microsoft ban certain passwords or ask the consumer to create stronger passwords they are essentially shifting the burden onto the consumer because they have no better idea on what to do with the password issue,” said Brian Spector, CEO of MIRACL, in a comment emailed to SCMagazine.com. “There are better alternatives to eliminate the need for username and password convention.”
Organizations must realize that they are in the best position to strengthen internet security and have the responsibility to do so, Spector said. “As an industry, we should remove the need for consumers to provide any sort of identifiable information as a means of authentication and by doing so we can eliminate the most common points of failure.”