Microsoft is dynamically banning common passwords and using smart password lockout to protect users and passwords in the Microsoft Account system and in the private preview of Azure AD.
Dynamically banning common passwords pushes users toward a unique, hard-to-guess password. The Azure AD Identity Protection team updates the list of common passwords continuously so that users cannot choose known weak passwords, such as "Password".
Smart password lockout is a second measure, intended to keep legitimate users from being locked out while attackers are guessing passwords online. It weighs the risk associated with a specific login session before applying lockout semantics. Microsoft says it can determine that risk using data on where the person is logging in from and which network they are using, and so can lock out suspected intruders while still allowing legitimate users to log in when they are on their own device and a network they have used before.
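To make the two measures concrete, here is an added illustration (not Microsoft's code, and not from the article): a banned-password check that normalises obvious variants before comparing against a constructed sample list, and a lockout that tolerates more failures from a device and network the account has already succeeded from than from an unfamiliar one. The normalisation rules, the thresholds and the `(device, network)` source key are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a "common passwords" list; a real list is far larger
# and is refreshed continuously as new breach data arrives.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome"}

# Assumed substitution table: undo the usual "leet" swaps before comparing.
UNLEET = str.maketrans("@$013", "asoie")


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo simple substitutions."""
    base = re.sub(r"[\d!@#$%^&*]+$", "", pw.lower())
    return base.translate(UNLEET)


def is_banned(pw: str) -> bool:
    """True if the password is a trivial variant of a known-common one."""
    return normalise(pw) in BANNED


class SmartLockout:
    """Per-account, per-source failure counter with a familiarity-aware limit.

    A source is a (device, network) pair; it becomes familiar for an account
    after one successful login from it. Unfamiliar sources hit the limit sooner,
    so a guessing campaign from elsewhere is stopped without locking the owner out.
    """

    def __init__(self, familiar_limit: int = 10, unfamiliar_limit: int = 3):
        self.familiar = defaultdict(set)   # account -> {source, ...}
        self.failures = defaultdict(int)   # (account, source) -> consecutive failures
        self.familiar_limit = familiar_limit
        self.unfamiliar_limit = unfamiliar_limit

    def is_locked(self, account: str, source: tuple) -> bool:
        limit = self.familiar_limit if source in self.familiar[account] else self.unfamiliar_limit
        return self.failures[(account, source)] >= limit

    def record(self, account: str, source: tuple, success: bool) -> None:
        """Record a login outcome; a success resets the counter and marks the source familiar."""
        if success:
            self.failures[(account, source)] = 0
            self.familiar[account].add(source)
        else:
            self.failures[(account, source)] += 1
```

A real deployment would also age out familiar sources and rate-limit across sources, which this sketch deliberately omits.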
This move by Microsoft has been seen by some as a response to recent data breaches such as the one at LinkedIn, where credentials from a 2012 breach saw 272.3 million stolen accounts traded on a Russian darknet. Troy Hunt, creator of the breach-notification service Have I Been Pwned?, commented in a Threatpost blog post: “The danger for LinkedIn users is that while most of the four-year-old LinkedIn data is garbage, there are tens of millions of email addresses out of the 117 million tied to passwords that will still unlock accounts elsewhere on the web today.”
This concern is reinforced by the recent discovery of a password-reuse bot, traded on the dark web, that tests leaked credentials against multiple websites. The credential testing runs first against poorly protected sites, and the successful hits are then replayed against better-secured sites in the hope that the same passwords work there too.
Brian Spector, CEO of Miracl, wrote to SCMagazineUK.com: “Although it is great that Microsoft is trying to increase security and awareness in this way ... complex passwords are inconvenient, which is why people are failing to adopt them.”
“Consumers tell us that they are struggling to remember what is now an average of over 100 passwords in Europe. At a time when the number of devices we own is rising sharply, this frustration has relegated the registration process to being the most broken thing about the internet,” Richard Lack, director of sales - EMEA, Gigya, commented in an email to SC.
Jonathan Sander, VP of product strategy at Lieberman Software, considers Microsoft's move excellent and hopes the fruits of this effort become available to all, but he has an interesting comment on the timing of the announcement. “I imagine that Microsoft is only instituting its banned password list now because there is enough political capital to do it with so many breaches and stolen passwords in the news,” he said.
On the other hand, some researchers question the password infrastructure itself. “Microsoft's move doesn't fix the underlying problem that passwords just aren't secure enough to protect the personal information that we all store and access online today,” Spector said.
Dave Worrall, CTO of Secure Cloudlink, argues in a comment sent to SC: “It's therefore time to completely rethink the entire password-driven security system. Passwords have quickly transitioned into an indefensible means of user authentication because of their basic security vulnerabilities.” He added: “Now is the time to look at solutions that eliminate the need for the password in the first place.”
“Within the next 10 years, traditional passwords will be dead as an authentication form. Consumer-focused brands require modern customer identity management infrastructures that support newer, more secure authentication methods, such as biometrics,” Patrick Salyer, CEO at Gigya, wrote to SC.