Microsoft has been detailing how it’s attempting to keep passwords safe from crackers, following the recent news that 117 million LinkedIn credentials may have been breached.
Alex Weinert, group program manager of the Azure AD Identity Protection team, explained that the system dynamically bans commonly used passwords.
“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly,” he continued.
“Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.”
Analyzing over 10 million attacked accounts each day, Microsoft continually updates this banned password list.
The feature is live in the Microsoft Account Service and will be rolled out to Azure Active Directory tenants over the next few months.
As Weinert explained, breaches like LinkedIn's not only give hackers a list of emails they can use to log in to victims’ accounts, but also provide valuable information that can be used to deduce which password combinations are the most popular, making cracking attempts easier.
In fact, Weinert warned that admins should halt bad practices such as password length requirements, complexity requirements and forcing users to regularly replace passwords, as they all make passwords easier to crack.
In a new paper on the subject, Redmond advises admins to eliminate the above, to educate users not to reuse corporate credentials outside of work, and to enforce multi-factor authentication.
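The checks described above, a banned-password list built from what is being seen most often in attacks and used instead of length and complexity rules, can be illustrated with a small validator. The following is an added example, not Microsoft's code or the mechanism Azure AD actually uses; the frequency table, the leet-substitution map, the "strip digits and symbols from the ends" normalization and the substring threshold are all assumptions chosen for the demonstration.

```python
import re
import string
import unicodedata

# Constructed sample frequency table with made-up counts, standing in for the
# "most commonly used passwords" data the article describes. A real deployment
# would feed this from observed credential-stuffing attempts or breach dumps.
SAMPLE_FREQUENCY = {
    "123456": 1_200_000,
    "password": 900_000,
    "qwerty": 400_000,
    "linkedin": 250_000,
    "letmein": 120_000,
    "correcthorsebatterystaple": 3,   # rare: must not end up on the banned list
}

# Assumed mapping of common character substitutions back to the letters
# they stand for, so "P@ssw0rd" is treated the same as "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
EDGE_CHARS = string.digits + string.punctuation


def build_banned_set(frequency, top_n=5):
    """Ban the top_n most frequently observed passwords, normalized.

    Re-running this as the frequency data changes is the "dynamic" part:
    the list tracks what attackers are currently trying."""
    ranked = sorted(frequency.items(), key=lambda kv: kv[1], reverse=True)
    return {unicodedata.normalize("NFKC", pw).casefold() for pw, _ in ranked[:top_n]}


def candidate_forms(pw):
    """Variants of pw that a cracker's mangling rules would also try."""
    base = unicodedata.normalize("NFKC", pw).casefold()
    stripped = base.strip(EDGE_CHARS)          # "Password1!" -> "password"
    forms = {base, stripped, base.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    forms.discard("")
    return forms


def check_password(pw, banned, min_substring_len=6):
    """Return (allowed, reason): reject banned entries and trivial variants."""
    forms = sorted(candidate_forms(pw))       # sorted for a deterministic reason
    for form in forms:
        if form in banned:
            return False, f"matches banned password '{form}'"
    # Longer banned entries are also rejected when embedded in a larger string
    # ("mypassword2016"); short ones are skipped to avoid over-matching.
    for form in forms:
        for word in sorted(banned):
            if len(word) >= min_substring_len and word in form:
                return False, f"contains banned password '{word}'"
    return True, "ok"


def meets_legacy_complexity(pw):
    """The kind of rule the article says to drop: character classes plus length."""
    checks = [len(pw) >= 8, re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
              re.search(r"\d", pw), re.search(r"[^\w\s]", pw)]
    return all(checks)


if __name__ == "__main__":
    banned = build_banned_set(SAMPLE_FREQUENCY)
    for pw in ["P@ssw0rd1!", "LinkedIn2016", "correcthorsebatterystaple", "Tr0ub4dor&3"]:
        allowed, reason = check_password(pw, banned)
        print(f"{pw!r}: legacy_complexity={meets_legacy_complexity(pw)} "
              f"allowed={allowed} ({reason})")
```

Running it shows the contrast the article draws: "P@ssw0rd1!" satisfies the legacy complexity rule yet is rejected because it normalizes to a top-ranked banned entry, while a long passphrase fails the complexity rule but passes the banned-list check.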
Microsoft’s move to dynamically ban weak passwords was welcomed by industry experts.
“Since Microsoft thinks they can defend this move with their users, hopefully it leads to organizations' security folks getting the ammo they need to win these fights internally,” argued Jonathan Sander, VP of product strategy at Lieberman Software.
“Security pros have known for years that moves like this are a good idea, especially when coupled with multi-factor authentication as Microsoft has it. This could raise the security bar for everyone.”
However, Miracl CEO, Brian Spector, added that passwords are still fundamentally broken.
“We should activate 2-factor authentication wherever possible and demand strong authentication options,” he said. “Service providers should move beyond the password and contribute to the restoration of trust on the internet by removing the password from their systems altogether.”