Tech Transformers

Microsoft is banning those lazy and easy-to-guess passwords

Goodbye "123456," "password" and "qwerty": Microsoft has announced that it is going to ban weak and common passwords, a move that comes in the wake of a high-profile hack of user credentials at LinkedIn.

Microsoft said in a blog post this week that its Azure AD (its cloud-based directory and identity management service) and Microsoft Account system now "dynamically ban commonly used passwords."


"The most important thing to keep in mind when selecting a password is to choose one that is unique, and therefore hard to guess. We help you do this in the Microsoft Account and Azure AD system by dynamically banning commonly used passwords," Alex Simons, director of program management at Microsoft's Identity Division said in the post.

"When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work."

The announcement referenced the news earlier this month that hackers were trying to sell 117 million user emails and passwords from LinkedIn. The news, originally reported by Motherboard, signaled that a 2012 data breach was larger than initially thought; security experts also highlighted the tendency of users to choose simple and common passwords.


Microsoft said in its 2015 "Security Incident Report" that its account protection systems prevent more than 10 million accounts from being attacked daily, a measure of the scale of credential attacks against its services.

From that data, Simons said in his blog post that the company has collected "a lot of data about which passwords are in play in those attacks" and that the company uses that data "to maintain a dynamically updated banned password list."

"We then use that list to prevent you from selecting a commonly used password or one that is similar," he said. The system was already at work in Microsoft's consumer account services, such as Outlook, OneDrive and Xbox, and would soon be rolled out across Azure AD as well.
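To make the mechanism Simons describes concrete, here is an added illustration of how a service can reject a candidate password that equals, or is only a small edit away from, an entry on a banned list, after undoing the cosmetic tweaks users apply ("P@ssw0rd2016!" is still "password"). This is not Microsoft's code: the banned list is a tiny constructed sample, and the normalization rules, edit-distance threshold and helper names are assumptions made for the example.

```python
import re

# Constructed sample of a banned list: the kind of entries that top breach
# frequency tables. A real deployment feeds this from observed attack data
# and it is orders of magnitude larger.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "abc123"}

# Assumed substitution table: common "leet" swaps that attackers already try,
# so they must not turn a banned word into an accepted one.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def candidate_forms(pw: str) -> set:
    """All normalized spellings of pw that get compared against the list.

    Case is folded, a trailing run of digits/symbols ("2016!") is stripped,
    and leet substitutions are undone. The raw lowercase form is always kept,
    so purely numeric entries such as "123456" still match.
    """
    base = pw.lower()
    forms = {base}
    stripped = re.sub(r"[^a-z]+$", "", base)
    if stripped:
        forms.add(stripped)
    for f in list(forms):
        forms.add(f.translate(LEET))
    return forms


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), classic O(|a||b|) DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def banned_match(pw: str, banned=BANNED, max_distance: int = 1):
    """Return the banned entry that pw resembles, or None if it is acceptable.

    A candidate is rejected when any normalized form is equal to, or within
    max_distance edits of, an entry on the list. The threshold is a tuning
    knob: 1 catches "Password1" and "1234567" without rejecting unrelated
    strings.
    """
    for form in candidate_forms(pw):
        for bad in sorted(banned):          # sorted for a deterministic answer
            if edit_distance(form, bad) <= max_distance:
                return bad
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the first four are cosmetic variants of
    # banned entries, the last two are unrelated and should pass.
    for pw in ["P@ssw0rd2016!", "1234567", "Qwerty!", "welc0me2",
               "correcthorsebatterystaple", "Tr0ub4dor&3"]:
        hit = banned_match(pw)
        print(f"{pw!r:28} -> {'REJECT (~' + hit + ')' if hit else 'ok'}")
```

The point of the normalization step is that a banned list compared by exact string match is nearly useless: users respond to "password is too common" by appending a year or swapping an "o" for a "0", and the attacker's wordlist already contains those variants. Checking the normalized forms, plus a small edit-distance allowance, is what turns a list of observed attack passwords into the "commonly used password or one that is similar" rule the post describes; the size of the allowance and the substitution table are what a deployment has to tune against its own false-rejection rate.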
