
Microsoft has started implementing a password filter that prevents you from choosing a password that is too simple.  Hoorah, mostly.  After years of allowing you to pick ‘123456’ the Redmond Giant is now implementing some tough password love for online services such as Xbox Live and OneDrive Azure.  If you have recently tried to set up a too commonly used password, you may have already witnessed Microsoft’s banning in action, which tells you:

“Choose a password that’s harder for people to guess.”

The new program is currently in the preview phase for Azure Active Directory and will be phased into all Azure AD tenants in the months to come.

Microsoft’s system is fed by lists of usernames and passwords that have been stolen from other companies and organizations and leaked online or offered for sale.  Microsoft is also using the usernames and passwords compiled from the over 10 million daily credential attacks with which their identity systems are hit.  That list is constantly updated.  When you go to choose, or change, your password, the system compares your password entry with the lists, or with passwords similar to the ones in the lists, and then reminds you of your simplicity and forces you to choose again.  Fortunately for the password fatigued (and unfortunately for the security minded individual), choosing a password that is not on the big MS list is not too hard.  Here are the minimum requirements:

Passwords must have at least 8 characters and contain at least two of the following:

  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Symbols

Which means that passwords such as “Pa$$word”, “Pa$$w0rd1!” and “123456h!” will fit the bill.

Microsoft chose not to set a longer length or complexity requirement, because their research found that people react in predictable ways when passwords get tougher.  Their research shows:

  • Longer password requirements usually result in people repeating patterns (e.g. passwordpassword), opting for writing their passwords down (oh, those sticky notes), or reusing them.
  • Password complexity requirements result in passwords that use similar patterns (e.g. capital letter in the first position, a symbol in the last, and a number in the last two), which makes them easier to discover through dictionary attacks.
  • Mandatory periodic password resets result in users choosing passwords closely related to the previous ones (i.e. they “update” an older one), which results in easily guessable passwords.  Ex. “Pa$$word1!”, becomes “Pa$$word2!”, and then “Pa$$word3!”
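To make the minimum requirements and the banned-list comparison concrete, here is an added Python example (not Microsoft’s code, whose matching rules and list are not public). The banned list, the leet-speak substitution table, the substring matching used to approximate “similar to” and the check for the “Pa$$word1!” becomes “Pa$$word2!” pattern are all constructed assumptions; it goes beyond the post by also flagging that incremented-reuse pattern.

```python
import re

# Constructed sample of a banned list; the real list is not public.
BANNED = ("password", "123456", "qwerty", "letmein", "iloveyou")

# Assumed substitutions people use to dodge a literal match.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "5": "s"})


def meets_minimum(pw):
    """The stated minimum: at least 8 characters and two of the four classes."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 2


def variants(pw):
    """Lowercased forms with symbols dropped, before and after undoing leet:
    'Pa$$w0rd1!' -> {'paword1', 'passwordi'}."""
    low = pw.lower()
    strip = lambda s: re.sub(r"[^a-z0-9]", "", s)
    return {strip(low), strip(low.translate(LEET))}


def is_banned(pw):
    """Fuzzy match: any banned entry contained in any normalized variant."""
    return any(b in v for b in BANNED for v in variants(pw))


def is_incremented_reuse(old, new):
    """Same stem once trailing digits/symbols are removed ('Summer2016!' vs 'Summer2017!')."""
    stem = lambda s: re.sub(r"[^a-z]+$", "", s.lower())
    return stem(old) != "" and stem(old) == stem(new)


def check_password(pw, previous=None):
    """Return 'ok' or the reason the password would be rejected."""
    if not meets_minimum(pw):
        return "too short or too few character classes"
    if is_banned(pw):
        return "choose a password that's harder for people to guess"
    if previous and is_incremented_reuse(previous, pw):
        return "too similar to your previous password"
    return "ok"
```

Note that “Pa$$word” and “123456h!” satisfy the composition rule yet still fall to the fuzzy banned-list check, which is the point of the list.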

Microsoft does recommend that company account administrators turn on risk-based multi-factor authentication and educate users, which we are all for, but some of their other advice to admins seems counterproductive and even counter to their own password requirements.  From their password guidance paper:

Azure Active Directory and Active Directory allow you to support the recommendations in this paper:

  • Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  • Eliminate character-composition requirements.
  • Eliminate mandatory periodic password resets for user accounts.
  • Ban common passwords, to keep the most vulnerable passwords out of your system.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Enforce registration for multi-factor authentication.
  • Enable risk based multi-factor authentication challenges.

Yet in that same paper they state their own “character-composition” requirements.  Granted, Microsoft does have other security mechanisms in place, such as limiting the number of password attempts in a certain period, blocking IP addresses that try too many times, and enforcing two-factor authentication after too many failed attempts, so they can afford to recommend shorter passwords.  To some extent.  Additionally, since hackers now know which simple passwords will no longer work, they will not even try those passwords and will concentrate on guessing the harder ones from the get go.  This just shifts the hackers’ starting point for cracking passwords to eight characters long.

For more info:

http://research.microsoft.com/pubs/265143/Microsoft_Password_Guidance.pdf

https://www.helpnetsecurity.com/2016/05/26/microsoft-bans-common-passwords/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29