Weak passwords are one of the main reasons behind online accounts getting easily hacked and compromised. With services like LinkedIn, Dropbox and others having leaked millions of passwords in the previous years, Microsoft has decided to ban passwords that are too common and have appeared in the breach lists.
Say goodbye to password, 123456 and M!cr0$0ft
We have seen several reports showing how "password" and "123456" are two of the most used passwords online. Not only do breach lists carry these and a number of other commonly used passwords, but online services have often warned their users to be at least a little creative with their passwords. Since users aren't apparently listening to these repeated pleas, Microsoft is aiming to protect its lazy users by banning use of such weak passwords across its services.
We help you do this in the Microsoft Account and Azure AD system by dynamically banning commonly used passwords.
Earlier this month, we reported how a hacker was offering to sell over 167 million LinkedIn account credentials, including passwords of 117 million accounts, for only 5 bitcoin (or, $2,200). While the data was stolen in 2012 and many might have hopefully updated their LinkedIn passwords, users are in a habit of using similar passwords for multiple services - a big no. Thanks to these breach lists, cybercriminals can easily brute force accounts by trying the popular passwords. "123456" showed about 753,305 times in the recently leaked LinkedIn list and was followed by another common password "linkedin," which occurred 172,523 times. And this data is from only one breach.
When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.
While services will keep getting hacked and passwords leaked, there is no reason you should use "123456" as a password in any of your accounts. As a result, Microsoft is now "dynamically banning common passwords from Microsoft Account and Azure AD system." This means that the company will analyze data breaches looking for most used passwords and prevent its users from having these as their passwords.
Microsoft is also implementing a smart password lockout feature which will add another layer of protection when an account is attacked. Smart password lockout will lock criminal out of an account when they attempt to guess the password, even when they do so from the owner's computer.
Microsoft has said that the company sees over 10 million accounts being attacked every day, which gives Redmond "a lot of data about which passwords are in play in those attacks." This data is then used to maintain a dynamically updated banned password list, which in turns prevents people from choosing a similar password. The feature is available in Microsoft Account Services and will roll out to Azure AD next month.