Microsoft May Ban Your Favorite Password (securityweek.com)
wiredmikey writes from a report via SecurityWeek.Com: Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services. Microsoft has announced that it is dynamically banning common passwords from the Microsoft Account and Azure Active Directory (AD) systems. In addition to banning commonly used passwords to improve user account safety, Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked. [Alex Weinert, Group Program Manager of the Azure AD Identity Protection team, explains in a blog post that] Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Microsoft's new feature comes after last week's leak of 117 million LinkedIn credentials.
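The "common or similar password" filter the summary describes, as an added illustration that is not Microsoft's code: the banned list, the leetspeak table and the matching rules below are constructed assumptions, since the real list is built from attack traffic and is not public.

```python
import re

# Constructed sample of a banned list. In the scheme described above the
# list is refreshed from observed attack traffic; here it is static.
BANNED = {"password", "qwerty", "letmein", "iloveyou", "welcome", "123456",
          "football", "monkey", "dragon"}

# Reverse common look-alike substitutions, e.g. P@$$w0rd -> password.
# Assumed mapping for illustration only.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "|": "l"})


def candidate_forms(pw: str) -> set:
    """Return the base spellings a candidate password could be hiding.

    Guessing tools append digits or years and swap letters for look-alike
    symbols, so the check folds those transformations away before
    comparing against the banned list."""
    low = pw.lower()
    # strip leading/trailing digits and punctuation (Password123!, 2016welcome)
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def within_one_edit(a: str, b: str) -> bool:
    """True if a becomes b by one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # deletion from a
            i += 1
        elif len(a) < len(b):    # insertion into a
            j += 1
        else:                    # substitution
            i += 1
            j += 1
    # a leftover tail character counts as one more edit
    return edits + (len(a) - i) + (len(b) - j) <= 1


def check_password(pw: str, banned=BANNED):
    """Return (accepted, reason).

    Rejects exact, disguised and near-miss matches of a banned entry and
    accepts everything else; unlike composition rules, this does not
    shrink the keyspace for passwords that are not on the list."""
    for form in candidate_forms(pw):
        if form in banned:
            return False, f"normalizes to banned entry '{form}'"
        # fuzzy matching only on forms long enough to avoid false positives
        if len(form) >= 6:
            for entry in banned:
                if within_one_edit(form, entry):
                    return False, f"too similar to banned entry '{entry}'"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("P@$$w0rd!", "Football2016", "passwprd", "poliefkoloskodikos"):
        print(sample, "->", check_password(sample))
```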
If (Score:5, Insightful)
Re:If (Score:5, Funny)
If you ban common passwords, then you end up with a new set of common passwords. Going to ban those too?
Absolutely! In no time flat this Microsoft problem should fix itself.
Re: (Score:3, Insightful)
Haha, that was funneh!
On point, however: how many people don't care about how secure their passwords for Windows systems are? I have systems I couldn't care less about, because they are either fully blocked by a FW or air-gapped. I don't trust Windows at all, so I use a weak password when it suits me.
MS - attempting to chase all remaining customers away I guess.
Re:If (Score:4, Informative)
This only affects Microsoft Accounts and Azure AD, not local Windows accounts.
Re: (Score:3)
Lots of Microsoft online stuff ties into Azure AD, like Office 365 for example. And I sync my office local AD directory to Azure AD for our O365, so I'm kind of curious how this will affect synced AD databases.
Re:If (Score:4, Insightful)
This only affects Microsoft Accounts and Azure AD, not local Windows accounts.
So far.
Re: (Score:2, Insightful)
Coming to a security update! Your password is no longer valid. New password must contain 15 symbols and 8 uppercase and 7 lowercase letters, where no more than 5 uppercase and 4 lowercase may be in a row, and you also may not have upper and lowercase alternate through the password.
Or upgrade to Windows 10*.
*:--(until the update hits windows 10 next month)
Re: (Score:2, Insightful)
Typical Slashdot, this bullshit gets modded Informative.
Yeah - shoulda been modded insightful. I hate to use why not examples, but I'll dv8 from that here.
What would be the rationale to not implement this in all Windows systems? They already have a keylogger, they already phone home to a multiplicity of locations that they don't allow you to host out, and they already thought it was a good idea to allow anyone that you allow on your home wireless to allow anyone in their social network to wirelessly log on to your router, even though you have no idea who they
Re: (Score:2)
What would be the rationale to not implement this in all Windows systems?
For the same reason they allow you to have a blank password in Windows but not for Microsoft accounts.
Re: (Score:2)
What would be the rationale to not implement this in all Windows systems?
For the same reason they allow you to have a blank password in Windows but not for Microsoft accounts.
Try again - explain why they won't do this, not why they are doing something that they might allow at the present time.
Re: (Score:3)
This only affects Microsoft Accounts and Azure AD, not local Windows accounts.
In Windows 10, for many people your Microsoft Account IS your local Windows account (it's the default). It's much easier for Microsoft to control your computer that way.
Re: (Score:3, Interesting)
Obviously Microsoft knows what's best for us, regardless of what we want.
Maybe I *want* to use a weak password, what business is it of theirs to tell me I can't? If they want to warn me that I have a weak password, fine. But to prevent me from using it? That's just bullshit.
Microsoft is continually tightening its grip on its customers' freedom to do what they want, so I guess this really shouldn't come as a surprise.
Re:If (Score:5, Insightful)
lol. The MS hate is so strong on slashdot that people hate even moves that SHOULD make nerds happy.
What's wrong with you all ? We constantly talk about how weak passwords are stupid.
Pull your head out of your zealot ass.
Re: (Score:2)
Dang it, why can't I use Windows to chop onions?! MS always telling me what I CAN'T do with their system! Jerks!
There are already tons of systems where I cannot use a particular password because it doesn't meet complexity requirements... why is this different than that?
Re: (Score:2)
There are nerds on /. who are not programmers, you know.
Re:If (Score:5, Insightful)
I don't want your account with a weak password to get pwned and send me spam or phishing emails.
Re:If (Score:5, Informative)
I don't want your account with a weak password to get pwned and send me spam or phishing emails.
Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?
Re: (Score:2)
Best way around it is 2-factor auth. Hell, my bank didn't allow me to have passwords longer than 6 characters up until a year or two ago (it's now 13 characters), and it's one of the largest in Canada.
Re: (Score:2)
"...but does that mean that MS should be able to force me to use one that they consider "strong"?"
Yes, of course it does, and your use of "they consider" demonstrates your bias here. Password strength is an objective measure.
"... You do know that, don't you?"
Don't pretend to be in possession of the facts here after your previous comments.
Re: (Score:3)
Neither do I, but does that mean that MS should be able to force me to use one that they consider "strong"?
Yes, if you want to use their service. Just like the TOS say no using Azure to run DDOS attacks or host illegal material, they now say no weak passwords.
Most accounts aren't cracked by password guessing, most are pwned by malware and keyloggers. You do know that, don't you?
Wrong. Most accounts are cracked because the user used the same password somewhere else that was compromised and subsequently cracked. Then it's password resets because their email address was compromised. Keyloggers are way, way down the list.
Much more hassle to deploy and operate, much easier to just grab the user database from some site and crack all the
Re: (Score:2)
Yes, if you want to use their service.
Oh, so now running Windows at home on my own PC is a "service"?
There's another reason to move to Linux.
Re: (Score:2)
Have you looked at Windows 10? It's a service, you own nothing. That's one reason why I'm not running it.
Re:If (Score:5, Funny)
Don't worry, Windows 10 has an option to use a strong secure 4 digit PIN number instead of a weak 8 alpha-numeric characters consisting of upper, lower case letters, numbers and at least one special character! Microsoft has saved us from the horrors of passwords like P@$$W0rd and Qwerty1! and has led us to the Brave New World; we hail our new overlords of 1234 and 7777! We'll all be saved by Samsonite's random number generator.
Re: (Score:2)
123456? Damn. That's 20% better than my password.
Re: (Score:2)
You only think you haven't been hacked.
I'll give you a hint. "Hell0Kitty" is not a good enough password.
Re: (Score:2)
A decade or two ago my boss bought the domain poiuyt.com. It was absolutely amazing how many times a website's registration confirmation emails came to poiuyt.com's default account with the password qwerty. I got access to a lot of porn that other people paid for too.
Re:If (Score:4, Insightful)
Oh come on, this isn't a bad thing. If Ubuntu refused to let you use 123456 as a root password, everyone on Slashdot would say "of course". If Microsoft does it, they're idiot fascists who don't understand anything. Slashdot is sometimes just an embarrassment.
This comment should not have been modded down. Slashdotters don't even try to pretend anymore that they don't just react as if everything MS does is wrong by default, even when they compromise their own principles in the process. Hell, just a couple of days ago people were modded up for saying MS shouldn't Open Source VB. Uh huh.
Re: (Score:2)
Everything should be Open Sourced*.
* except Microsoft products for reasons that weren't important until this came up.
LOLWUT (Score:5, Insightful)
This is a first. Someone on Slashdot making an argument for weak passwords.
Re: (Score:2)
Not every account needs a strong password. Sure, if it's your primary windows account then lock it down somewhat. Otherwise you imagine the worst thing that can happen and if it's not too bad you don't stress over it. Sure there's panic that any windows account can cause the end of the world if they're able to send random email, but that can happen from the attacker's computer or a million other anonymous mail sites, big deal. Who needs a super strong password for their guest account?
Re: (Score:2)
No, we just know Microsoft: they'll go from crazy-stupid easy and insecure to crazy-stupid hard, so hard nobody will do it and will use an even more insecure work-around. Then when everybody gets hacked Microsoft will blame the insecure work-around and not the insanity that drove people to it.
Re:If (Score:5, Insightful)
Obviously Microsoft knows what's best for us, regardless of what we want.
In this case, literally yes, they do.
Maybe I *want* to use a weak password
And maybe you want to jump into the swimming pool wearing full platemail armour but the lifeguard doesn't have to let you, and in fact should not let you.
what business is it of theirs to tell me I can't?
It's literally their business.
Re:If (Score:4, Interesting)
You can honestly not think of any reason why a strong password is not always required? I can think of reasons why jumping into a pool while wearing full platemail might be necessary (it's scene 23 in my movie script). I don't even have a password on my home computer, but then again no one breaking in remotely is going to be blocked by a Windows login screen either. They can break in locally of course but if that happens I have more serious matters to deal with than that they'll be able to look at some photos before wiping the drive and reselling it.
Re: (Score:2)
You vastly overestimate the skill of the average computer thief. If you set a Windows password, they will try "password" and "letmein" and then give up and wipe it. They won't load up a cracking tool and some rainbow tables, or take the HDD out and manually access your files. They are dumb enough to go around stealing computers; do you really expect them to have those skills?
While you might think that a password is not required for your particular contrived application, security works best in layers. In th
Re: (Score:3)
Yea, how about the fact that most sites still haven't figured out what makes a password 'strong'. They seem to think an 8 character password with special characters is stronger than a 32 character password without.
Seems like a no-brainer,
66 alphanumeric and special characters, 66^8 = 3.6004060627e+14;
46 alphabetic characters, 46^32 = 1.61529040681e+53
Re: (Score:3)
Depends. Is it your personal account that isn't related to any organization? Then the least risk is your account being used for spam. That's your best case scenario.
Quite often personal email accounts are tied in as the password recovery for secondary systems like banking. Would you like your forgotten bank account password reset and a new one emailed to you? If you're lazy enough to use a common password, chances are you reused that same password on other systems you have access to.
If it's y
Re: (Score:2)
Then, when you get hacked, you'll take to the Internets to whine about how MS allowed you to have an insecure password that made you get hacked.
Wrong, but thanks for playing.
Re:If (Score:4, Interesting)
If you ban common passwords, then you end up with a new set of common passwords.
Is there any evidence that the above assertion is true?
Re:If (Score:4, Informative)
If you ban common passwords, then you end up with a new set of common passwords.
Is there any evidence that the above assertion is true?
No. The system is dynamic. It does not use a fixed set of "common passwords", but instead adds passwords that are used in cracking attempts. If a cracker thinks it is common enough to try, then it likely is not a good password to use. Over time, the list will grow, but it is unlikely we will run out of possible passwords. If the passwords are 32 bytes long, and each can hold 100 different values, then that is 10^64 possible passwords, which is roughly ten billion times the number of atoms in the sun.
Re: (Score:2)
No, they don't. Passwords are checked on entry for strength; they are only stored as one-way salted hashes.
;^) M'kay
Re: (Score:2)
If you ban common passwords, then you end up with a new set of common passwords.
Is there any evidence that the above assertion is true?
Hackers will probably figure out which passwords not to try.
Re: (Score:3)
If you ban common passwords, then you end up with a new set of common passwords. Going to ban those too?
I vote for recording a Fletcher-32 and CRC32 checksum of every password that a user creates, and if 3 or more accounts in the entire system attempt to create a password that has the same Fletcher-32 and CRC32 checksum, then (1) the password will be rejected and banned, and (2) the other accounts with the same F32 and CRC32 will be locked into a state where they will be forced to change their password
Re: (Score:2)
Oh, come on, ye of little imagination. Make a policy which requires 2 or more password changes a day (32 character minimum length), forcefully logs users out of their computers randomly and swaps mouse button functions around without warning.
How's that for more user-unfriendly?
Re: (Score:2)
What's even better is that your big database of CRC32 hashed passwords will be an absolute treasure trove for the hackers that download your data.
The point of using CRC32, or actually, 64-bit would probably be better, is that there are many different combinations which will hash to the same password.
The reason to use a hash that is not salted and has many collisions is to allow easy comparison of a candidate password against a blacklist; without making the hash itself capable of being used to crack t
Re: (Score:3)
If you ban common passwords, then you end up with a new set of common passwords. Going to ban those too?
That keylogger in Windows 10 is going to be a big help. What a great company.
Re: (Score:3)
If you ban common passwords, then you end up with a new set of common passwords. Going to ban those too?
It doesn't follow. Common passwords are based on words in common use or things like calendar dates. If you disallow those, then it's reasonable to expect that the passwords will have a lot more variety.
Re: (Score:3)
Because the list is dynamic, then as a password gets banned for a while, it'll drop off the list because new common passwords will replace it; UID poiuyt, password Qwerty1! might become acceptable again one day!
Re: (Score:2)
Well - if they allow "old" common passwords back in after a while then you're right, but if you retain the list of previously common passwords and continue to disallow those (which is probably more sensible) then you don't get that situation.
Usernames ? Passwords ? (Score:2)
After banning common usernames, now they ban passwords....
https://support.microsoft.com/... [microsoft.com]
The more password rules you make... (Score:5, Informative)
While not allowing "common" passwords is not the worst idea, in general the more password rules you make, the worse passwords you'll get. In the end people end up writing them on post-it notes...
Doesn't Microsoft own Skype? 'Cause I was trying to make a Skype account a couple of years ago and first tried concatenating three weird Greek words transliterated to Latin. I don't remember which words exactly; in any case, the password was rejected as too weak. Yeah, try cracking something like "poliefkoloskodikos" (aka "veryeasypassword"). It rejected a couple of others as well (it did not give you a specific reason - perhaps it would if I was on a desktop) and on the fourth try accepted something as simple as "river1". How is this kind of policy helped by banning e.g. "password1"? That is not the problem.
Oh, my "favorite" password rules are the ones that reduce the search space for potential hackers.
For example, I have one bank account that requires the password to start with a number. I have a network security camera that doesn't accept over 8 characters, and the list goes on...
Re:The more password rules you make... (Score:5, Insightful)
In the end people end up writing them on post-it notes...
I'm not so sure this is a bad thing. Post-it notes still require physical access to the post-it-note. Which is pretty hard for a random bruteforcer to access over the Internet.
Re: (Score:2)
I feel your pain. I think it is so dumb how systems limit the length of a password to some arbitrary size. Is it really that much harder to store a 32 character password than it is to store an 8 character password? Come on.
I use a password manager in lieu of the post-it but I do find it very aggravating that sites won't even let me use a randomly generated long password.
Re: (Score:2)
While not allowing "common" passwords is not the worst idea, in general the more password rules you make, the worse passwords you'll get. In the end people end up writing them on post-it notes...
Not if you are smart about it. Yes, if you just add rules, this is what will happen. Been there, given speeches about it. But if you adopt a few good rules, you can actually improve password security a lot.
And not allowing 123456 as a password is such an obvious step, I wonder why it took so long. Don't they hire anyone with a brain at Mickeysoft?
Microsoft Account = PC (Score:2, Interesting)
With Microsoft doing their best to get people to use Microsoft Accounts on their Windows installs, that means people will soon be required to get approval from Redmond for the password they use to get into their own PC in their own home.
Re: (Score:2)
Or maybe it could refer to all of their online accounts such as Hotmail, Xbox accounts, etc.
Re: (Score:2)
Or maybe it could refer to all of their online accounts such as Hotmail, Xbox accounts, etc.
A Microsoft Account is a login for Hotmail and Xbox, and your PC too, if you didn't dig for the Local Account option during setup. That's the point. [microsoft.com]
Re: (Score:2)
So many things at work are just completely cock-blocked without using a Microsoft account to log in. While I was laid off they hired a consultant to do the "upgrade" and provide management services; all of the hardware from this supposed "Authorised Dell Reseller" wasn't, and everything was set up in the most obtuse, arcane and fragile manner possible to ensure that he would be the only one who could install hardware or administer the system for billable hours. We ended up paying twice for Win Server 2008 and
Use password strength as the criterion (Score:2)
No ever-lengthening lists of bad passwords and no infernal fiddly rules about specific numbers of capitals and numbers and symbols, but a simple threshold of overall password strength according to one of the widely-accepted metering systems. Such a filter would automatically accept the random strings created by password manager applications, which would lead to more people using such programs to create good passwords.
What could possibly go wrong... (Score:5, Informative)
"Microsoft has implemented a feature called smart password lockout, meant to add an extra level of protection when an account is attacked"
I've already fallen victim to this one. I had an @live.com email address that I used for things that were guaranteed to spam me. Things that needed a one time authentication and such. Unfortunately I made a typo once while trying to access the account. One typo, on one attempt. I've now been permanently locked out of the account.
They said they just need to verify that it's me, but there's no possible way to do so. They say I can give them a phone number to verify it, but they don't have my phone number on file in the first place. The next option was their account recovery tool, but it requires you tell them who you have sent mail to from the account, as I've only ever received mail in this account, and never sent anything out, I can't do that. I submitted the form anyway, but they tell me that they can't verify that I'm me so they won't unlock the account.
Mostly I can just create another throw away account, but unfortunately another service took this opportunity to try to "re-verify" me by sending an email to this now locked out account, and because I can't get that email, I'm also locked out of the other service.
Of course I should have known better, what idiot uses Microsoft for ANYTHING????
Re: (Score:2)
Of course I should have known better, what idiot uses Microsoft for ANYTHING????
90% of the user base
Re: (Score:3)
Great sob story, bro. There are ways to set up recovery, you weren't really impacted by getting locked out, and you didn't state how it could have been better.
PS: There are lots of "throw away" email services that are just for doing what you want to do.
Re: (Score:2)
Ok, I'll state clearly how it could be better.
Don't lock your users out when they make ONE typo!!! I've never seen any other service anywhere, ever, that doesn't allow at the very minimum 3 password attempts.
Re: (Score:2)
I could go further too,
If you offer a recovery option, let users recover with the information that's on file. If they didn't give much info, then it's going to be less secure, but that's the user's choice.
I could give them my full name, date of birth, city, year that I created the account, and oh yeah, MY PASSWORD! Not to mention I could have told them who I had received mail from, just not who I sent it to (because I hadn't sent any email!)
None of that was good enough.
Re: (Score:2)
Ok, I'll state clearly how it could be better. Don't lock your users out when they make ONE typo!!! I've never seen any other service anywhere, ever, that doesn't allow at the very minimum 3 password attempts.
No point in arguing with them - nothing is ever Microsoft's fault by decree.
Re: (Score:2)
Great sob story, bro. There are ways to set up recovery, you weren't really impacted by getting locked out, and you didn't state how it could have been better.
PS: There are lots of "throw away" email services that are just for doing what you want to do.
And there are services that don't have stupid always your fault - never Microsoft's problems.
Re:What could possibly go wrong... (Score:4, Informative)
Microsoft (or Google for that matter, just not as bad) doesn't play games with their account credentials anymore. You have to have an out-of-network way to verify your account or you're going to lose it, either through a phone number or another email address, and dammit, make sure it's up to date.
Also, the two-factor app that MS has for Android is one of the best I've used when it comes to ease of use and how it's implemented. It's pretty much: make sure the code on the PC matches the code in the authentication window and click approve on the phone if it does. No typing verification numbers like most authenticators. So it's a good idea to use that too, since it will let you in if all else fails.
This account protection of course makes it a pain with windows 8 or 10 users that use MS accounts for credentials. Half of the time they use stupid pins for their passwords and forget their real password, and MS doesn't like that sort of thing to adjust account settings. Especially if you got to refresh the PC. Just about once a week I have a conversation that goes something like
(Me) What's your password for your PC?
(grandma) It's 1111
(Me) No that's your pin. I need the password
(grandma) but it lets me in the computer so that's my password
(Me) (Three minute explanation of the difference between a pin and a password)
(grandma) Oh... well, I don't know it 'cause my grandson set it up. (Or it's in my password book buried at my desk.) Can you reset it?
Then you find out that their recovery creds were an old Email and phone number from a DSL/Phone provider they no longer have and have to go through the account verify process of shame that the Parent post went through, which never seems to work until you submit it 3 or more times regardless of how much info you put in the thing.
Re: (Score:2)
Yes I give every random website on the internet my phone number... why not?
Re: (Score:2)
they don't have my phone number on file in the first place.
this is your failure, not theirs
Fortunately, he can move to systems where he doesn't do that stupid shit.
That's always the problem with Microsoft: a lot of people have a lot of problems, but it's never, never Microsoft's fault. Meh.
Password not accepted (Score:4, Funny)
Your new password is not accepted. Please install Windows 10 and try a new password.
This affects their bottom line (Score:2)
This rule is for Azure. Since Microsoft needs to maintain a reasonable reputation for their customer service being flexible, they will often refund fraudulent use of their service which costs them money.
PS: Don't try to argue that Microsoft doesn't have reasonable customer service, I can name many other companies with horrible CS, and many sob stories from companies like Amazon who are rated as having excellent CS.
Splainzit (Score:2)
I was wondering why "fuckmicrosoft1" stopped working.
123456 (Score:2)
That's fine, Microsoft.
But what about my luggage?
Don't see this turning out too good for Microsoft (Score:2)
I understand why Microsoft is doing this, but I just don't see this ending well for them. I would set temp passwords for new hires to things like $$Znxa1543 and they would almost murder me. The users would complain, the managers would complain, everyone would just complain that the passwords were too hard. For some reason some users just can't remember anything more complex than something like "May-2016" or some such like that. All Microsoft is going to do is force these people to set passwords they will ne
Re: (Score:2)
Wait until their installed software requires those unremembered and unretrievable accounts to confirm their licences and they have to buy new software.
Come on, already (Score:3)
Re: (Score:2)
Password security is system agnostic. It isn't just Microsoft. I applaud their efforts here, but they are just that. Nothing ground-breaking.
Here's an idea... teach people how to create better passwords! Don't just restrict them to X number of characters or say you have to use capitals and numbers.
I remember some fairly secure passwords from 20 years ago. We had an intern who left, and he gave me his unix password in case I needed it.
It was CIrpotb, It was the first letter from each word in the lyric
Eastern Europe (Score:2)
If Microsoft really was interested in my account security they would ban any account access from Eastern Europe. I have no plans to ever travel to Eastern Europe while logs show that almost all the hacking attempts to my accounts are coming from Eastern Europe.
If Netflix can do it, why can't Microsoft and LinkedIn?
Re: (Score:3)
This doesn't solve much. You just force the amateur hackers to use proxies, which makes it more difficult to do forensic analysis. At the same time you prevent that 1/1000 person who is traveling to Russia and needs to access their account. Sounds like a lose-lose situation to me.
I'll just use crypt() (Score:2)
I'll take the crypt() output of my favorite password and use that instead. papAq5PwY/QQM
They should know! (Score:3)
Microsoft leads the world in insecure software, so on the 20th anniversary of Windows 95 it's good they're working to help.
On the other hand, any time you decrease keyspace by creating arbitrary rules ("Must contain this", "must contain that") you constrain an otherwise limitless keyspace and make it easier to guess.
I want to wish them well... because it appears they are well-intentioned. Sadly, they are still incompetent.
Want to make stronger passwords? Don't REQUIRE people to use specific parts of the keyspace.
Want to make stronger systems? Don't make your Win95/Win98/WinME/Win2K/WinXP/Vista/7/10 compatible with DOS so people can pwn your users.
Great! (Score:4, Insightful)
"Your password is weak, because 3 Million Users are already using it"
Cool, I found a common one! Let's try to use it on billgates@hotmail.com! Gotcha!
A whole new way to update your wordlists.
Oh rats (Score:2)
10^4 (Score:2)
Microsoft is taking a step to better protect users by banning the use of weak and commonly-used passwords across its services.
Please enter your 4 digit pin in order to login to your computer, you know, where all your personal information is stored?
Re: (Score:2, Informative)
This will be instantly patched around with either a registry edit or a binary rogue patch available for download.
This is a Microsoft Account / Azure Active Directory, not a local Windows machine user account. Since they're cloud-based services, a local patch won't work.