Microsoft bans common passwords that appear in breach lists

With LinkedIn providing yet more fodder for attackers' rainbow tables and login bots, Microsoft has decided to start blocking too-common passwords. As a result, Azure Active Directory's 10 million or so users will no longer be able to select a password that's appeared too many times on breach lists, or commonly appears in …
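The check the article describes, as an added example that is neither Microsoft's code nor taken from the article: a simplified banned-password filter. The normalisation (case folding and undoing common leet substitutions), the substring match against a global banned list plus terms derived from the user's own sign-in name, and the five-point scoring threshold are assumptions modelled on Microsoft's public description of Azure AD Password Protection; the real service also does fuzzy (edit-distance) matching, which is left out here. The tiny banned list and the sample UPN are constructed.

```python
"""Simplified banned-password filter in the style of Azure AD Password Protection.

Added example, not Microsoft's code. Normalisation, substring matching and the
five-point rule are assumptions modelled on Microsoft's public description.
"""
from __future__ import annotations

import re

# Constructed sample of a global banned list; the real list has thousands of entries.
GLOBAL_BANNED = {"password", "letmein", "qwerty", "welcome", "contoso"}

# Substitutions undone before matching, so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a", "3": "e", "4": "a", "!": "i"})


def normalize(password: str) -> str:
    """Case-fold and undo leet substitutions."""
    return password.lower().translate(LEET)


def user_terms(upn: str) -> set[str]:
    """Derive user-specific banned terms from a sign-in name such as
    'jane.doe@contoso.com' (assumption: split on common separators, keep
    fragments of four or more characters so 'com' is ignored)."""
    local, _, domain = upn.lower().partition("@")
    parts = re.split(r"[._\-]+", local) + re.split(r"[.\-]+", domain)
    return {p for p in parts if len(p) >= 4}


def score(password: str, upn: str = "") -> tuple[int, list[str]]:
    """Return (points, matched_terms).

    Each run of characters that matches a banned term scores one point for the
    whole run; every other character scores one point. Longer terms are tried
    first so 'password' is not matched as 'pass' + 'word' by some shorter entry.
    """
    norm = normalize(password)
    banned = sorted(GLOBAL_BANNED | user_terms(upn), key=len, reverse=True)
    matched: list[str] = []
    points = 0
    i = 0
    while i < len(norm):
        for term in banned:
            if norm.startswith(term, i):
                matched.append(term)
                points += 1
                i += len(term)
                break
        else:
            points += 1
            i += 1
    return points, matched


def is_allowed(password: str, upn: str = "") -> bool:
    """Assumed acceptance rule: fewer than five points means the password is
    essentially one or two banned words plus decoration, so reject it."""
    points, _ = score(password, upn)
    return points >= 5


if __name__ == "__main__":
    for pw, upn in [("P@ssw0rd", ""), ("ContosoJane1", "jane.doe@contoso.com"),
                    ("Pr0ject-Tallgrass-7", "jane.doe@contoso.com")]:
        print(pw, score(pw, upn), "allowed" if is_allowed(pw, upn) else "rejected")
```

Note that "P@ssw0rd" collapses to a single banned term and scores one point, which is why the substitutions the XKCD strip pokes fun at buy nothing here; "ContosoJane1" is rejected because both the tenant name and the user's own name count as banned terms.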

  1. Anonymous Coward
    Anonymous Coward

    Rubbish, making passwords change frequently is fine, I can write it down in Notepad, or I can use a cycling pattern of keys, or I can use a password wallet if I want to put all those lovely little eggies into one basket.

    It's been best practice forever, why evolve now, that would just mean all those security folk who based their opinions on 'expertise' rather than empirical research would have to admit they were wrong. And that isn't going to happen.

    1. Destroy All Monsters Silver badge
      Holmes

      Periodic password expiration is the love child of the devil and the large hierarchical organization beset by the Dilbert principle.

      > It's been best practice forever

      Welcome PHB! Yes, I remember the IBM 3270 too.

      1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      @codysydney: Because, Dear Commentard.

      At 50, my memory is not what it used to be. Constantly changing passwords, updating my little black book is a bloody pain.

      At 50 I have visited Sooooo many internet forums / sites, I have passwords scattered across the observable universe.

      At 50, there should, by now, be a decent, accepted method of security other than passwords. Biometrics is not that!

      At 50, web sites should accept a standard of passwords, not some mish mash dictated by a spotty 17 year old HTML coder who has no effing idea how us older ones think.

      Internet security, for the main part, is crap....

      Expect things to get worse when IoT hits home.

      1. allthecoolshortnamesweretaken

        Re: @codysydney: Because, Dear Commentard.

        At almost 50 I'd like to weigh in here: biometrics may be easy, but as long as I haven't got the ability to grow back fingers or eyeballs or whatever at will, biometrics are right out.

        1. VinceH

          Re: @codysydney: Because, Dear Commentard.

          "At almost 50 I'd like to weigh in here: biometrics may be easy, but as long as I haven't got the ability to grow back fingers or eyeballs or whatever at will, biometrics are right out."

          At not-quite-almost-50-but-not-far-off I know the difference between identification and authentication. Biometrics are no good for authentication - and can be a bit iffy sometimes for identification.

          1. Chika

            Re: @codysydney: Because, Dear Commentard.

            At over 50 I realise that there is only one way to keep anything totally secure from hacking on the net. That's to make sure that anything that you need to make secure never goes anywhere near it.

            I've seen security become something of a booming business. When I compare systems like RSTS/E V7.0, which stored its account passwords in plain text in a known account, to what we currently have, things are certainly a lot more secure, but one thing that is painfully obvious is that any security is subject to human frailty. So many suggested ways of dealing with it have their obvious downsides, mostly PEBCAK. Biometrics are no different in this matter for all sorts of reasons, and increasing use could lead to...

            Well, https://www.youtube.com/watch?v=iOpH6E7T6I0 comes to mind.

      2. Pirate Dave Silver badge
        Pirate

        Re: @codysydney: Because, Dear Commentard.

        @cornz 1 - Agreed. I'm 47, and I have to say I'm SICK of sites that were obviously written by a 20-year-old and ask "secret" questions that relate to childhood. How the fuck am I supposed to remember my first pet's name, or who my favorite 3rd grade teacher was, or what flavor the cake was at my 10th-birthday party? All that stuff is now shrouded in the mists of time, so I make up some answer that I KNOW I will forget if I need it in a year or two. So a big THANK YOU to all the PFY web designers out there, you're really showing your age (or lack of it).

        1. NotBob

          Re: @codysydney: Because, Dear Commentard.

          I'm not that seasoned yet, but I put my made up answers in the little black book with the passwords.

          It's the only way to keep track...

        2. Anonymous Coward
          Anonymous Coward

          Re: @PirateDave @codysydney: Because, Dear Commentard.

          TBH I'm also 47 but as I'm nearer to 50 than I am 45, I'm not splitting hairs...

        3. Updraft102

          Re: @codysydney: Because, Dear Commentard.

          I'm nearing 45, and I remember my third grade teacher's name (not sure about favorite-- I only had one), my first pet's name, but not the birthday cake one.

          I don't like those not because I've forgotten, but because it is possible for people who are not me to know the answers.

        4. Anonymous Coward
          Anonymous Coward

          Re: @codysydney: Because, Dear Commentard.

          Thought I had outsmarted all those stupid Qs with one answer to all of them until I ran into a site that required different answers for each Q. Sucks. To be honest, when trying to send out resumes (unemployed, mind you) and I would come across one of those sites, I simply moved on; it got so frustrating....

      3. NoneSuch Silver badge
        Big Brother

        Re: @codysydney: Because, Dear Commentard.

        "Internet security, for the main part, is crap...."

        Yes sir, because the NSA / GCHQ wants it to be that way.

      4. bombastic bob Silver badge

        Re: @codysydney: Because, Dear Commentard.

        this guy over 50 uses 'keepass' to try to manage the password chaos... then I only have to really remember ONE password (what the hell was it, anyway...)

        (it wasn't the one in that XKCD comic, either)

        1. VinceH

          Re: @codysydney: Because, Dear Commentard.

          Ah, so it's incorrecthorsebatterystaple. Cunning.

      5. Updraft102

        Re: @codysydney: Because, Dear Commentard.

        It's basically impossible to implement the best practices with passwords without electronic assistance. We're supposed to use long passwords that don't spell anything, that are not in repeatable patterns like "qwerty," that contain upper and lowercase letters, numbers, and symbols, and are unique per site. No one short of a savant could possibly remember hundreds of strings of gobbledygook and also which sites with which each is matched.

        Remembering one strong master password is a lot easier.

        I use a password generator to automatically create strong passwords, which are then remembered by Firefox's password manager when I log in. If I change the password, the manager asks if I wish to update the login in the store, so changes are relatively painless. It's encrypted on the disk, so the password store is as secure as the master password. It's not perfect, but there's really no better way that I can think of. It's better than using an easily-guessed password or the same one on every site, or keeping it written down on a post-it or in plain text in a file somewhere.

    3. Robert Carnegie Silver badge

      Your password must be changed monthly.

      So I have set it to ChangedMonthly-May-2016. In a few days I will set it to ChangedMonthly-June-2016.

      Not really. But what -is- the point of that compulsory change anyway? My best guess is it's so that everybody that I myself told my old password to can no longer use it. Unless they understand my system. And perhaps they now use it for their own... why don't I ask them.

  2. Destroy All Monsters Silver badge
    Windows

    One of my beefs with Microsoft "Exchange Online" things.

    You basically can only set mandatory password strength between "anything goes" and "what PHB thinks a password should look like (minus the fart sounds)". You can't access the password database to try a rainbow attack, for example, or even add code to perform your own acceptance criteria. I suspect at least 30% of our user database have passwords in the TR0UB4DOUR range. Such a feature would mean there might be additional exploitable holes of course, so it cuts both ways.

    1. NorthernCoder

      Re: One of my beefs with Microsoft "Exchange Online" things.

      " the TR0UB4DOUR range"

      I think I know what you mean, but could you explain that expression? I feel like there is a joke I am missing out on.

      1. toughluck

        Re: One of my beefs with Microsoft "Exchange Online" things.

        Here you go: https://xkcd.com/936/

        1. Version 1.0 Silver badge

          Re: One of my beefs with Microsoft "Exchange Online" things.

          I suspect that correct horsebatterystaple is in the banned list by now.

          1. Anonymous Coward
            Anonymous Coward

            Re: One of my beefs with Microsoft "Exchange Online" things.

            "I suspect that correct horsebatterystaple is in the banned list by now."

            Buggers. Guess I'll have to think up something new if I ever have to change my Office365 password. :(

  3. mythicalduck
    FAIL

    Microsoft what?

    The Microsoft post reiterates that the old beliefs about passwords are already obsolete: password length requirements, password “complexity” requirements, and periodic password expiration all need to be jettisoned because they make passwords less secure

    This coming from a company whose limited my password DOWN to 16 characters?! I don't even know how they did that if all they stored was a salted hash, but it used to be 20, so I always have to remember to backspace the last four when I try and log in.

    1. John Robson Silver badge
      Joke

      Re: Microsoft what?

      "remember to backspace the last four when I try and log in."

      So now it's a 24 key password - more secure, see....

      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft what?

        PayPal limits it to 20. Which you don't find out until you try and log in again. So you swear horribly, guess that they've just truncated it without telling you and knock off one character at a time until you hit the password limiter. Then, while you're waiting for the limiter to decide you're a solid citizen again, you do what you should have done in the first place and look up the character limit on the net. Happened to...ahem...someone I know.
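What mythicalduck's "how did they do that with a salted hash" and the PayPal story above both come down to is truncation before hashing: if the server cuts the password to N characters and only then salts and hashes it, a stored salted hash is perfectly consistent with a silent 16- or 20-character cap, and the shortened password still verifies. This is an added example, not code from Microsoft, PayPal or the article; the 16-character cap, the salt, the sample password and the low PBKDF2 iteration count are constructed for the demo, and the "knock off one character at a time" probe mirrors the approach described in the comment.

```python
"""Truncation before hashing: the vulnerable scheme beside a hardened one.

Added example; constants are constructed and not taken from any real service.
"""
import hashlib
import hmac

CAP = 16             # constructed: the silent cap mythicalduck describes
UPPER_BOUND = 1024   # constructed: a generous, openly enforced limit for the hardened version
ITERATIONS = 20_000  # deliberately low so the probe below runs quickly; use far more in production


def _hash(salt: bytes, password: str) -> bytes:
    # The salt prevents precomputed (rainbow) tables; it does nothing about truncation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Vulnerable: the password is cut to CAP characters *before* hashing, so any string
# that shares the first CAP characters authenticates and the user never finds out.
def register_truncating(password: str, salt: bytes) -> bytes:
    return _hash(salt, password[:CAP])


def verify_truncating(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_hash(salt, password[:CAP]), stored)


# Hardened: no silent truncation. An over-long password is rejected at registration
# so the user learns the rule, and login hashes exactly what was typed.
def register_strict(password: str, salt: bytes) -> bytes:
    if len(password.encode("utf-8")) > UPPER_BOUND:
        raise ValueError(f"password longer than {UPPER_BOUND} bytes")
    return _hash(salt, password)


def verify_strict(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_hash(salt, password), stored)


def shortest_accepted_prefix(verify, password: str, salt: bytes, stored: bytes) -> int:
    """The probe from the comments, done against a local verifier instead of a live
    login form: find the shortest prefix of the real password that still verifies.
    A result shorter than len(password) means the service truncates; 0 means nothing
    matched at all."""
    for n in range(1, len(password) + 1):
        if verify(password[:n], salt, stored):
            return n
    return 0


if __name__ == "__main__":
    salt = b"constructed-salt-value"
    pw = "CorrectHorseBattery1"  # 20 characters, constructed
    t = register_truncating(pw, salt)
    s = register_strict(pw, salt)
    print("truncating scheme accepts 16-char prefix:", verify_truncating(pw[:16], salt, t))
    print("truncating scheme cap detected at:", shortest_accepted_prefix(verify_truncating, pw, salt, t))
    print("strict scheme accepts 16-char prefix:", verify_strict(pw[:16], salt, s))
    print("strict scheme shortest prefix:", shortest_accepted_prefix(verify_strict, pw, salt, s))
```

Against a real service the same probe costs one login attempt per character and will trip lockout, which is exactly the "waiting for the limiter" the commenter describes; running it against your own verifier in a test suite is the cheap way to catch the bug before users do.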

    2. Roland6 Silver badge

      Re: Microsoft what?

      The Microsoft post reiterates that the old beliefs about passwords are already obsolete

      Whilst MS's policy decision is probably a good first step, it is however, already obsolete!

      What is being overlooked is the volume of information that is now out there. Whilst people are focused on the 'password' we should perhaps step back and ask what else is being taken? usernames, email addresses, security question responses, etc.

      From the various articles over the years, it would seem that if you know where to look, you will be able to pick up a password list containing email addresses/usernames and passwords. In today's world of 'big' data these datasets aren't particularly big, but are getting sufficiently numerous to be worth mining on a per username/email address basis. Thus whilst MS's approach is a good first step in that it implements some generic/global password checks, what is actually needed is a much finer-grained approach where the checks extend firstly to the passwords that have been frequently found to be paired with a specific email address and secondly to the additional security questions. Perhaps this is something that can be added into password safes, given they have access to (legally obtained) plain text credentials and so can statistically determine firstly whether someone's reuse of the same password has reached a critical point and secondly whether a particular password/credential set has been compromised and so which other credential sets the user should be looking to change.

      [Aside: I am wary of recommending using a random password generator, as recent revelations have shown that these may contain vulnerabilities that facilitate the guessing and hence cracking of generated passwords.]
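One way to build the finer-grained check Roland6 sketches, as an added example rather than anything from the article or from any password safe: a local range-query server indexed on the first five hex characters of the SHA-1 of each breached password, a client that sends only that prefix so the full hash of the candidate never leaves the machine (the k-anonymity pattern used by Have I Been Pwned's Pwned Passwords API; that service and its request shape are an assumption here, not something the page mentions), and a vault audit that reports, per site, how often the password appears in the corpus, how many vault entries reuse it, and whether the user's own email address has been seen paired with it. The breach corpus, the vault contents and the email address are all constructed.

```python
"""Prefix-only breach lookup plus a per-user vault audit.

Added example, not any vendor's code. The range-query shape is modelled on the
Pwned Passwords API (an assumption); corpus, vault and email are constructed.
"""
import hashlib
from collections import Counter, defaultdict

# Constructed breach corpus: (email, plaintext password) pairs as they turn up in dumps.
BREACH_CORPUS = [
    ("alice@example.com", "password1"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "letmein"),
    ("alice@example.com", "Summer2016!"),
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Holds hashes and counts only. range() returns every (suffix, count) whose
    hash starts with the 5-hex prefix, so the client reveals only that prefix."""

    def __init__(self, corpus):
        counts = Counter(sha1_hex(pw) for _, pw in corpus)
        self.by_prefix = defaultdict(list)
        for digest, n in counts.items():
            self.by_prefix[digest[:5]].append((digest[5:], n))
        # email -> hashes seen paired with it, for the per-address check Roland6 asks for
        self.by_email = defaultdict(set)
        for email, pw in corpus:
            self.by_email[email.lower()].add(sha1_hex(pw))

    def range(self, prefix: str):
        return list(self.by_prefix.get(prefix.upper(), []))

    def paired(self, email: str, prefix: str):
        """Hashes seen with this email that share the prefix (still prefix-only)."""
        return [h for h in self.by_email.get(email.lower(), ()) if h.startswith(prefix.upper())]


def pwned_count(server: RangeServer, password: str) -> int:
    """How many times the password appears in the corpus; the suffix match is local."""
    digest = sha1_hex(password)
    for suffix, n in server.range(digest[:5]):
        if suffix == digest[5:]:
            return n
    return 0


def paired_with_email(server: RangeServer, email: str, password: str) -> bool:
    """True if this exact email/password pair is in the corpus, i.e. an attacker
    mining by address would try it first."""
    digest = sha1_hex(password)
    return digest in server.paired(email, digest[:5])


def audit_vault(server: RangeServer, email: str, vault: dict) -> dict:
    """vault: {site: password} -> {site: (breach_count, reuse_count, paired_with_own_email)}.
    reuse_count is how many vault entries share the password; reuse plus a breach hit
    is the 'critical point' at which every site using it should be rotated."""
    reuse = Counter(vault.values())
    return {site: (pwned_count(server, pw), reuse[pw], paired_with_email(server, email, pw))
            for site, pw in vault.items()}


if __name__ == "__main__":
    server = RangeServer(BREACH_CORPUS)
    vault = {"forum": "password1", "shop": "password1", "bank": "xK9#vQ2m!pL7wR4t"}  # constructed
    for site, result in audit_vault(server, "alice@example.com", vault).items():
        print(site, result)
```

The split matters for where the plaintext lives: only the vault ever sees passwords, the server sees hashes, and the query carries a five-character prefix that matches hundreds of unrelated hashes in a corpus of any real size.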

  4. Michael H.F. Wilkinson Silver badge

    Simples

    L1anfairpw11gwyngy11g0gerychwyrndr0bw1111antysili0g0g0g0ch

    Alternatively use:

    "The Spanish Inquisition!!"

    Because nobody expects the Spanish Inquisition!!

    1. Swarthy

      Re: Simples

      Ah, so Welsh passwords.. not a bad beginning.

    2. Chika

      Re: Simples

      tH3%C0mf1*ch41R?

  5. Anonymous Coward
    Anonymous Coward

    Damn!

    There goes the use of "microsoftisshit" as a password then...

    1. This post has been deleted by its author

  6. Anonymous Coward
    Mushroom

    Only one solution...

    Go two factor already. It's the only way to know for sure...

    1. John Robson Silver badge

      Re: Only one solution...

      threeandsix?

      They are two factors of eighteen after all...

  7. Doctor Syntax Silver badge

    Meanwhile...

    ...if I mistype either the username or password on Hotlivelook Microsoft helpfully tells me which was wrong. And they still can't filter out spam pretending to come from themselves.

  8. Triggerfish

    Throwaway password

    I have throwaway passwords for things like forums that are relatively easy and tend to be memorable because they work on simple rules; see a couple of examples and you could guess the rules. But I, for example, am not going to be too upset if someone hacks my Reg account, or the forum that covers some hobbies.

    The hard passwords are for things like banking which I have to actually remember and tend to be unique.

  9. bombastic bob Silver badge
    Joke

    the movies give us the answer

    doesn't anyone remember the movie 'Hackers'? You know, the most common passwords:

    love, sex, money, secret, and of course, god.

    just ban those and we're fine.

    and, of course, this:

    https://xkcd.com/936/

  10. david 12 Silver badge

    Password length

    It's not clear from the references that password length requirements are unequivocally bad.

    Complexity requirements are bad in general, hiding the password as typed is bad.

    And very short passwords will of course fail the uniqueness tests.

    But it's not clear to me that you don't get a benefit from requiring a password to be 10 characters or more.
