Microsoft recently announced that it would begin banning weak passwords for a variety of its services and also introduced a feature called Smart Password Lockout to prevent attackers from guessing passwords. How is Microsoft banning these weak passwords, and how does the Smart Password Lockout work? Will these things benefit enterprises or just complicate matters?
Stealing passwords is big business in the world of cybercrime. One Russian hacker known as the Collector has recently been offering more than 250 million stolen usernames and passwords for Mail.ru, Yahoo Mail, Gmail, Hotmail and other accounts. Another hacker nicknamed Peace is advertising for sale a database of 167 million emails and hashed passwords belonging to LinkedIn users. As many people use the same username and password for multiple sites, their credentials can potentially provide easy access to social media accounts, online banking services and enterprise networks and resources. According to Microsoft's Security Intelligence Report Volume 20, it detects more than 10 million credential attacks every day across its various identity systems.
When these big password lists come on to the market they are analyzed both by cybercriminals and security teams, such as Microsoft's Azure Active Directory Identity Protection team -- everyone is looking to see which passwords are the most common. Microsoft is using this information to dynamically update its banned list of common and similar weak passwords. Now, before a user's proposed password is accepted for her Microsoft Account or in Azure AD, it's compared against this list to ensure it's not present. If it is on the list, the user is prompted to choose a password that's harder for other people to guess. By preventing users from choosing common and easy to guess weak passwords, it will reduce the chances of their passwords being cracked by a rainbow table or dictionary-based, brute force attack.
On top of this feature, Microsoft is also introducing Smart Password Lockout to reduce the disruption caused by hackers trying to guess an account password online and triggering an account lockdown. When Microsoft's security system detects someone trying to guess a password online, it will only lock out that specific login session. This means when the genuine user tries to log in, the account is not locked, and as long as she enters the correct username and password, she can access her account. This will save huge amounts of time and frustration given the millions of attacks that occur each day. The only time a genuine user will be locked out is if someone is judged to be trying to guess her password while using the user's own machine or network.
Although many policies and online services try to enforce strong passwords by requiring users to choose a password with a minimum length and complexity, Microsoft has found that this forces people to standardize their passwords in order to remember them, making it easier for hackers to crack them. Preventing users from choosing common weak passwords will certainly improve the effectiveness of many password policies by ensuring passwords are more unique, and therefore harder to guess. Although these security features will certainly help improve password security, some users may struggle to remember harder passwords.
As bad passwords are a major weakness in endpoint security, enterprises should be moving to multifactor authentication (MFA), particularly when users need to access sensitive resources or information. MFA makes it a lot harder for a hacker to use stolen credentials to gain access to endpoint devices and the rest of the network. The presence of high quality cameras, microphones and fingerprint readers in many of today's devices means it's never been easier to implement. The FIDO specification supports a wide range of authentication technologies, including biometrics, USB security tokens and smart cards that can be deployed without extensive programming. Hopefully these technologies will help end the role of the password as the primary authentication factor.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Pick from the top multifactor authentication products
Find out how to protect your organization from bad passwords
Learn how to avoid data breaches with better passwords