If you want to use a Microsoft service and try to create an account, the company will not allow you to use a frequently encountered security code.
The same approach applies to the preview phase for Azure Active Directory users and will be released to other Microsoft services over the coming months.
What are common passwords?
Alex Weinert, Group Program Manager of Azure AD Identity Protection, explained he decided which passwords are too common.
His team created an automated system fed by lists of usernames and passwords stolen from other companies and organizations, leaked online or offered for sale, and a list of usernames and passwords recorded in over 10 millions attacks (brute force) that are made daily on the company's systems (it is a list that is constantly updated).
With base these data, the system recognizes which passwords are repeated most often, and blocks the selection of such passwords.
Additional security options
Interestingly, when Microsoft asks users to choose a password, it makes it with a unique requirement to have from 8 characters and up.
The company chose not to ask for larger codes or enriched with symbol characters to add complexity, and advises IT administrators not to force users to periodically reset their account passwords.
Why
Because users according to the company react in a predictable way when confronted with similar constraints.
From a previous one research, Microsoft discovered that:
- In additional and mandatory password requirements, customers typically use repeating patterns (eg passwordpassword), choosing to write their passwords twice.
- Complexity requirements in passwords lead to identical ones models passwords that use e.g. a first capital letter, a symbol in the last, and a number in the last two, which makes them vulnerable to brute-force attacks.
- The obligatory temporary reset of passwords results in the selection of previous passwords, ie the passwords are "updated" to older ones.
More recommendations for managing passwords for users and administrators are provided in the following White Paper. You'll also find tips on how to choose a good (strong and unique) password, and other practices to keep your data safe.
Microsoft Password Guidance (PDF)