Cyber Security News

Microsoft bans common passwords from Account Services and Azure AD

June 06, 2016


Microsoft will no longer allow “common” passwords in Microsoft Account services (the personal accounts used for Xbox Live, Hotmail, MSN and so on) or in Azure AD. Its reasoning is that breaches such as LinkedIn’s, which exposed roughly 117 million username/password pairs, have handed criminals a very accurate picture of which passwords people actually choose, and those lists are now fed straight into brute-force and password-spraying attacks against other services. Microsoft will therefore reject any new password that appears on its “banned password list”, which is updated dynamically from known data breaches.


Microsoft also points out that the conventional approach to forcing users to pick a good password (complexity rules, length rules and forced expiration) can actually make passwords less secure, because people respond to these requirements in very predictable ways: capitalising the first letter, appending a digit or “!”, and incrementing that digit at each forced reset. Attackers know these patterns as well as users do. Here is Microsoft’s current guidance for IT administrators:


  1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  2. Eliminate character-composition requirements.
  3. Eliminate mandatory periodic password resets for user accounts.
  4. Ban common passwords, to keep the most vulnerable passwords out of your system.
  5. Educate your users not to re-use their password for non-work-related purposes.
  6. Enforce registration for multi-factor authentication.
  7. Enable risk-based multi-factor authentication challenges.
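The article says that Microsoft rejects any new password found on its breach-derived banned list, and items 1, 2 and 4 of the guidance describe the policy that replaces composition rules: an 8-character minimum, no character classes, and a banned-list check. The check below is an added example written for this page, not Microsoft's code. The page does not describe how the list is matched, so the normalisation steps (case folding, stripping of boundary digits and punctuation, undoing common letter-for-symbol substitutions), the one-edit near-match, the embedding rule and the five-character MIN_EFFECTIVE_LENGTH threshold are this example's own choices, and the BANNED set is a constructed sample standing in for a real breach-derived list.

```python
"""Banned-password check with normalisation, near-match and embedding rules.

Added illustration, not Microsoft's code: the page says only that Microsoft
rejects passwords found on a breach-derived list, not how matching is done.
"""
from __future__ import annotations

import re
import string
import unicodedata

MIN_LENGTH = 8             # guidance item 1: an 8-character minimum and nothing more
MIN_EFFECTIVE_LENGTH = 5   # assumption: what must remain once banned words are collapsed

# Constructed sample of a banned list. A production list holds many thousands of
# entries and is refreshed from breach corpora; a set gives O(1) exact lookups.
BANNED = {
    "password", "qwerty", "letmein", "welcome", "iloveyou", "monkey", "dragon",
    "football", "baseball", "linkedin", "sunshine", "princess", "abc123",
    "123456", "12345678",
}

# Substitutions users make to satisfy composition rules. Cracking tools apply the
# same mangling rules to their wordlists, so undoing them before lookup is essential.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t", "+": "t", "|": "l"})


def _alnum(s: str) -> str:
    """Keep only ASCII letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s)


def candidate_forms(password: str) -> set[str]:
    """Every normalised spelling of the candidate that should be looked up."""
    lower = unicodedata.normalize("NFKC", password).casefold()
    trimmed = lower.strip(string.digits + string.punctuation)   # "Password2016!" -> "password"
    forms: set[str] = set()
    for base in (lower, trimmed):
        leet = base.translate(LEET_MAP)                          # "p@$$w0rd" -> "password"
        forms.update({base, leet, _alnum(leet)})
    forms.discard("")
    return forms


def within_one_edit(a: str, b: str) -> bool:
    """Levenshtein distance <= 1: at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
        else:
            edits += 1
            if edits > 1:
                return False
            if len(a) == len(b):    # substitution: advance both strings
                i += 1
        j += 1                      # insertion into the shorter one: advance only b
    return edits + (len(b) - j) <= 1


def evaluate(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Length and banned-list checks only, no composition rules."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    forms = candidate_forms(password)
    for form in forms:                               # exact hit on any normalised spelling
        if form in BANNED:
            return False, f"matches banned password {form!r}"
    for form in forms:                               # one-character variants ("passwod")
        if len(form) >= 6:
            for banned in BANNED:
                if within_one_edit(form, banned):
                    return False, f"is a one-character variant of banned password {banned!r}"
    # Embedding rule: collapse each banned word to a single character and require that
    # enough unrelated material remains ("MyPassword1" -> "my*1" fails; a passphrase passes).
    lower = unicodedata.normalize("NFKC", password).casefold()
    remaining = []
    for text in (_alnum(lower), _alnum(lower.translate(LEET_MAP))):
        for banned in sorted(BANNED, key=len, reverse=True):
            text = text.replace(banned, "*")
        remaining.append(len(text))
    if min(remaining) < MIN_EFFECTIVE_LENGTH:
        return False, "is built around a banned password"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates, including the kind of LinkedIn-era favourites the page mentions.
    for candidate in ["Password123!", "P@$$w0rd2016", "LinkedIn2016!", "MyPassword1",
                      "123456789", "passwod!!!", "Monkey", "Tr0ub4dor&3",
                      "correcthorsebatterystaple"]:
        ok, reason = evaluate(candidate)
        print(f"{'ACCEPT' if ok else 'REJECT'} {candidate!r}: {reason}")
```

Running the script shows why composition rules on their own achieve little: "Password123!" and "P@$$w0rd2016" both satisfy a typical upper/lower/digit/symbol rule, yet both collapse to "password" and are rejected, while the rule-free passphrase is accepted. In a real deployment the list would be loaded from a file and refreshed as new breach corpora appear, and the rejection reason would be shown to the user so they understand what to avoid rather than simply retrying with another digit appended.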





Page last modified June 6, 2016