As stolen passwords and account information continue to flood the Internet, making life easier for lazy attackers, Microsoft is planning to roll out a new service on its Azure cloud platform that will prevent customers from using common passwords.
The change is not just a requirement that users employ long or artificially complex passwords, but rather a system that will dynamically ban passwords that are commonly used. Microsoft has been using the system on some of its platforms for a while now, including Xbox, OneDrive, and others. The system is based on a constantly updated list of banned passwords that are either too common or too close to commonly used passwords.
The change at Microsoft comes at a time when data breaches are a daily occurrence and lists of stolen passwords from those incidents are a dime a dozen. Or less. The latest dump was a cache of 117 million credentials purported to come from a 2012 breach at LinkedIn.
“On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach,” an email LinkedIn sent to customers yesterday says.
Microsoft officials said the company always looks at lists of common passwords to see which ones are being used most often, and are therefore the most vulnerable.
“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work,” Alex Weinert, group program manager of Azure AD Identity Protection at Microsoft, said.
Weinert said that Microsoft sees roughly 10 million accounts attacked on its systems every day, and uses information from those attacks to update its list of banned passwords.
“We then use that list to prevent you from selecting a commonly used password or one that is similar. This service is already live in the Microsoft Account Service and in private preview in Azure AD. Over the next few months we will roll it out across all 10m+ Azure AD tenants,” Weinert said.
The password-banning system is currently in private preview and will be rolled out to all Azure AD customers later this year.