[BreachExchange] Microsoft Bans Simple Passwords That Appear in Breach Lists

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 27 14:29:19 EDT 2016


http://news.softpedia.com/news/microsoft-bans-simple-passwords-that-appear-in-breach-lists-504459.shtml

Following the huge debacle related to the LinkedIn data breach that came to
light last week, Microsoft's Identity Protection team has decided to ban
the usage of common or simple passwords that may be easy to guess or have
already appeared in breach lists.

Microsoft says it has already activated this feature for regular Microsoft
Account users and is holding a limited private preview for Microsoft Azure
Active Directory services.

Microsoft maintains "a dynamically updated banned password list"

"The most important thing to keep in mind when selecting a password is to
choose one that is unique, and therefore hard to guess," Alex Weinert,
Group Program Manager of Azure AD Identity Protection team, has explained
today. "We help you do this in the Microsoft Account and Azure AD system by
dynamically banning commonly used passwords."

Weinert notes that Microsoft works much as black hat hackers do. When
details about a data breach become public and the data from the incident
makes its way onto the Internet, the company's employees actively seek it
out and add it to their database.

This data is processed and added to a dynamically updated banned password
list, which the company uses to block users from choosing common passwords
found in many data breach dumps.

Microsoft also uses data from brute-force attacks on its service

Further, the company also uses the common passwords it sees on its own
servers in brute-force attacks. At the start of the month, Microsoft
revealed that it saw over ten million cyber-attacks per day on its
Microsoft Account and Azure Active Directory identity systems. These
attacks give the company a huge sample from which to identify the
passwords most commonly tried in password-guessing brute-force attacks.
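The two passages above describe the same mechanism from two sides: a banned-password list is built from passwords seen in breach dumps and from passwords seen repeatedly in brute-force login attempts, and a user's chosen password is rejected if it matches the list. The following is an added illustration of such a check in Python, written for this post and not Microsoft's own code or a description of their implementation. The normalization rules (lowercasing, a few leetspeak substitutions, dropping trailing digits and symbols), the threshold for what counts as a "commonly guessed" password, and all of the breach-dump lines and attempt counts are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample breach-dump lines in a "user:password" layout.
# These are invented for the example; they are not real breach data.
BREACH_DUMP_LINES = [
    "alice@example.com:password",
    "bob@example.com:linkedin",
    "carol@example.com:qwerty123",
    "dave@example.com:Summer2016!",
    "erin@example.com:letmein",
]

# Constructed counts of passwords observed in failed login attempts.
# A real identity service would aggregate this from its own telemetry;
# the numbers here are invented to show the volume threshold at work.
GUESS_ATTEMPTS = Counter({
    "123456": 48000,
    "password": 31000,
    "football": 2500,
    "Tr0ub4dor&3": 3,  # rare guess: must not be banned on volume alone
})

# Assumed leetspeak substitutions used to fold variants onto one base form.
LEET_MAP = str.maketrans("@$01345", "asoieas")


def normalize(password: str) -> str:
    """Fold a password to a base form so trivial variants share one entry.

    Assumed rules: lowercase; if the password contains letters, drop any
    trailing run of digits/symbols (qwerty123 -> qwerty) and then undo
    common leetspeak (p@ssw0rd -> password). Purely numeric passwords such
    as 123456 are kept as-is so they can still be banned verbatim.
    """
    pw = password.lower()
    if re.search(r"[a-z]", pw):
        pw = re.sub(r"[^a-z]+$", "", pw)
        pw = pw.translate(LEET_MAP)
    return pw


def build_banned_list(dump_lines, guess_counts, min_guesses: int = 1000) -> set:
    """Merge breach-dump passwords with frequently guessed passwords.

    Every password found in a dump is banned outright; a password seen in
    login attempts is banned only once it crosses min_guesses, so a single
    odd guess does not pollute the list.
    """
    banned = set()
    for line in dump_lines:
        _user, _sep, pw = line.partition(":")
        if pw:
            banned.add(normalize(pw))
    for pw, count in guess_counts.items():
        if count >= min_guesses:
            banned.add(normalize(pw))
    return banned


def check_password(candidate: str, banned: set):
    """Return None if the candidate is acceptable, else a rejection reason."""
    if normalize(candidate) in banned:
        return "matches a banned password or a trivial variant of one"
    return None


if __name__ == "__main__":
    banned_list = build_banned_list(BREACH_DUMP_LINES, GUESS_ATTEMPTS)
    for pw in ["P@ssw0rd!", "LinkedIn2012", "123456", "Tr0ub4dor&3",
               "correct horse battery staple"]:
        verdict = check_password(pw, banned_list)
        print(f"{pw!r}: {'rejected, ' + verdict if verdict else 'accepted'}")
```

The normalization step is what makes the list useful in practice: without it, a user whose old password leaked as `password` could simply re-register `P@ssw0rd1`, which is no harder to guess once an attacker applies the same substitutions. The volume threshold on guessed passwords keeps one-off attempts from turning into bans while still catching the handful of passwords that account for most of the guessing traffic.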

Microsoft Account, formerly known as Windows Live ID, is a username and
password-based identity system deployed for regular Microsoft users,
serving services such as Bing, Outlook.com, OneDrive, Windows Phone, Skype,
Xbox LIVE, Windows 8.1, Windows 10, and many others.

On the other hand, Azure Active Directory (AAD) is an identity service for
managing user logins for corporate entities.

Massive LinkedIn data breach triggered this Microsoft policy change

Breach lists are the data dumped online by hackers, which often contain
password information, sometimes in cleartext or encrypted with weak
algorithms such as SHA1.

One of the biggest data breaches that took place is the one that affected
LinkedIn. The incident happened in 2012, and at the time, LinkedIn said it
affected only 6.5 million clients. Last week, a hacker surfaced online
selling 167 million records from the 2012 breach.

From that batch, 117 million user records contained weakly encrypted
passwords, a large part of which a company had already cracked less than
24 hours after the news surfaced.