Following the huge debacle related to the LinkedIn data breach that came to light last week, Microsoft’s Identity Protection team has decided to ban the usage of common or simple passwords that may be easy to guess or have already appeared in breach lists.
Microsoft says it has already activated this feature for regular Microsoft Account users and is holding a limited private preview for Microsoft Azure Active Directory services.
Microsoft maintains “a dynamically updated banned password list”
“The most important thing to keep in mind when selecting a password is to choose one that is unique, and therefore hard to guess,” said Alex Weinert, Group Program Manager of the Azure AD Identity Protection team. “We help you do this in the Microsoft Account and Azure AD system by dynamically banning commonly used passwords.”
Weinert notes that Microsoft works much like black hat hackers do: when details about a data breach become public and the data from the incident makes its way onto the Internet, the company’s employees actively seek it out and add it to their database.
This data is processed and added to a dynamically updated banned password list, which the company uses to block users from choosing common passwords found in many data breach dumps.
Microsoft also uses data from brute-force attacks on its service
Further, the company also uses the common passwords it sees employed in brute-force attacks against its own servers. At the start of the month, Microsoft revealed that it saw on its Microsoft Account and Azure Active Directory identity systems. These attacks give the company a huge sample from which to identify the passwords most often tried in password-guessing brute-force attacks.
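To make the two feeds described above concrete, here is a small added example of how a banned-password list can be built and consulted. It is illustrative code written for this article, not Microsoft’s implementation: the dump format (one `email:secret` line, where the secret is either cleartext or an unsalted SHA-1 hex digest), the lowercase normalization, the brute-force frequency threshold, and all sample data are assumptions constructed for the demonstration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample of a breach dump in the common "email:secret" form.
# Some entries are cleartext, others are unsalted SHA-1 digests
# (the second line is the well-known SHA-1 of the string "password").
SAMPLE_DUMP = """\
alice@example.com:password1
bob@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
carol@example.com:Summer2016
dave@example.com:qwerty
"""

# Constructed sample of guesses observed in brute-force sign-in attempts.
# A real service would aggregate these from its authentication telemetry.
SAMPLE_GUESSES = (
    ["123456"] * 4 + ["letmein"] * 2 + ["qwerty"] * 3 + ["password"] * 3
)

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


class BannedPasswordList:
    """Dynamically updated deny-list fed from breach dumps and attack data."""

    def __init__(self):
        self.plain = set()  # normalized cleartext secrets
        self.sha1 = set()   # unsalted SHA-1 digests seen in dumps

    @staticmethod
    def normalize(password):
        # Assumed normalization: case-insensitive, surrounding whitespace ignored.
        return password.strip().lower()

    def ingest_dump(self, text):
        """Parse a breach dump; returns the number of records consumed."""
        consumed = 0
        for line in text.splitlines():
            if ":" not in line:
                continue  # skip malformed lines rather than fail the whole feed
            _, secret = line.split(":", 1)
            secret = secret.strip()
            if SHA1_HEX.match(secret):
                self.sha1.add(secret)
            else:
                self.plain.add(self.normalize(secret))
            consumed += 1
        return consumed

    def ingest_guesses(self, guesses, min_count=3):
        """Ban any guess tried at least min_count times; returns what was added."""
        counts = Counter(self.normalize(g) for g in guesses)
        added = sorted(pw for pw, n in counts.items() if n >= min_count)
        self.plain.update(added)
        return added

    def is_banned(self, candidate):
        """Reject a candidate if it matches a cleartext or SHA-1 dump entry."""
        if self.normalize(candidate) in self.plain:
            return True
        # Unsalted SHA-1 lets us test the candidate directly against dumped hashes.
        digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
        return digest in self.sha1


def build_sample_list():
    """Assemble a list from both constructed feeds."""
    banned = BannedPasswordList()
    banned.ingest_dump(SAMPLE_DUMP)
    banned.ingest_guesses(SAMPLE_GUESSES)
    return banned


if __name__ == "__main__":
    banned = build_sample_list()
    for pw in ["password", "PASSWORD1", "Summer2016", "correct horse battery staple"]:
        print(f"{pw!r}: {'banned' if banned.is_banned(pw) else 'allowed'}")
```

The SHA-1 branch is the point of the example: because the dumped hashes are unsalted, a defender can screen new passwords against them as cheaply as an attacker can crack them, without ever storing the recovered cleartext.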
Microsoft Account, formerly known as Windows Live ID, is a username and password-based identity system deployed for regular Microsoft users, serving services such as Bing, Outlook.com, OneDrive, Windows Phone, Skype, Xbox LIVE, Windows 8.1, Windows 10, and many others.
On the other hand, Azure Active Directory (AAD) is an identity service for managing user logins for corporate entities.
Massive LinkedIn data breach triggered this Microsoft policy change
Breach lists are the data dumped online by hackers, which often contain password information, sometimes in cleartext or hashed with weak algorithms such as SHA1.
One of the biggest data breaches that took place is the one that affected LinkedIn. The incident happened in 2012, and at the time, LinkedIn said it affected only 6.5 million clients. Last week, a hacker surfaced online from the 2012 breach.
From that batch, 117 million user records contained weakly hashed passwords, which a company has alreadyof in less than 24 hours after the news surfaced.