
After LinkedIn heist, here's how Microsoft is tightening password security


Batu69


LinkedIn's latest list of leaked credentials is helping Microsoft refine its list of banned passwords as it also issues new best-practice guidelines.


The dynamically-banned passwords feature is live in Microsoft Account Service for consumers and in a private preview for Azure Active Directory.


Microsoft will soon launch a new Azure Active Directory (AD) feature that will let admins stop users from picking easily-guessed passwords.

Following last week's leak of 117 million LinkedIn credentials, Microsoft has detailed how it's using the leaked list and others like it to prevent Microsoft Account users from picking passwords that appear frequently in stolen data.


Each time Microsoft becomes aware of a new password leak, it updates its list of common passwords to block any that match or come close to matching the current attack list.

The dynamically-banned passwords feature is live in Microsoft Account Service for consumers and in a private preview for Azure AD. Microsoft will roll out the feature to over 10 million Azure AD tenants in coming months.


IT admins will have the ability to lock down corporate email accounts automatically if the username and password for those accounts match credentials in a newly-leaked list.

When Microsoft discovers a new list of compromised credentials, it runs them through a system that compares hashes of the passwords with those stored with live accounts.


If it identifies an at-risk account, Microsoft locks it and prompts the user to verify their identity and reset their password. This same capability will soon be available to Azure AD users, allowing the enterprise to lock down accounts before leaked credentials are abused.

Another password feature, currently in public preview in Azure AD, addresses password reuse.


Microsoft's Identity Protection Division also released a new password best practice paper yesterday, urging admins to stop using policies that require users to pick long, complex passwords that need to be changed frequently. Humans tend to work around the obstacles and end up choosing worse passwords, Microsoft notes.

The UK GCHQ's info-sec arm CESG last month also came out against frequent password changes because they often result in weaker passwords.


Instead, Microsoft says the policies should encourage users to create unique passwords, hence the ban on commonly-used passwords. Unique passwords should also discourage the use of corporate passwords on external sites.

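The post above describes two mechanisms without showing how either works: a banned-password list rebuilt from each new leak that also catches passwords "close to" a banned one, and a comparison of leaked credentials against hashes held for live accounts. The following is an added example written for this page, not Microsoft's code and not from either article. The seed words, the leet-speak substitution table, the PBKDF2 parameters, the sample account store and the sample leak are all constructed assumptions; Microsoft's real scoring is not public.

```python
"""Banned-password matching and leaked-credential matching, as an illustration.
Example code for this page, not Microsoft's implementation; every list, table and
parameter below is constructed for the demonstration."""
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Substitutions cracking wordlists already enumerate, so they add no real strength.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})
# Digits/punctuation bolted onto the front or back of a word ('Password2016!').
_EDGE_JUNK = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")
PBKDF2_ROUNDS = 100_000  # assumption for the example store, not Microsoft's setting


def normalize(candidate: str) -> str:
    """Fold a password to the base word an attacker's wordlist would try."""
    stripped = _EDGE_JUNK.sub("", candidate)
    if not stripped:              # purely digits/symbols ('123456'): compare as typed
        return candidate.lower()
    return stripped.lower().translate(_LEET)


def build_banned_list(leaked_passwords: Iterable[str], min_count: int = 3) -> Set[str]:
    """Rebuild the banned set from a dump: any base word seen min_count+ times is
    banned. 'P@ssw0rd', 'password1' and 'PASSWORD!' all fold to one entry."""
    counts = Counter(normalize(p) for p in leaked_passwords)
    return {word for word, n in counts.items() if word and n >= min_count}


def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                # deletion from a
        elif len(a) < len(b):
            j += 1                # insertion into a
        else:
            i, j = i + 1, j + 1   # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_banned(candidate: str, banned: Set[str]) -> bool:
    """Reject a password that matches, or comes close to, any banned base word."""
    base = normalize(candidate)
    for word in banned:
        if base == word or _within_one_edit(base, word):
            return True
        # A banned word buried inside a longer one ('mypassword99'); short words are
        # skipped so that merely containing 'abc' does not fail every password.
        if len(word) >= 6 and word in base:
            return True
    return False


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 hash); plaintext is never kept."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def find_compromised(accounts: Dict[str, Tuple[bytes, bytes]],
                     leak: Iterable[Tuple[str, str]]) -> List[str]:
    """Return usernames whose current password equals the one leaked for them.
    Each leaked plaintext is rehashed under that account's own salt and compared in
    constant time. A dump of hashes must be cracked to plaintext first; it cannot be
    compared directly against a store that uses different salts."""
    hits = []
    for username, leaked_pw in leak:
        record = accounts.get(username)
        if record is None:
            continue
        salt, stored = record
        probe = hashlib.pbkdf2_hmac("sha256", leaked_pw.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(probe, stored):
            hits.append(username)
    return hits


# Constructed sample dump, as a cracked (username, plaintext) list would look.
SAMPLE_LEAK = [
    ("alice", "P@ssw0rd2016!"), ("bob", "M!cr0$0ft"), ("carol", "Summer2016"),
    ("dave", "password1"), ("erin", "PASSWORD!"), ("frank", "123456"),
    ("grace", "123456"), ("heidi", "123456"), ("ivan", "linkedin2012"),
    ("judy", "Linked1n"), ("mallory", "l!nkedin"),
]
# Curated seed words (constructed) plus whatever the latest dump adds.
BANNED = {"microsoft", "qwerty"} | build_banned_list(pw for _, pw in SAMPLE_LEAK)

# Constructed live store: alice and carol reused the leaked password, bob did not.
ACCOUNTS = {
    "alice": make_record("P@ssw0rd2016!"),
    "bob": make_record("a-long-unrelated-passphrase"),
    "carol": make_record("Summer2016"),
}

if __name__ == "__main__":
    for pw in ("M!cr0$0ft", "passwrd", "mypassword99", "correct horse battery staple"):
        print(f"{pw!r:34} banned={is_banned(pw, BANNED)}")
    print("lock and force reset:", find_compromised(ACCOUNTS, SAMPLE_LEAK))
```

The normalizer is what makes 'M!cr0$0ft' and 'P@ssw0rd2016!' fail even though neither string appears verbatim in any list: substitutions and appended years are the first things a cracking tool tries, so they are stripped before comparison. The leak check deliberately requires the leaked password in plaintext and hashes it under each account's own salt; it never decrypts or downgrades the stored hash, and the constant-time compare avoids leaking which byte of the digest first differed.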


Azure Active Directory no longer allows the likes of 'M!cr0$0ft' to gain entry.

With LinkedIn providing yet more fodder for attackers' rainbow tables and login bots, Microsoft has decided to start blocking too-common passwords. As a result, Azure Active Directory's 10 million or so users will no longer be able to select a password that's appeared too many times on breach lists, or commonly appears in attackers' login attempts.

The new regulation is already live in Microsoft Account Service and in private preview in Azure Active Directory, Redmond says in this Technet post. “What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work”, Alex Weinart writes.

The Microsoft post reiterates that the old beliefs about passwords are already obsolete: password length requirements, password “complexity” requirements, and periodic password expiration all need to be jettisoned because they make passwords less secure. That's in line with what the UK's GCHQ said earlier this month, and for pretty much the same reasons.

Microsoft's ID protection team member Robyn Hicock explains in Redmond's password guidance that “people react in predictable ways when confronted with similar sets of restraints” – which exacerbates users' irritating tendency to pick bad passwords, and re-use passwords.


http://www.theregister.co.uk/2016/05/25/microsoft_password_policy/


Moved from The Chat Bar forum & merged.

Post edited: Put source link.
