Following the huge debacle related to the LinkedIn data breach that came to light last week, Microsoft’s Identity Protection team has decided to ban the usage of common or simple passwordsthat may be easy to guess or have already appeared in breach lists.
Security Experts from Lieberman Software and MIRACL discuss whether this is a good move.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
Microsoft analyzing passwords to keep a dynamic list of password values too weak to use safely is excellent for everyone. The ineffable beneficiaries are those using Microsoft services life Azure AD, but hopefully they will make the fruits of this effort open to all.
I imagine that Microsoft is only instituting their banned password list now because there is enough political capital to do it with so many breaches and stolen passwords in the news. Users will always object to what they see as more work for them. Since Microsoft can point to a stream of published lists of these weak passwords in the hands of bad guys, they can easily overrule a whiny user who only had “that sounds hard” as their reasoning.
The result of what Microsoft is doing here is to have a list of passwords that are too weak to ever use, e.g. ‘p@ssword’ or ‘letmein’, but it doesn’t rule out things that may be easy for you to remember. You could still use phrases that mean something to you like ‘isaw345cats’ – though I’ve just spoiled that one, of course. The point isn’t to make the passwords impossible for you, but rather to ensure you don’t use something so well known that it’s on every bad guy’s short list of passwords to guess.
Since Microsoft thinks they can defend this move with their users, hopefully it leads to organizations’ security folks getting the ammo they need to win these fights internally. Security pros have known for years that moves like this are a good idea – especially when coupled with multi-factor authentication as Microsoft has it. This could raise the security bar for everyone.
Brian Spector, CEO of MIRACL:
Although it is great that Microsoft is trying to increase security and awareness in this way. However, complex passwords are inconvenient, which is why people are failing to adopt them. The sad truth is that even using a combination of letters and numbers, or substituting numbers for letters, passwords can’t protect your personal information or data.
Therefore, Microsoft’s move doesn’t fix the underlying problem that passwords just aren’t secure enough to protect the personal information that we all store and access online today. The IT industry needs to get over passwords all together. They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks.
This is because the root problem lies beyond the individual’s influence, in the password infrastructure.
The most attractive attack vector for cyber-criminals is not the individual user’s vault that store passwords, but the database on the provider side that stores all user passwords. Successfully attacked, (which happens extremely frequently) all users’ passwords are vulnerable. All efforts by individuals to protect their passwords are entirely in vain if the service itself is hacked.
We don’t have to accept the weekly announcements of mass-password-breaches. We should activate 2-factor-authentcation wherever possible and demand strong authentication options where it are not. Service providers should move beyond the password and contribute to the restoration of trust on the Internet by removing the password from their systems all together. There are cryptographic advancements available that combine 2-factor-authentication with excellent ease of use that delight customers. Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space.