
Microsoft declares war on dumb passwords

COMMENT

People need to put a little more thought into choosing a password.

Microsoft is creating a dynamic list of stupid passwords that you're forbidden to use with your online accounts, in an effort to protect people from their own laziness.

Making simple rules which force people to create stronger passwords often only encourages lazy people to come up with a slightly longer dumb password, such as switching from "password" to the supposedly much more secure "password1".

Traditionally the solution to this problem has been to keep raising the bar every few years, demanding longer passwords and a broader mix of characters – which lazy people satisfy by changing "password1" to "Password123". The base word never changes, so the guess an attacker tries first never changes either.

Forcing people to regularly change their passwords can also be counterproductive, as they're likely to choose weaker passwords – something simple which follows a regular pattern – if they're forced to change it every month.

The trouble is that hackers rely on the fact that people are lazy, because every time we see a list of stolen passwords it's full of gems like "123456", "password" and "qwerty". These are the first passwords that hackers test when trying to break into your account, knowing that the chances of success are disturbingly high.

Microsoft's latest solution is to study these lists of stolen passwords and automatically ban the most common, even if technically they pass its requirements in terms of length and complexity.

Pretty soon if you try to use a dumb password with your OneDrive or other Microsoft account you'll politely be told: "Choose a password that's harder for people to guess". After a while people won't be able to simply throw another character on the end of their old dumb password, such as going from "password" to "password1", because that variant will also have been added to the list of dumb passwords.
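As an added illustration of the mechanism described above (this is example code, not Microsoft's own checker or list), the Python below builds a banned list from the most frequent base words in a leaked dump and then rejects any candidate that reduces to one of them. The leaked sample, the normalisation rules, the top-N cut-off and the minimum length are all constructed assumptions for the example; the point is that "password", "Password1" and "P@ssw0rd!" all collapse to the same base word and fail the same way, while a longer uncommon passphrase passes.

```python
"""Banned-password check in the style the article describes (added example).

The leaked sample, normalisation rules and cut-off below are constructed for
illustration only; they are not Microsoft's actual list or code.
"""
import re
from collections import Counter

# Constructed sample of a leaked password dump. Only the passwords are needed;
# a site never has to keep the matching usernames to build a list like this.
LEAKED_SAMPLE = [
    "123456", "123456", "123456", "password", "password", "qwerty",
    "Password1", "letmein", "123456", "password", "qwerty", "dragon",
    "Tr0ub4dor&3", "correcthorsebatterystaple", "P@ssw0rd", "123456",
]

# Keyboard substitutions people use to satisfy "must contain a digit/symbol" rules.
# Assumed mapping; real lists use a much larger table.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})

BANNED_MESSAGE = "Choose a password that's harder for people to guess"


def normalize(password):
    """Reduce a candidate to the base word a guessing attack would start from.

    Lower-cases, strips leading/trailing digits and symbols ("password1!" ->
    "password"), then undoes common leet substitutions ("p@ssw0rd" -> "password").
    An all-digit password such as "123456" is returned unchanged.
    """
    p = password.lower()
    base = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", p)
    if not base:
        return p
    return base.translate(_LEET)


def most_common_bases(leaked, top_n):
    """Normalise every leaked password and return the top_n base words by frequency."""
    counts = Counter(normalize(p) for p in leaked)
    return [base for base, _ in counts.most_common(top_n)]


# The "dynamic list": rebuilt from whatever dump is current. top_n=3 is an
# assumption chosen so the toy sample produces a sensible list.
BANNED = set(most_common_bases(LEAKED_SAMPLE, 3))


def check(password, banned, min_length=8):
    """Apply the banned-list rule first, then a plain minimum-length rule.

    The banned check runs on both the raw password and its normalised base, so
    "Password123!" is rejected even though it would satisfy a length/complexity rule.
    """
    if password.lower() in banned or normalize(password) in banned:
        return BANNED_MESSAGE
    if len(password) < min_length:
        return "too short"
    return "ok"


if __name__ == "__main__":
    print("banned bases:", sorted(BANNED))
    for candidate in ["password", "Password1", "P@ssw0rd!", "Password123",
                      "123456", "dragon", "correcthorsebatterystaple"]:
        print(f"{candidate!r:30} -> {check(candidate, BANNED)}")
```

Note that the list is keyed on the normalised base word rather than on exact strings, which is what stops the "add one more character" workaround: every future variant of "password" reduces to an entry that is already banned, without anyone having to enumerate the variants.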

The best passwords are easy for you to remember but difficult for a person to guess or a computer to crack by brute force – what are your tricks for choosing strong and memorable passwords?


6 comments so far

  • Let me decide how important a password is for each particular service. If all I have in my OneDrive are pictures of my dog then 'password' is fine. I make sure my important services have a good password, but these days when every website, every app, every game seems to want a password, what is wrong with some generic ones?

    Commenter
    KymBo
    Date and time
    May 27, 2016, 1:25PM
    • I can't wait for passwords to be replaced with some other kind of authentication.

      Every website and service requires a strong, unique, memorable password – it's impossible!

      A password manager solves this issue, but it's also a single point of failure.

      Commenter
      Doobs
      Date and time
      May 27, 2016, 1:58PM
      • I agree with KymBo. The problem with all these password rules is that one ends up setting up a spreadsheet of access rights and passwords. I use a range of passwords that reflect the importance of the function, i.e. banking passwords are very strong whereas others are very basic indeed. If websites insist on registering customers for no real gain to the customer, they should allow simple passwords.

        What I would like to know though is how did Microsoft gain the list of passwords? A website should not store the source password; it should store the one-way code generated from the encryption of the password. This adds security for the customer, as they know the password cannot be hacked from the website.

        Commenter
        View from Kariong
        Date and time
        May 27, 2016, 2:37PM
        • >> What I would like to know though, how did Microsoft gain the list of passwords?

          "Microsoft's latest solution is to study these lists of stolen passwords and automatically ban the most common, even if technically they pass its requirements in terms of length and complexity"

          :)

          Commenter
          Doobs
          Date and time
          May 27, 2016, 2:48PM
        • Microsoft got the list of passwords the same way the hackers did, pastebin.

          That said, they can collect as many passwords as they like as they're entered. Doesn't really matter as long as they don't store them with the usernames.

          My only objection to password checkers is some will reject a passphrase like "youshouldbeusingtwofactor" because it's full of omg words, but "Password1!" passes the usual complexity checks.

          The funny part is MS-run Hotmail stopped using more than 16 characters of a password back in 2012; wonder if that changed.

          Commenter
          Meh
          Date and time
          May 27, 2016, 2:52PM
      • I purchased some stuff from the Windows store recently on my phone and Surface Pro 4. Both used biometric facial authentication (Windows Hello cameras on both the SP4 and my Lumia 950XL). It's awesome, and needs to roll out to other sites and services pronto.

        Commenter
        TechHead
        Location
        in your base
        Date and time
        May 27, 2016, 4:07PM
