Microsoft to block insecure passwords

As long as passwords reign supreme, Microsoft will look for ways to improve safety.

In a brief blog post on the Active Directory Team Blog, members of Microsoft’s Identity Division took time to comment on the recent LinkedIn username/password breach. They outlined how they already have methods in place to help administrators keep their organization secure, and then went on to say that they are trialing a new technique to improve account security.

That technique? Block bad passwords.

Microsoft’s tools will classify bad passwords by checking for any passwords involved in malicious attacks. Then, when a user sets or changes the password on their account, the prospective password will be dynamically checked against known bad passwords. Should it be structurally similar to known weak passwords and fail the check, the prospective password will be outright rejected.
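To make "structurally similar" concrete, here is a small sketch of such a check. It is an added illustration, not Microsoft's code or algorithm: the banned list, the substitution table, the suffix-stripping rule and the distance threshold are all assumptions chosen for the example.

```python
# Added illustration: NOT Microsoft's algorithm. The normalization rules,
# the distance threshold and the sample list below are assumptions.
import re

# Constructed sample; a real deployment would load passwords seen in attacks.
BANNED = {"123456", "password", "qwerty", "letmein", "linkedin", "welcome"}

# Common character substitutions folded back to letters (assumed rule set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its structural core for comparison."""
    lowered = password.lower()
    # Drop a trailing run of digits/punctuation such as "2016!" first,
    # so the suffix is not mistaken for substituted letters.
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if not core:
        return lowered  # all digits/symbols: compare as typed
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only the previous row in memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, banned=BANNED, max_distance: int = 1):
    """Return (accepted, banned entry that matched or None)."""
    core = normalize(candidate)
    for bad in sorted(banned):
        # Reject exact hits and near misses after normalization.
        if edit_distance(core, bad) <= max_distance:
            return False, bad
    return True, None
```

A password that passes the usual complexity rules, such as `P@ssw0rd1!`, is still rejected here because it collapses to a banned entry.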

This builds on the current setup, wherein users are told the relative strength of their password based on general rules. Although users are encouraged to use strong passwords, some practices actually result in users consciously opting for the less secure password. For now, weak passwords are not actively blocked.

Right now, the technology is in private preview form, with no announced date for rollout to the public. It will be implemented in normal Microsoft online accounts (for services like Skype, Outlook/Hotmail/Windows Live Mail, and Office Online), as well as in Microsoft’s various Azure tools/services (used by outside companies).

The future where we can leave passwords behind cannot come soon enough for some companies. Until that day comes, use a password manager. And a secure password generator. And set up 2-factor authentication whenever possible.

[source: Microsoft TechNet Blogs]