Microsoft revamps password protocols to ban easy to guess log-ins

Easy to guess passwords like "password" and "123456" will go the way of Clippy and dial-up internet if Microsoft has its way, with the software giant announcing it will soon forbid users of its products to use commonly used log-ins.

In a blog post, Microsoft said it has rejigged its password policies in an attempt to stem the flow of password breaches, which are still so common that the company says someone tries to hack into a Microsoft account by guessing the password 10 million times a day.

• Russian hackers steal 1.2 billion passwords for thousands of websites
• 117 million LinkedIn accounts hacked in 2012, company says

"When it comes to big breach lists, cybercriminals and [IT security] have something in common," Alex Weinert at Microsoft's security team said in the blog post this week. "We both analyze the passwords that are being used most commonly."

The bad guys use those lists to keeps their attempts to break in up to date, while IT security teams use databases of common phrases and characters across the network to make sure more people can't also use them and add to the problem.

Password problems

Some of the strategies devised in recent years — things like requiring them to be above a certain length, requiring them to be a complex mix of letters and numbers, and even requiring that they be changed on a regular basis — have actually done little to halt breaches, because it turns out the scammers are on top of them, too.

Long passwords don't work, Microsoft says, because it turns out if you give people a minimum character limit, most people will choose a password exactly that long — things like "fourfourfourfour" and "passwordpassword" are common for 16-character limits, Microsoft says. Knowing how long a password is can help scammers narrow billions of password possibilities down to thousands.

And complex ones don't work overly well either, it turns out, because most people use similar patterns — put a capital letter in the first position, a symbol in the last, and a number in the last two, for example. "Cybercriminals know this, so they run their dictionary attacks using the common substitutions, such as "$" for "s", "@" for "a," "1" for "l" and so on," Microsoft cybersecurity expert Robyn Hicock said in a recent white paper on the topic.

• Cybersecurity expert offers tips on choosing a good password
• The 25 worst passwords of 2014 — is yours on the list?

Lastly, making passwords expire also does more harm than good, Microsoft says, because that makes people use predictable passwords composed of sequential words and numbers which are closely related to each other — password1, password2, stopmakingmedothis3 and so on. "There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily," Hickok says.

There are many things that network managers can do to make their systems secure, but one of the quick and easy ones that Microsoft is now mandating across its products is an outright ban on all the most common ones. The company won't specifically say which ones are on the no-no list, but this ranking of the most common passwords in 2015 is a good guide, Microsoft says in its blog post.

That means from now on, anyone trying to change their Outlook email or XBox Live password to "password," "welcome," "123456," "login," or yes, even "starwars" will be forbidden from doing so.

The best advice, Microsoft says, is to choose a password that's unique, and don't use it repeatedly across different websites and services. Unfortunately, that conflicts with what lazy computer users tend to want to do.

"Understanding human nature is critical because research shows that almost every rule you impose on the end user will result in a degradation of password quality," Microsoft says.

That all "makes it easier for attackers to guess or crack passwords."