The age-old problem: you try to enforce solid, secure passwords throughout your organization, but the CEO complains and you have to backtrack and compromise. Or, for some IT folks, having to reset a handful of users' passwords every 60 days because "they forgot," or because the complexity you required was too much, forced you to give up and simplify the password policy.
Because you couldn't enforce stronger password policies, Microsoft wants to help secure the environment anyway. The company is setting up ban lists for its online properties, including both Microsoft Accounts and Azure AD services. The list, called the dynamically banned list, contains the most used and most stolen passwords. If a user tries to set a password that is already on the list, Microsoft services will force the user to create a more complex one instead.
A new Password Guidance paper (available for download from HERE) says this…
Microsoft account was among the first large identity providers to ban a list of known bad passwords (abcdefg, password, monkey, etc.). We have found that banning common passwords is highly effective at removing weak passwords from the system. Microsoft account currently bans patterns which are commonly used in attacks, or even close to those patterns. A list of the top 25 most common passwords for 2015 is here.
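To show the mechanism described above, here is an added example (not Microsoft's code, and not from the Password Guidance paper) of a ban-list check that also catches the "close to those patterns" cases: it undoes common digit-for-letter substitutions, strips trailing digits and symbols, and then looks for an exact, embedded or one-edit-away match. The ban list, the substitution table and the edit-distance threshold are assumptions constructed for this example.

```python
import re

# Constructed sample ban list for this example; a real deployment loads a
# large, regularly refreshed list of leaked and most-used passwords.
BANNED = {"password", "abcdefg", "monkey", "123456", "qwerty", "letmein", "iloveyou"}

# Substitutions users make to satisfy "must contain a digit or symbol" rules
# (assumed table; extend as needed).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "$": "s", "5": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to the word an attacker's wordlist would contain."""
    core = re.sub(r"[\d\W_]+$", "", pw)   # "Password2016!" -> "Password"
    return core.lower().translate(LEET)   # "P@ssw0rd"      -> "password"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the 'close to the pattern' check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_banned(pw: str, banned=BANNED):
    """Return the banned entry the password matches, or None if it is acceptable."""
    raw = pw.lower()
    norm = normalize(pw)
    for entry in banned:
        if raw == entry or norm == entry:
            return entry
        # Near misses: the banned word embedded in a longer password
        # ("mypassword2016") or one character away ("passwerd"). Only applied
        # to longer entries so short ones do not over-match.
        if len(entry) >= 6 and (entry in norm or edit_distance(norm, entry) <= 1):
            return entry
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "mypassword2016", "correct horse battery staple"]:
        print(candidate, "->", is_banned(candidate) or "accepted")
```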
The Password Guidance paper contains some of the more common reminders about password security. It's probably a good idea to keep this paper on hand to forward to the CEO who keeps skirting the dangers of losing corporate data and putting the company at risk.