In an effort to protect humans from themselves when it comes to selecting a secure password, Microsoft is changing the way it allows people to choose passwords by banning common passwords from the Microsoft Account and Azure Active Directory (AD) systems. Microsoft will also implement a “smart” password feature that dynamically updates the list of banned passwords based on which passwords are being attacked each day. You can read the entire Microsoft post here.
For example, did you know that in the real world all of these common approaches:
- Password length requirements
- Password “complexity” requirements
- Regular, periodic password expiration
actually make passwords easier to crack? Why, you might ask? Because humans act in pretty predictable ways when faced with these kinds of requirements. You can learn all about it in Robyn’s paper.
In addition to Robyn’s paper, I want to share a few insights into how Azure AD and the Microsoft Account system work to protect you and your passwords. We do this in two innovative ways, based on the best practices outlined in Robyn’s paper:
- Dynamically banning common passwords
- Smart password lockout
Read on to learn more about these approaches and how we use them in Azure AD and the Microsoft Account System.
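As an added illustration of the dynamic banned-password idea described above (example code, not Microsoft's implementation or its actual matching rules): candidate passwords are reduced to a base word so that trivial variants collapse onto one entry, and base words that keep showing up in failed-login telemetry are promoted onto the ban list. The substitution table, the promotion threshold and the constructed attack feed are all assumptions.

```python
import re
from collections import Counter

# Assumed leet-speak substitutions used only for this illustration.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: lowercase, drop leading/trailing
    digits and punctuation (Summer2016!, P@ssw0rd1), then undo leet spelling.
    A password with no letters at all (123456) is kept as typed."""
    p = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return core.translate(LEET) if core else p


class DynamicBanList:
    """Ban list seeded from known-common passwords and grown from attack data."""

    def __init__(self, seed, threshold: int = 3):
        self.banned = {normalize(w) for w in seed}
        self.threshold = threshold        # guesses seen before a base word is banned
        self.observed = Counter()         # base word -> times seen in failed logins

    def is_banned(self, password: str) -> bool:
        """Reject any password whose base word is on the list."""
        return normalize(password) in self.banned

    def record_attack(self, guessed_password: str) -> bool:
        """Feed one guessed password from failed-login telemetry.
        Returns True when this guess caused its base word to be newly banned."""
        base = normalize(guessed_password)
        self.observed[base] += 1
        if base not in self.banned and self.observed[base] >= self.threshold:
            self.banned.add(base)
            return True
        return False


if __name__ == "__main__":
    # Constructed sample data: a small seed list and a few observed guesses.
    bl = DynamicBanList(["password", "letmein", "123456"])
    print(bl.is_banned("P@ssw0rd2016!"))   # True: same base word as "password"
    for guess in ["Summer2016", "summer!", "SUMMER1"]:
        bl.record_attack(guess)
    print(bl.is_banned("Summer2017"))      # True: "summer" was promoted to the list
```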