Microsoft trying to prevent bad passwords, bad guys phishing for any passwords

In the wake of the news that the 2012 LinkedIn breach was significantly larger than previously though, passwords are apparently all the rage at Microsoft these days. Specifically, Microsoft has all but declared war on passwords that it believes are ‘bad’. I am a big fan of a layered approach to security and a strong passphrase is an essential layer, I think that the emphasis being placed on good / strong passwords / passphrases should be tempered with additional focus on additional layers like user training and multi-factor authentication.

The Good

  • Strong passphrases (i.e., that won’t be stored in an NTLM hash and won’t be easily brute-forced with some variation of the rockyou word list) are an essential part of a good security posture.
  • The article encourages the use of different passwords for everything and discourages the reuse of passwords (same password for your work computer, home computer, personal email, social media, online banking, etc.).  If passwords are shared, a breach at one site means a breach at all of them and malicious hackers can quickly use OSINT (open source intelligence) to find those breadcrumbs between accounts.
  • Securely storing the passwords (one per site) in a password manager like Keepass will make it easy to manage (many) multiple passwords and most have password generators that will make it easy to generate long, complex passwords or passphrases that aren’t influenced by the user preference (which can then be used by the malicious hacker to attack the password or passphrase).
  • Account lockouts are an excellent countermeasure to brute forcing accounts.  If an account gets locked out but the user wasn’t attempting to log in, the lockout will stop or slow down the attack and (at some point) notify the user that there’s some funny business going on.

The Bad

  • Recommending an 8 character password, while better than a 6 character password, still means that we’re likely looking at some variation of a dictionary word with a number (1, 2, 3, 4, etc. each time it changes) and / or a special character (most likely !) at the end.  This is not a challenge for a mid-priced GPU and a decent word list.
  • In the same way that users ‘beat’ the complexity requirements (the password “Password!” still meets the complexity requirements for a newly deployed Active Directory network in most cases), they will ‘beat’ the Dynamically Banned Passwords that Microsoft is maintaining.  KidsName+BirthYear+! will, in all likelihood still work as a valid password and can be easily obtained in many social media profiles (Yeah, little Johnny just started kindergarden gives us Johnny’s first name, we can deduce his birth year and then we’ve just gotta add a special character and we’ve got a starting point for our brute force attack).

The Ugly

  • Until we find a way to patch the user, social engineering is going to render moot many attempts to secure the network by a determined attacker.
  • Regardless of the length, complexity or age of a password, if a malicious hacker is able to simply call the user and ask for the password or, worse yet, get remote access to the computer (completely bypassing the need to get a username / password in many cases), we’ve lost the battle.


Password Guidance PDF –
Threatpost article –

Leave a Reply