Microsoft's Azure Won't Let You Use Weak Passwords
Let's talk about password strength requirements. You've all seen the messages saying something to the effect of 'Your password must contain one uppercase letter, one lowercase letter, a digit, a special character, and it must be at least ten symbols long.' You probably know what the purpose of these messages is: encouraging people to create strong, preferably unique passwords. But do they actually work?
They don't. The problem is, when there are loopholes, humans are bound to try and exploit them. It's not necessarily a conscious effort. In the case of password strength requirements, people just can't remember passwords that are long, complex, and random enough. As a result, instead of protecting their data with something truly unique, they just add "123!" to the end of "Password."
"Password123!" isn't much stronger than "Password." The additional characters might make a difference if hackers are trying to crack the password using old hardware and a traditional brute-forcing technique which tries different combinations of symbols, but crooks don't do that anymore. It's much easier for them to just compile a dictionary of common passwords and try those instead. "Password123!" is a common password and can, therefore, be cracked in milliseconds. Microsoft knows this, and it's trying to do something about it.
It's adding a couple of new features to its Azure AD platform. They're called Banned Passwords and Smart Lockout, and in theory, they should be more effective at preventing users from using weak passwords.
Microsoft has realized that strength requirements don't necessarily result in strong passwords, and it's decided that a different, brilliantly simple approach is needed. It just bans weak passwords. Microsoft's security people have put together a list of 500 common passwords, and Azure AD users aren't allowed to use them.
That's all well and good, but as we mentioned already, people will likely try to find a way around the new rules, and they will, for example, swap "Password123!" with "P@$$w0rd123!". This isn't good enough, either. To prevent them from yielding to the temptation of using a simple password, Microsoft also included a list of over 1 million variations of the 500 common passwords they started with. As a result, swapping "a" for "@" won't work, either.
It might seem like an overly restrictive measure, and we're sure that some users will probably be a bit frustrated. Then again, complexity requirements can also drive you mad sometimes, especially when you're in a hurry, and besides all this, more and more experts reckon that this is the way forward.
Microsoft is also giving sysadmins the option of enriching the list of banned passwords and customizing it to their own needs. This is really important because, as anyone with any interest in password security will tell you, a lot of people tend to make silly mistakes such as using "amazon" as the password for their Amazon account. Diligent administrators can put an end to this bad practice by modifying the list of banned passwords.
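The two paragraphs above describe the core of the Banned Passwords idea: a global list of common passwords, a normalization step that defeats "a" to "@" substitutions and "123!" suffixes, and an administrator-supplied custom list for organization-specific terms like "amazon". The following checker is an added example written for this article; it is not Microsoft's code, and the banned list, the substitution table and the normalization rules are all constructed here to illustrate the approach rather than taken from Azure AD.

```python
import re
from typing import Iterable, Optional

# Constructed stand-in for the "500 common passwords" list (assumption: a tiny sample,
# not Microsoft's actual list).
GLOBAL_BANNED = {"password", "welcome", "letmein", "qwerty", "iloveyou"}

# Character substitutions users commonly apply to dodge a ban. This table is an
# assumption for the example; Microsoft's variant list is not reproduced here.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a",
    "$": "s", "5": "s",
    "0": "o",
    "1": "i", "!": "i", "|": "i",
    "3": "e",
    "7": "t",
})


def normalize(candidate: str) -> str:
    """Reduce a candidate to its 'base word' so that P@$$w0rd123! and Password compare equal.

    Steps: lower-case, strip leading/trailing runs of digits and punctuation (the "123!"
    trick), then undo leet-style substitutions inside the remaining core.
    """
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop "123!"-style suffixes
    s = re.sub(r"^[^a-z]+", "", s)   # drop leading digits/punctuation
    return s.translate(SUBSTITUTIONS)


def find_banned_term(candidate: str, custom_banned: Iterable[str] = ()) -> Optional[str]:
    """Return the banned term the candidate is built on, or None if it passes.

    custom_banned plays the role of the administrator-supplied additions; a company
    would put its own name, product names and local terms there.
    """
    norm = normalize(candidate)
    if not norm:                     # nothing but digits/punctuation: treat as banned
        return candidate
    for term in set(GLOBAL_BANNED) | set(custom_banned):
        base = normalize(term)
        if base and base in norm:    # substring match catches "MyPassword2024"
            return term
    return None


def is_banned(candidate: str, custom_banned: Iterable[str] = ()) -> bool:
    return find_banned_term(candidate, custom_banned) is not None


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Password", "Password123!", "P@$$w0rd123!", "Amazon2024!", "correct horse battery"]:
        hit = find_banned_term(pw, custom_banned=("amazon",))
        print(f"{pw!r:28} -> {'BANNED (' + hit + ')' if hit else 'ok'}")
```

Two design points worth noting. First, the normalization runs on both the candidate and the banned terms, so an administrator can add "Amaz0n" or "amazon" to the custom list and get the same coverage. Second, a substring match is deliberately aggressive: "MyPassword2024" is rejected even though it is longer than the banned word, because the extra characters add little against a dictionary attack, which is exactly the point the article makes about "Password123!".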
They will need to pay for it, though. The Banned Passwords are a part of Azure AD's Premium Password Protection feature which is available to Azure AD Premium 1 subscribers. We'll leave it up to you to decide what you make of Microsoft's decision to give a really useful security feature to paying customers only.
Smart Lockout is the second security feature Microsoft is about to introduce, and this time, it will be available to all Azure AD users. According to Redmond's experts, it uses "cloud intelligence" to make out whether or not the login attempts are legitimate. The idea is, the bad guys will be locked out long before they can make enough password guesses.
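The article does not say how Azure AD's "cloud intelligence" decides which attempts are legitimate, so the example below is an added illustration of the lockout idea rather than Microsoft's algorithm. The assumptions are its own: failed attempts are counted per account in two buckets, sources that have previously signed in successfully ("familiar") and everything else ("unfamiliar"); reaching the threshold locks that bucket for a period that doubles on every repeat lockout. That way a guessing campaign from unfamiliar sources locks itself out while the real user, signing in from a familiar source, is not caught by it. The threshold and durations are example values, not Azure's settings.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple


class SmartLockout:
    """Per-account lockout with familiar/unfamiliar source buckets and escalating lock time.

    Illustrative design only (assumption for this example): Azure AD's real policy and
    signals are not documented in the article.
    """

    def __init__(self, threshold: int = 10, base_lock_seconds: float = 60.0) -> None:
        self.threshold = threshold
        self.base_lock_seconds = base_lock_seconds
        # account -> sources that have completed a successful sign-in before
        self.known_sources: Dict[str, Set[str]] = defaultdict(set)
        # (account, bucket) -> consecutive failures since the last success/lock
        self.failures: Dict[Tuple[str, str], int] = defaultdict(int)
        # (account, bucket) -> time at which the lock expires
        self.locked_until: Dict[Tuple[str, str], float] = defaultdict(float)
        # (account, bucket) -> number of lockouts so far, drives escalation
        self.lock_count: Dict[Tuple[str, str], int] = defaultdict(int)

    def _bucket(self, account: str, source: str) -> str:
        return "familiar" if source in self.known_sources[account] else "unfamiliar"

    def is_locked(self, account: str, source: str, now: float) -> bool:
        return now < self.locked_until[(account, self._bucket(account, source))]

    def record_attempt(self, account: str, source: str, success: bool, now: float) -> str:
        """Process one sign-in attempt; returns 'allowed', 'denied' or 'locked'."""
        key = (account, self._bucket(account, source))
        if now < self.locked_until[key]:
            return "locked"                      # refuse without even checking the password
        if success:
            self.failures[key] = 0
            self.known_sources[account].add(source)
            return "allowed"
        self.failures[key] += 1
        if self.failures[key] >= self.threshold:
            self.lock_count[key] += 1
            # Escalate: 1x, 2x, 4x ... the base duration for repeat lockouts.
            duration = self.base_lock_seconds * (2 ** (self.lock_count[key] - 1))
            self.locked_until[key] = now + duration
            self.failures[key] = 0
            return "locked"
        return "denied"


def simulate() -> Dict[str, str]:
    """Constructed scenario: a guessing run from rotating unfamiliar sources vs. the real user."""
    sl = SmartLockout(threshold=3, base_lock_seconds=60.0)
    out: Dict[str, str] = {}
    out["user_first_login"] = sl.record_attempt("alice", "home-ip", True, now=0.0)
    # Three wrong guesses from three different unfamiliar sources share one bucket,
    # so rotating source addresses does not reset the counter.
    for i, src in enumerate(["ip-a", "ip-b", "ip-c"], start=1):
        out[f"guess_{i}"] = sl.record_attempt("alice", src, False, now=float(i))
    out["guess_after_lock"] = sl.record_attempt("alice", "ip-d", False, now=4.0)
    # The real user from a familiar source is unaffected by the unfamiliar-bucket lock.
    out["user_during_lock"] = sl.record_attempt("alice", "home-ip", True, now=5.0)
    out["unfamiliar_after_expiry"] = "unlocked" if not sl.is_locked("alice", "ip-d", 70.0) else "locked"
    return out


if __name__ == "__main__":
    for step, result in simulate().items():
        print(f"{step:26} {result}")
```

The bucket is keyed on the account, not on the source address, which is the important choice: an attacker who spreads guesses across many addresses still fills the same "unfamiliar" counter, while a legitimate user on a device that has signed in before keeps working through the lock. Escalating the lock duration on repeat lockouts is what makes a sustained guessing campaign slow down rather than simply pause.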
It's good to see that Microsoft is thinking about the security of its customers' systems. The Banned Passwords feature is bound to cause some frustration among users, but it must be said that usability problems emerge quite often when new security features are introduced. Besides, a password management tool can take care of them quickly and easily.