Microsoft is building a list of most commonly used & leaked passwords

  1. Cluster Head's Avatar
    Posts : 1,563
    Windows 10 Pro x64 RS 10586.586
       24 May 2016 #1


    Microsoft is building a list of most commonly used & leaked passwords
    117M leaked creds (from LinkedIn?). New best practices + #AzureAD and MSA can help

    Howdy folks,

    You probably saw the news last week that a hacker was selling a list with 117M usernames and passwords purportedly leaked from LinkedIn. With these kinds of leaks happening almost weekly now, what can a person do to protect themselves? Or if you are an IT admin, what can you do to protect your users' accounts?

    Based on the latest research, there are some straightforward, concrete steps you can take as a user or as an administrator to help protect your accounts. And we’ve got some great features in #AzureAD and the Microsoft Account service that can help you as well.

    I’ve asked Robyn Hicock and Alex Weinert from our Identity Protection team to walk you through these steps. Robyn has done a really great white paper reviewing the latest best practices in password security and Alex has written up a nice blog post showing you how Azure AD and the Microsoft Account service can help. You’ll find Alex’s blog post and links to Robyn’s whitepaper below.

    I hope you’ll take the time to read them both. They are both interesting and some of Robyn’s findings will probably surprise you!

    Best Regards,

    Alex Simons (Twitter: @Alex_A_Simons)

    Director of Program Management

    Microsoft Identity Division


    Hello everyone!

    Alex Weinert, Group Program Manager of Azure AD Identity Protection team here again. Hot on the heels of my blog explaining our approach to lists of compromised credentials and sharing the results data, last week we had another big list in the news, this time a set of 117M purportedly leaked from LinkedIn.

    With all these lists leaking, what can you do to stay safe?

    To start with, I’d recommend you read this great whitepaper that Robyn Hicock, a Program Manager on our team just published online. It highlights a bunch of very cool research and gives some great guidance on improving the security of passwords.

    The paper draws on some great work done by the folks in Microsoft Research, our data and learnings from 10+ years of defending the Microsoft Account service from attacks and information across the industry.

    I think it will change the way you think about your password policies. For example, did you know that in the real world all of these common approaches:

    • Password length requirements
    • Password “complexity” requirements
    • Regular, periodic password expiration

    actually make passwords easier to crack? Why you might ask? Because humans act in pretty predictable ways when faced with these kinds of requirements. You can learn all about it in Robyn’s paper.

    In addition to Robyn’s paper, I want to share a few insights into how Azure AD and the Microsoft Account system work to protect you and your passwords. We do this in two innovative ways based on the best practice outlined in Robyn’s paper:
    • Dynamically banning common passwords
    • Smart password lockout

    Read on to learn more about these approaches and how we use them in Azure AD and the Microsoft Account System.

    Dynamically Banned Passwords

    As Robyn’s paper explains, the most important thing to keep in mind when selecting a password is to choose one that is unique, and therefore hard to guess. We help you do this in the Microsoft Account and Azure AD system by dynamically banning commonly used passwords.

    When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.

    As I mentioned in my last blog and the latest Microsoft Security Incident Report, we see more than 10M accounts attacked daily, so we have a lot of data about which passwords are in play in those attacks. We use this data to maintain a dynamically updated banned password list.

    We then use that list to prevent you from selecting a commonly used password or one that is similar. This service is already live in the Microsoft Account Service and in private preview in Azure AD. Over the next few months we will roll it out across all 10m+ Azure AD tenants.

    Here’s what it looks like to an end user in Azure AD (currently in private preview – coming soon!):

    [Image: 001052416_2003_117Mleakedc1.jpg]

    And here’s what it looks like on your Microsoft account (Outlook, Xbox, OneDrive…):

    [Image: 002052416_2003_117Mleakedc2.jpg]

    Smart Password Lockout

    Of course, you already know that when our security system detects a bad guy trying to guess your password online, we will lock out the account. What you probably don’t know is that we do lots of work to make sure that they only lock themselves out!

    Our systems are designed for determining the risk associated with a specific login session. Using this, we can apply lockout semantics only to the folks who aren’t you. The only way *you* get locked out is if someone is guessing your passwords on your own machine or network.

    If you are locked out in Azure AD, it looks like this:

    [Image: 003052416_2003_117Mleakedc3.png]

    And in Microsoft account, it looks like this:

    [Image: 004052416_2003_117Mleakedc4.png]

    To see how effective this is at saving good users from disruption, check this out – more than half the time, we keep hackers from disrupting you or your users:

    [Image: 005052416_2003_117Mleakedc5.jpg]
    Microsoft Password Guidance
    Download pdf:


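As an added illustration of the "commonly used password or one that is similar" check the post describes (example code, not Microsoft's own; their list is dynamic and not published), here is a small server-side filter against a constructed banned list, which also undoes the decorations people add to a banned base word:

```python
import re
from typing import Optional

# Constructed sample banned list. Microsoft's real list is dynamic and not
# published; these are just the kind of base words that dominate leaked lists.
BANNED = ["password", "123456", "qwerty", "letmein", "welcome", "linkedin", "iloveyou"]

# Leetspeak substitutions that attackers' mangling rules undo anyway.
LEET = str.maketrans("@$013457!", "asoleasti")


def normalize(pw: str) -> str:
    """Reduce a candidate to its base word: lowercase, drop the digits and
    symbols people bolt onto the ends ("Password1!"), undo leetspeak ("P@ssw0rd")."""
    s = pw.strip().lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                 # extra char in a: deletion
        elif len(a) < len(b):
            j += 1                 # missing char in a: insertion
        else:
            i, j = i + 1, j + 1    # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def is_banned(candidate: str) -> Optional[str]:
    """Return the banned entry the candidate equals or closely resembles, else None.
    Both the raw lowercase form (catches all-digit entries like 123456) and the
    normalized base word are checked; fuzzy matching only applies to forms of
    six or more characters so that tiny strings are not 'near' everything."""
    forms = [f for f in (candidate.strip().lower(), normalize(candidate)) if f]
    for banned in BANNED:
        for form in forms:
            if form == banned or (len(form) >= 6 and within_one_edit(form, banned)):
                return banned
    return None
```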
  2.    24 May 2016 #1

    Thanks.. I bet that 12345678 or some form of that is the most used. I want to see that list.

