If your password happens to be something pretty lazy – like “qwerty”, “password” or “12345678” – then take note.
Following LinkedIn’s massive data breach in which 117 million users’ emails and passwords were stolen and put up for sale on the dark web, Microsoft has decided easy passwords won’t cut the mustard any more.
The global tech giant is completely banning all commonly used passwords, so users will have to put more effort into the security of their online accounts.
And that means the days of using “letmein”, “football”, “welcome” or “1234” are over – at least on Microsoft products.
But rather than toughening up rules about the complexity and length of passwords, Microsoft will look at publicly available information about common passwords – and prevent you from using them.
Alex Weinert, of Microsoft’s identity protection team, wrote in a blog post: “We analyse the passwords that are being used most commonly. Bad guys use this data to inform their attacks.
“What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.”
The list will be regularly updated based on new password leaks.
The company says it has already rolled out the feature to its Microsoft Account service – which covers Outlook, Xbox and OneDrive – and will add the update to its Azure AD login system.
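To make the idea concrete, here is an added example (not Microsoft's code, and not part of the original article) of what a banned-password check looks like: a list seeded with the passwords named above, a normalization step that undoes the disguises attackers already try (capital letters, a trailing year, “@” for “a”), and a helper that merges a newly published leak into the list. The normalization rules and the sample leak are my own assumptions; the article only says the list is refreshed from breach data.

```python
import re

# Constructed starter list of commonly used passwords (the ones the article names).
# A real deployment refreshes this from breach data, as the article says Microsoft does.
BANNED_PASSWORDS = frozenset({
    "password", "qwerty", "12345678", "letmein", "football", "welcome", "1234",
})

# Assumed normalization: undo the substitutions attackers already try ("P@ssw0rd"),
# so a banned word in disguise is still caught. This is an assumption, not Microsoft's documented rule.
_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Lowercase, drop a trailing run of digits/punctuation, then undo leet substitutions."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    if not stripped:
        # All-digit or all-symbol passwords ("12345678") are compared verbatim.
        return lowered
    return stripped.translate(_SUBSTITUTIONS)


def is_banned(password: str, banned=BANNED_PASSWORDS) -> bool:
    """True if the password, as typed or after normalization, appears on the banned list."""
    normalized_banned = {normalize(b) for b in banned}
    return password.lower() in banned or normalize(password) in normalized_banned


def update_from_leak(banned, leaked_text: str):
    """Merge a newly published list (one password per line, '#' comments allowed) into the banned set."""
    additions = {
        line.strip().lower()
        for line in leaked_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return frozenset(banned) | additions


if __name__ == "__main__":
    # Constructed sample "leak" to show the list being refreshed.
    leak = "# constructed sample dump\nmonkey\nsunshine\n"
    current = update_from_leak(BANNED_PASSWORDS, leak)
    for candidate in ["P@ssw0rd2016", "Sunshine1", "correct horse battery staple"]:
        verdict = "rejected" if is_banned(candidate, current) else "accepted"
        print(candidate, "->", verdict)
```

The point of normalizing before the lookup is that a plain string match would accept “P@ssw0rd2016” even though it is on every attacker's first-guess list; comparing both the raw and the normalized form against a normalized list closes that gap without touching length or complexity rules.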
“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyse the passwords that are being used most commonly,” Weinert adds.
In addition to that, Microsoft is also planning a “smart password lockout” system that only stops people who are trying to access someone else’s account illegally.
But the system will allow you to log in if you are using your own device and on an internet network you have used before.
Using “lockout semantics”, Microsoft can evaluate the risk associated with a specific login session and restrict access to hackers accordingly.
“Our systems are designed for determining the risk associated with a specific login session,” adds Weinert. “Using this, we can apply lockout semantics only to the folks who aren’t you.
“The only way *you* get locked out is if someone is guessing your passwords on your own machine or network.”