Microsoft recently took an unusual step and began blocking commonly used passwords on a number of its services, including Xbox Live and Office 365, and will soon apply the same rule to Azure Active Directory in the cloud. The starting point for Microsoft's list was the SplashData annual "Worst Password List," which includes such gems as "12345," "qwerty" and "password." Users who try to set one of these are met with the warning "Choose a password that's harder for people to guess" and are forced to come up with something more inventive and, hopefully, more secure.
While this initiative by Microsoft should certainly help keep individual users' accounts from being hacked, it does nothing for the large population of corporate users authenticating to an on-premises Active Directory domain. Since Windows Server 2008, Active Directory has supported fine-grained password policies, which were seen as a big advantage because different groups of users in the organization can be held to different requirements. For example, a salesperson may be required to use an eight-character password while a systems administrator is required to use a twelve-character one. Other settings that can vary by group are whether the built-in complexity rule is enforced (the password must contain three of five character classes: upper case, lower case, digits, symbols and other Unicode letters, and must not contain the user's account name or any token of three or more characters from the display name), password history, minimum and maximum password age, and account-lockout thresholds.
This was a step in the right direction, but it did not prevent people from choosing simple dictionary words that happen to satisfy the rules, or from incrementing: "Password.1" this quarter, "Password.2" the next, and so on. It also did not stop users from building the password around the company name or any other word an attacker would try first; the only names the built-in complexity check rejects are the user's own account name and the tokens of their display name. As long as the password complied with the basic criteria, it was accepted.
There are commercially available applications that address this issue for the corporate network. On Windows they plug in as password filter DLLs that LSASS loads on every domain controller, so the filter must be installed on every DC and the DLL runs with LSASS's privileges and has to be treated as fully trusted code. At the same time, they provide a user-friendly graphical user interface (GUI) that shows, as the user types, which of the complex rules the new password does and does not yet satisfy. Rules can, for example, disallow runs of repeated characters and incrementing of an earlier password, require any number of character classes, and reject any word in a dictionary of excluded terms, the company name included.
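The rule set described above, as an added example that is not code from the original article or from any commercial product: a small policy checker that enforces length, character classes, repeated runs, a banned-word dictionary (with common letter substitutions undone, so "P@ssw0rd" still matches "password"), the user's own name tokens, and incrementing. A Windows password filter only ever sees the new password, so incrementing is detected here by hashing the normalized stem (the password with its trailing digits and symbols removed) of each accepted password and refusing a later candidate with the same stem; that design, the word list, and the account "jsmith" / "John Smith" are all constructed for the example.

```python
"""Illustrative corporate password-rule checker (added example, not a product's code)."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed word list; a real deployment would load a large breached-password list.
BANNED_WORDS = {"password", "qwerty", "letmein", "welcome", "contoso"}

# Undo the substitutions people use to sneak a dictionary word past a filter.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case and de-leet so 'P@ssw0rd' compares equal to 'password'."""
    return pw.lower().translate(LEET)


def stem(pw: str) -> str:
    """Drop the trailing digits/symbols users bump when 'rotating' a password."""
    return normalize(re.sub(r"[\W\d_]+$", "", pw))


def _stem_hash(account_name: str, s: str) -> str:
    # Stems are stored hashed per account; a real filter would add a random salt.
    return hashlib.sha256(f"{account_name.lower()}:{s}".encode()).hexdigest()


def name_tokens(*names: str) -> set[str]:
    """Split names on the delimiters AD uses and keep tokens of 3+ characters."""
    tokens = set()
    for n in names:
        for t in re.split(r"[\s,.\-_#]+", n):
            if len(t) >= 3:
                tokens.add(t.lower())
    return tokens


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3          # of: upper, lower, digit, other
    max_run: int = 2              # longest allowed run of one repeated character
    banned_words: set = field(default_factory=lambda: set(BANNED_WORDS))
    # account name -> set of hashed stems of that account's earlier passwords
    stem_history: dict = field(default_factory=dict)

    def check(self, candidate: str, account_name: str, display_name: str = "") -> list[str]:
        """Return every rule the candidate violates; an empty list means it is acceptable."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, candidate))
                      for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            problems.append(f"uses {classes} character classes, needs {self.min_classes}")
        if re.search(r"(.)\1{%d,}" % self.max_run, candidate):
            problems.append(f"repeats a character more than {self.max_run} times in a row")
        norm = normalize(candidate)
        for w in sorted(self.banned_words):
            if w in norm:
                problems.append(f"contains banned word '{w}'")
        for t in name_tokens(display_name) | {account_name.lower()}:
            if len(t) >= 3 and t in norm:
                problems.append(f"contains part of the user's name '{t}'")
        s = stem(candidate)
        if s and _stem_hash(account_name, s) in self.stem_history.get(account_name.lower(), set()):
            problems.append("is an earlier password with only its trailing digits/symbols changed")
        return problems

    def remember(self, candidate: str, account_name: str) -> None:
        """Record the stem of an accepted password so a later increment of it is rejected."""
        s = stem(candidate)
        if s:
            self.stem_history.setdefault(account_name.lower(), set()).add(_stem_hash(account_name, s))


if __name__ == "__main__":
    policy = PasswordPolicy()
    policy.remember("Winter2023!!", "jsmith")       # constructed earlier password
    for pw in ("P@ssw0rd.1", "Winter2024!!", "Sm1thJohn#99", "Correct-Horse-Battery"):
        print(pw, "->", policy.check(pw, "jsmith", "John Smith") or "OK")
```

The GUI a product shows while the user types is just this list of violations redrawn on every keystroke; the same `check` routine, run server-side in the filter DLL, is what actually accepts or rejects the change.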
When coupled with a self-service password reset application, turning on complex passwords for an organization can be relatively painless and need not add to the workload of the IT department or the helpdesk. These applications function much like a banking website: users enroll by choosing a series of challenge questions and providing answers. Should they forget their complex password, they can reset it on their own from either a website or a "Forgot My Password" link on the Windows login screen. Challenge questions are the weakest part of that flow, since answers such as a mother's maiden name or a first car are often discoverable, so require several questions, reject trivially short answers, and add a second factor such as a code sent to a registered phone where the product supports it.
The steps Microsoft is taking are definitely a move in the right direction to protect users whose easily guessable passwords invite guessing attacks. Applications like a password complexity manager and self-service password reset can give enterprises the same protection without increasing the workload on the IT department. Hopefully, when next year's list of worst passwords is released, it will at least contain something more difficult to guess than "password."