Microsoft Banning Crappy Passwords

HardOCP News

Want to use your favorite password "123456" on OneDrive, Outlook, or Xbox Live? Good luck with that. Microsoft is putting a tool in place that will block you from using crappy passwords. It's for your own good.

When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.
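The quoted passage describes the defender's side of the banned-password idea: normalize what the user typed and refuse anything that is on, or one trivial tweak away from, the attack list. The following is an added illustration of that check, not Microsoft's code or its real list: the banned entries, the leet-substitution table and the "within one edit or containing a banned word" rules are all assumptions constructed for the demo.

```python
import re

# Constructed sample banned list for the demo; a real deployment would use a
# much larger list built from breach data, as the Azure AD team describes.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "football"}

# Leet-style substitutions to undo before matching (assumed set, not Microsoft's).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def candidate_forms(password: str) -> set[str]:
    """Return the normalized variants of a password that get checked against the list.

    Variants: lower-cased; with leading/trailing digits and symbols stripped
    (the 'Summer2016!' decoration); and with leet substitutions undone.
    """
    lower = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    forms = {
        lower,
        stripped,
        lower.translate(SUBSTITUTIONS),
        stripped.translate(SUBSTITUTIONS),
    }
    return {f for f in forms if f}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long):
        if short[i] == long[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True
            j += 1
    return True


def is_banned(password: str, banned: set[str] = BANNED) -> bool:
    """Reject passwords that equal, nearly equal, or contain a banned entry."""
    for form in candidate_forms(password):
        for entry in banned:
            if form == entry or within_one_edit(form, entry):
                return True
            # A banned word buried in decoration ("myqwerty99") is still banned;
            # the length floor avoids flagging every password containing "abc".
            if len(entry) >= 6 and entry in form:
                return True
    return False


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2016!", "Passwrd", "correct horse battery staple"):
        print(f"{candidate!r}: {'banned' if is_banned(candidate) else 'ok'}")
```

The point of the normalization step is that the attacker's wordlist rules (capitalize, append a year, swap a for @) are cheap, so the check has to undo the same transformations before comparing; a plain string match against the list would pass "P@ssw0rd2016!" straight through.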
 
Working in IT, I am always surprised at the junk passwords people have. Even considering our Domain rules try and force them to have something decent.
 
Software I designed 5 years ago already has this functionality, now I feel like a visionary ;).
 
Working in IT, I am always surprised at the junk passwords people have. Even considering our Domain rules try and force them to have something decent.

Domain rules?! Oh, instead of Spring06, I'll use Summer06. Guess what's next! Guess where I wrote my password down? Under the keyboard! No one will ever look there...
 
Software I designed 5 years ago already has this functionality, now I feel like a visionary ;).

It's been around for a long time. I have no idea why people haven't been implementing it...
 
omit the top 10 crappy passwords, then the next 10 become the top.

Making something idiot proof just makes better idiots
 
It's just a text field regex, right? I mean, we've been capable of these since how long now? What decade is this?
 
omit the top 10 crappy passwords, then the next 10 become the top.

Making something idiot proof just makes better idiots

I remember when a dear old friend of the family got herself a personal confuser and set her password(s) up. A year later she still couldn't get into her mail.. thing (Can't remember which it was). Her password was "123456" but it wouldn't work.

She finally asked me to look at it, it took me less than five minutes to find her password, she wrote it down "123456". Through the power of deduction and the troubleshooters guide to stupid solutions I tried "!23456" because a proper lady would always capitalise that first letter. Complete success.
 
Domain rules?! Oh, instead of Spring06, I'll use Summer06. Guess what's next! Guess where I wrote my password down? Under the keyboard! No one will ever look there...

Thing is....We live in an era where every goddamn website and service and workplace tool or workstation has a password. EVERY F'ING ONE. All have their unique-snowflake requirements.

Can you fault people for writing them down? Because when you have a banking password, a facebook login, 2 email logins, your workstation login, your work payroll login, your student loan provider login, your electrical utility login, your water bill login, your DMV login, your home computer login, your XBOX login, your OneDrive login....and so on... It gets really impossible for one busy adult human being to keep track of 20+ usernames and passwords all while keeping them all unique and hard to brute force. Basically impossible short of using a password service, or a notebook writing them all down.

And then add in one unique set of password requirements for each...and they all have rolling expirations between 90 days and a year.


The password was and is, quite simply, the worst idea in data security widely implemented. Users "bad habits" are simply symptomatic of the larger issues.
 
Thing is....We live in an era where every goddamn website and service and workplace tool or workstation has a password. EVERY F'ING ONE. All have their unique-snowflake requirements.

Can you fault people for writing them down? Because when you have a banking password, a facebook login, 2 email logins, your workstation login, your work payroll login, your student loan provider login, your electrical utility login, your water bill login, your DMV login, your home computer login, your XBOX login, your OneDrive login....and so on... It gets really impossible for one busy adult human being to keep track of 20+ usernames and passwords all while keeping them all unique and hard to brute force. Basically impossible short of using a password service, or a notebook writing them all down.

And then add in one unique set of password requirements for each...and they all have rolling expirations between 90 days and a year.


The password was and is, quite simply, the worst idea in data security widely implemented. Users "bad habits" are simply symptomatic of the larger issues.

Definitely not wrong at all there. Just how secure is a password when everyone knows it/easily guessed/written down? It's not a lock, it's a door knob. Tiny amount of work to open the door.

It is a symptom of a larger problem, though, as you said.
 
Definitely not wrong at all there. Just how secure is a password when everyone knows it/easily guessed/written down? It's not a lock, it's a door knob. Tiny amount of work to open the door.

It is a symptom of a larger problem, though, as you said.

At my workplace passwords have gotten nearly impossible to come up with a new one. Honestly.

1) Only 6-12 characters
2) Must contain caps AND lowercase AND numbers AND symbols
3) Cannot share 3-consecutive-characters with any of 5 previous passwords

With those "simple" rules, most users find themselves in a position where they cannot remember their password regularly. Then they have to scratch their head remembering their answers to "security questions", I always hesitate was my first car a "Mazda" or "mazda". Being a tiny kid at the time I honestly cannot remember my first pet's name. And ofc I have to pseudo-guess all 3 personal bio questions correctly.........and further when they're told to come up with a new one it takes them at least 30 minutes to an hour to change it....because they keep getting flagged on Rule #3.
 
At my workplace passwords have gotten nearly impossible to come up with a new one. Honestly.

1) Only 6-12 characters
2) Must contain caps AND lowercase AND numbers AND symbols
3) Cannot share 3-consecutive-characters with any of 5 previous passwords

With those "simple" rules, most users find themselves in a position where they cannot remember their password regularly. Then they have to scratch their head remembering their answers to "security questions", I always hesitate was my first car a "Mazda" or "mazda". Being a tiny kid at the time I honestly cannot remember my first pet's name. And ofc I have to pseudo-guess all 3 personal bio questions correctly.........and further when they're told to come up with a new one it takes them at least 30 minutes to an hour to change it....because they keep getting flagged on Rule #3.
How can they even verify rule number 3 unless they are storing the actual passwords (even if encrypted) instead of a password hash? That's basically asking hackers to come in and steal several versions of everyone's passwords.
 
At my workplace passwords have gotten nearly impossible to come up with a new one. Honestly.

1) Only 6-12 characters
2) Must contain caps AND lowercase AND numbers AND symbols
3) Cannot share 3-consecutive-characters with any of 5 previous passwords

With those "simple" rules, most users find themselves in a position where they cannot remember their password regularly. Then they have to scratch their head remembering their answers to "security questions", I always hesitate was my first car a "Mazda" or "mazda". Being a tiny kid at the time I honestly cannot remember my first pet's name. And ofc I have to pseudo-guess all 3 personal bio questions correctly.........and further when they're told to come up with a new one it takes them at least 30 minutes to an hour to change it....because they keep getting flagged on Rule #3.

They are basically forcing you to randomly generate + use a password manager and/or paper...

And yes to enforce number 3 they need to keep a plaintext copy, it's not really possible to do it any other way.
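The exchange above separates two different history rules: exact reuse of a previous password, which can be checked against stored hashes, and the poster's rule 3 (no three-character run in common with the last five), which needs the old plaintexts. This added example, not code from any poster or product, shows the hash-only version and why the substring rule cannot be run against it; the PBKDF2 iteration count, history depth and sample passwords are assumed demo values.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; assumed for the demo, tune for production


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of the last `depth` passwords; never the plaintext."""

    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def was_used(self, password: str) -> bool:
        """Exact-reuse check: recompute each stored hash with its own salt."""
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        self._entries = self._entries[-self.depth:]  # keep only the newest `depth`


def change_password(history: PasswordHistory, new_password: str) -> bool:
    """Apply the hash-only history rule; returns True if the change is accepted."""
    if history.was_used(new_password):
        return False
    history.record(new_password)
    return True


def shares_consecutive_run(a: str, b: str, n: int = 3) -> bool:
    """The poster's rule 3, written against two plaintexts.

    It needs both strings in the clear, which is exactly why it cannot be
    evaluated against the hash-only history above.
    """
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


if __name__ == "__main__":
    history = PasswordHistory(depth=5)
    print(change_password(history, "Spring06!"))   # accepted
    print(change_password(history, "Spring06!"))   # rejected: exact reuse
    print(change_password(history, "Summer06!"))   # accepted by the hash check
    print(shares_consecutive_run("Spring06!", "Summer06!"))  # rule 3 would reject
```

The practical consequence matches the thread: "Summer06!" sails through a hash-based history because only exact reuse is detectable, and any system that really enforces rule 3 across five generations is holding something reversible for each of them.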
 
What is maddening and hilarious at the same time is the number of sites that force you to use an email address as your user account name and then force you to leap through weird and bizarre password requirements "Because we value your security." Since email addresses by definition are public knowledge, such sites have already compromised that 'valued security'. Even a password of 123456 is fairly secure if the matching user account name is not publicly known.

I am up to page number 3 on my typed and handwritten list of user names and passwords. More than half the sites force use of email address as user account name. Retail sites are especially bad about this.
 
Maybe Microsoft can also remove the stupid 16 character password limit that most banks still use. That isn't helping one bit since most people don't use random password generators.
 
Dealing with customers on a daily basis, it is funny to me how some people get *very* uppity (read: holy hell pissed off) when I install something like Office 2013 for them and when I try to setup a Microsoft-tagged account for them they have to use a strong password. 99% of the time their typical passwords are pretty weaksauce strength and they get pissed (at me) for having to come up with and remember yet another password, blah blah. Almost without fail I get an earful. Thankless damn job sometimes. :(
 
Domain rules?! Oh, instead of Spring06, I'll use Summer06. Guess what's next! Guess where I wrote my password down? Under the keyboard! No one will ever look there...

Yes, this sort of crap is exactly what I mean.
 
At my workplace passwords have gotten nearly impossible to come up with a new one. Honestly.

1) Only 6-12 characters
2) Must contain caps AND lowercase AND numbers AND symbols
3) Cannot share 3-consecutive-characters with any of 5 previous passwords

With those "simple" rules, most users find themselves in a position where they cannot remember their password regularly. Then they have to scratch their head remembering their answers to "security questions", I always hesitate was my first car a "Mazda" or "mazda". Being a tiny kid at the time I honestly cannot remember my first pet's name. And ofc I have to pseudo-guess all 3 personal bio questions correctly.........and further when they're told to come up with a new one it takes them at least 30 minutes to an hour to change it....because they keep getting flagged on Rule #3.

My company isn't that bad, but it has something similar in place... with some hilarious loopholes as I am able to essentially just put 1-2 word(s) in with an exclamation point at the end if I wanted to. Then on subsequent passwords, I can keep adding exclamation points until it starts getting bothersome... and then I switch to a new word. I don't do that for passwords anywhere else, just my work password, as a bit of a middle finger. They're also usually expletives cussing out the people that make me do this crap. If someone has a plaintext storage of my past passwords, I'm kind of screwed if they ever decided to look through it... hahaha... not kidding seriously...

But yeah, passwords do suck. I don't write mine down anywhere and somehow tend to remember any passwords I might use anywhere (a bit of a chore because my memory sucks). I often have to flip through all my known passwords for a bit if it's a site I haven't visited in a while, though... it really does suck
 
I use a password manager (KeePass is nice, I'm using 1Password now as it supports my platforms better). I showed this to a secretary I work with and got her using it. She's not the most technical person (!!), but she now uses one everyday.
When I got married, found out my wife has a simple password and used it on every site. I converted her to a password manager.
Still, passwords suck. It's a pain to use a password manager. A biometric authentication probably makes more sense. I don't know if this is fingerprints, facial recognition (Windows 10 supports this - from what I've read, you can't use a picture to fool it), etc. I use my fingerprint on my phone (iPhone) and find it works well enough.
I know there are compromises with these systems. However, the alternative is people use stupid passwords like TrustNo1 and/or writing them on PostIt notes under the keyboard.
 
Why can we just use a pass phrase instead of passwords? Do something like "tHed)gr@n@way".
 
We live in a time where facial recognition software is insanely good... no passwords necessary :) of course if you got hit by a big Mack truck and you were in the hospital bed trying to access your email.... maybe not so good
 
I am a fan of requiring to switch keyboard layout to input the password. Not only does that make the end result much less recognisable, it also allows easily remembered words/keyboard patterns to be memorised.

Too bad it still can't defeat anyone poaching as you type it, but at least by switching to another keyboard layout in the system (not your physical one), you add another layer of security.

Or am I too naive...?
 
It's a good move to protect the privacy. And it's highly recommended to use complex password combinations for important accounts.
 
Password security becomes a joke when you can't remember it.


E.g. 'ILove[H]ardOCP69' is a far more secure and easier remembered password (that won't be written on the monitor) than some bs like B01e_192-x or whatever some of the nazi password regimes force.
When your users can't remember it, or you need a password manager, that becomes an additional security hole.

01Ilikeducks87 is far easier to remember and just as secure when compared to most of the alphanumeric symbol bullshit requirements out there. Have fun brute forcing that one.
 
At my workplace passwords have gotten nearly impossible to come up with a new one. Honestly.

1) Only 6-12 characters
2) Must contain caps AND lowercase AND numbers AND symbols
3) Cannot share 3-consecutive-characters with any of 5 previous passwords

With those "simple" rules, most users find themselves in a position where they cannot remember their password regularly. Then they have to scratch their head remembering their answers to "security questions", I always hesitate was my first car a "Mazda" or "mazda". Being a tiny kid at the time I honestly cannot remember my first pet's name. And ofc I have to pseudo-guess all 3 personal bio questions correctly.........and further when they're told to come up with a new one it takes them at least 30 minutes to an hour to change it....because they keep getting flagged on Rule #3.
I used to have to access a specific database for work, and it required a complicated password:

1. Minimum 18 characters
2. Four uppercase
3. Four lowercase
4. Four numerals
5. Four special characters
6. Password resets every 60 days

So whoever thought up this great idea surely thought they were doing a great service by mandating complicated passwords. In practice, the passwords were so unwieldy that:

1. It encouraged users to write them down
2. Encouraged password sharing when we'd inevitably get locked out (we could just log each other in to get work done)
3. Encouraged users to adopt "patterns" on the keyboard that are easy to remember (and for others to copy)
4. The patterns would just have to be shifted over one place when password reset time came around

What a cluster...
 
Because the theft of Password databases, the #1 problem, will be stopped by getting rid of bad passwords. Err... not so much. In a way it does, the password databases are hashed so they have to be brute-force cracked. You can force a delay before they flood the internet with passwords, but that delay will shrink with better technology over time. The real problem is shit security on those databases and shitty hashing practices. But this feels like blame theater.

Reminds me of my workplace. Someone got the network drives infected and we have all the computers switched on to autoplay including the network drives. So there was widespread re-infection for days they didn't understand, so they blamed additional USB drive use because they had those switched on for autoplay too. A local IT guy figured it out and blocked the autoplay of connecting network drives and we were good, he phoned in what he found. But the official word was to blame the constant re-infection on the USB drives, so USB drives were banned. This in a place where we generate up to 5 Gb of data in a single test. There's absolutely no reason for us to have autoplay by default. That is the real problem. They still have it on by default.
 
At my workplace passwords have gotten nearly impossible to come up with a new one. Honestly.

1) Only 6-12 characters
2) Must contain caps AND lowercase AND numbers AND symbols
3) Cannot share 3-consecutive-characters with any of 5 previous passwords

With those "simple" rules, most users find themselves in a position where they cannot remember their password regularly. Then they have to scratch their head remembering their answers to "security questions", I always hesitate was my first car a "Mazda" or "mazda". Being a tiny kid at the time I honestly cannot remember my first pet's name. And ofc I have to pseudo-guess all 3 personal bio questions correctly.........and further when they're told to come up with a new one it takes them at least 30 minutes to an hour to change it....because they keep getting flagged on Rule #3.

And your post shows the second major flaw with passwords today. Horrible selection of recovery questions. Friends and family will also know a good number of those answers also for us older people. For the younger generation those are probably out on MySpace or facebook now from their parents posting pictures of them.
 
I personally like a method that I came across on some site for selecting passwords in a way that allows for them to be secure while also allowing for a list to be kept that is meaningless to anyone other than you.

Come up with a phrase such as "<insert name> is my <insert relation> and was born on <insert date of birth> in the state of <insert state of birth>!"
Fill in a person "John Smith is my grandpa and was born on July 4 1902 in the state of New York!"
For your password make it the first letter of every word and any numbers or symbols -> JSimgawboJ41902itsoNY!
That is a nice long password with your upper case, lower case, etc

If you need a list you can just have something written down such as bank - dad and you would know the rest to fill in. If somebody else found a list that says work - mom, bank - dad, email - grandma that isn't going to make much sense to them nor would they know what your phrase is that you are using to make use of that info. And since you are using the same basic format for all passwords it becomes easier to remember, you just need to know what person you are associating with that password because you aren't trying to remember JSimgawboJ41902itsoNY! but instead remember "John Smith is my grandpa and was born on July 4 1902 in the state of New York!" that is easier to remember.
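The derivation the post describes is mechanical enough to write down: expand a fixed template for one person, then keep the first letter of every word plus every digit and symbol. The code below is an added example that reproduces that transformation on the post's own sample phrase; it is not the poster's code, and the template string, the `PEOPLE` table and the `password_for` helper are constructed for the demo.

```python
# Template and people are constructed demo values, not the poster's real data.
TEMPLATE = "{name} is my {relation} and was born on {dob} in the state of {state}!"

PEOPLE = {
    "grandpa": {"name": "John Smith", "dob": "July 4 1902", "state": "New York"},
}


def phrase_to_password(phrase: str) -> str:
    """First letter of each word, plus every digit or symbol, in the order they appear."""
    out = []
    for word in phrase.split():
        if word[0].isalpha():
            out.append(word[0])   # initial letter keeps its case ("John" -> "J")
            word = word[1:]
        # digits and punctuation survive wholesale ("1902", "York!" -> "Y!")
        out.extend(ch for ch in word if not ch.isalpha())
    return "".join(out)


def password_for(relation: str, people=PEOPLE, template=TEMPLATE) -> str:
    """Expand the template for one person (the 'bank - dad' lookup) and derive the password."""
    person = people[relation]
    phrase = template.format(relation=relation, **person)
    return phrase_to_password(phrase)


if __name__ == "__main__":
    print(password_for("grandpa"))  # JSimgawboJ41902itsoNY!
```

Running it on the post's phrase gives exactly the string the poster shows, which is the whole appeal of the scheme: the list entry names the person, the template is fixed, and the derivation is deterministic, so nothing on the list is the password itself.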
 
easy passwords don't piss me off as much as dumb limitations, changing every 3 months seems pointless to me. can't have a password more than 12? 15? 18 characters? why?
 
I used to use something like 11111111afewwords11111111, which worked for most things until they started requiring special characters and such, now they end up getting written down in a book next to my laptop because as said every damn site wants a unique password. Most times I hit forgot password and then use that for sites I end up visiting once every 6 months or so.
 
1. Must be at least 37 characters long.
2. Must contain at least 7 numbers, whose sum must be divisible by 14.
3. Must contain at least 2 characters from the Sumerian alphabet.
4. Must contain at least 1 accepted gender pronoun, but it has to be spelled backwards.

And we will gladly keep all this information in a plain text file on an unsecured server with all ports set to open.....cause it needs to be convenient for maintenance purposes.
 
easy passwords don't piss me off as much as dumb limitations, changing every 3 months seems pointless to me. can't have a password more than 12? 15? 18 characters? why?

Change every 3 months really isn't that stupid. It is to limit how long a person has to break your password and for it to be useful to them even if they did break it.
 
I hate this shit. I've got 3 passwords that I've used forever and never had a problem. Now every site I go to needs one and they've all got their own special requirements and those special requirements make it just about impossible to actually remember it so you have to write it down which is cool if you do everything from your desk but people like me that do most of their business on their phones, it's a pain. I don't understand why I can't use the password I want? State Farm is the worst. Not only do they have special requirements but they make you change your password every so often and you can't use one that you've used recently.
 
Enforcing a 15 second delay between password entry attempts would dissuade most brute force attempts. By my calculations, with the delay and a 4 character alphanumeric password (uppercase, lowercase, and numbers), it would take about 7 years to get through all the permutations. 5 characters is over 436 years, and so on.
 
Horrible selection of recovery questions.
They just need to make it more personal. Questions nobody else knows the answer to are easy to come up with. 1. How much of the dick did you get in, during your first blowjob?/giving your first blowjob? (covers men and women, for lesbians the answer might be 'none'). 2 Have you ever fantasized about or had anal sex? Giving or receiving? 3. What came out first, the first time you barfed from drinking too much? 4.The first time you masturbated, who were you thinking about? 5. Who is the last person you spit on? 6. Who was the last person you wanted to spit on? 7. Did you ever pee/poop on someone? Who? If many, the last one. 8. And so on. You get the idea. Few of these answers, if any, would be widely known about the person. And they don't have to be written down to remember.

Same with usernames.

Have to wonder how many users now use G4TESuxbig1! (or something like it) as their new password. That's easy to remember.
 
Change every 3 months really isn't that stupid. It is to limit how long a person has to break your password and for it to be useful to them even if they did break it.
3 months of trying is already an extremely long time, with that length of time, the period before change seems pointless to me. A 15 second delay like someone else suggested is much better.
 
They just need to make it more personal. Questions nobody else knows the answer to are easy to come up with.

I have a word that I have chosen and I just pick any random "safety question" and put that word. It's a word that makes no sense for the question. I use it for every one of those damn recovery questions.

Of if it makes me choose multiple, I'll combine my word with the subject of the question.

Q: What was the name of your first dog?
A: Russiadog
 
They just need to make it more personal. Questions nobody else knows the answer to are easy to come up with. 1. How much of the dick did you get in, during your first blowjob?/giving your first blowjob?

Well which one is it? That's not a very good question. Some people might have an answer for both. I mean not me of course.....one of my friends maybe.....well not one of my friends but somebody else's.....you know what just nevermind.
 
They just need to make it more personal. Questions nobody else knows the answer to are easy to come up with. 1. How much of the dick did you get in, during your first blowjob?/giving your first blowjob? (covers men and women, for lesbians the answer might be 'none'). 2 Have you ever fantasized about or had anal sex? Giving or receiving? 3. What came out first, the first time you barfed from drinking too much? 4.The first time you masturbated, who were you thinking about? 5. Who is the last person you spit on? 6. Who was the last person you wanted to spit on? 7. Did you ever pee/poop on someone? Who? If many, the last one. 8. And so on. You get the idea. Few of these answers, if any, would be widely known about the person. And they don't have to be written down to remember.

Same with usernames.

Have to wonder how many users now use G4TESuxbig1! (or something like it) as their new password. That's easy to remember.

I actually used some questions of that nature with our customer facing site. Not exactly the same ones you have there but ones of that line of thinking. Think something along the line of in what city was your first kiss. Who has owed you the most amount of money but never paid you back. What grade was the first teacher you truly hated. Think there might have been a question about where did you first have sex. Who was the first person you had a sexual crush on. Had to leave the normal stupid questions in there as people in the office couldn't believe I would put so personal of questions into our system for password recovery. Although as I asked them isn't that the point of the questions? To be something that only you would know.

3 months of trying is already an extremely long time, with that length of time, the period before change seems pointless to me. A 15 second delay like someone else suggested is much better.

You are incorrectly thinking that is to stop somebody from spending 3 months trying to crack your password. That isn't really the point. That is only a small part of it. The real point is how long is that password good for the person. Let's assume we are talking about something that you log into daily or pretty close to daily like your work network or email or something like that. Say you have to change your password every 90 days. On day 85 somebody steals the password database and starts working at brute forcing all passwords. They get your password 7 days later. By that point your password is no longer valid and you have changed it. So them having your password does no good. Taking this a little further, somebody steals a password file, brute forces all accounts then turns around and sells the information a few weeks later. You would have some passwords already expired and changed during that time frame of them getting the file and selling it so those people are now protected there. Then you have the time between when the buyer gets the list and gets around to trying all the accounts. You are cutting down the amount of time that somebody has to get your password file, brute force all the passwords and then make use of your password before you change it on them, not trying to keep somebody from spending 90 days straight trying every password against a server. They would hopefully be locked out long before that and somebody should notice billions upon billions of failed login attempts before then I would hope.

Your method doesn't save anyone after their password is stolen or the password file is stolen.
 