Microsoft bans most common passwords in attempt to keep its users safe

The site calls the feature ‘dynamic banning’ and it is supposed to solve the biggest problem with passwords

Andrew Griffin
Thursday 26 May 2016 15:17
The National Cyber Crime Unit has revealed that some hackers are offering ‘cybercrime as a service’, and have created a marketplace where gangs can bid for targets to be attacked

Microsoft is going to ban its customers' most-used passwords.

The company is going to start “dynamically banning” the passwords that attackers most often use to try to break into accounts, in an attempt to keep its users safe.

A huge and worrying proportion of people pick passwords from a relatively short list – things like 123456, or the word password. Doing so makes it far easier for attackers to break into those people’s accounts, and so Microsoft is going to stop people from choosing them.

The company made the announcement after the revelation that 117 million LinkedIn accounts had been made available for sale on the internet. It said that such breach data can prove useful to those looking to protect accounts as well as to cybercriminals, since it provides a way of learning which passwords are most used.

“When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly,” wrote Microsoft’s Alex Weinert. “Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them.

“What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work.”

Microsoft sees 10 million attacks on people’s accounts every day. That means that it can build a list of the passwords that people are trying on those accounts, and it can be “dynamically updated” so that it always has the most recently used passwords.

“We then use that list to prevent you from selecting a commonly used password or one that is similar,” writes Mr Weinert.

That should make it far harder for hackers and cybercriminals to break into accounts by simply guessing the password a person has used.
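The mechanism described above, as an added illustration that is not Microsoft’s code: count the passwords seen in failed sign-in attempts, keep the most frequent ones as the ban list, and reject a user’s chosen password if it, or a cosmetic variant of it, is on that list. The attempt log is constructed sample data, and the notion of “similar” used here (case-folding, undoing common leet substitutions, dropping trailing digits and symbols) is an assumption about what such a check might do, not a description of Microsoft’s actual rules.

```python
from collections import Counter
import re

# Constructed sample of passwords tried in failed sign-in attempts.
# A real system would feed this from authentication telemetry.
OBSERVED_ATTEMPTS = [
    "123456", "password", "Password1", "123456", "qwerty", "p@ssw0rd",
    "letmein", "123456", "password", "P@ssword!", "qwerty123", "iloveyou",
    "password", "123456789", "abc123", "qwerty", "123456", "welcome1",
]

# Reverse common "leet" substitutions so p@ssw0rd and Password collapse
# to the same token. Which substitutions count is an assumption.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Collapse cosmetic variations so 'similar' passwords compare equal."""
    p = password.lower()
    if p.isdigit():
        # Purely numeric passwords such as 123456 are kept verbatim.
        return p
    # Drop trailing digits/symbols: "welcome1" -> "welcome", "qwerty123!" -> "qwerty".
    p = re.sub(r"[\W\d_]+$", "", p)
    return p.translate(_LEET)


def build_ban_list(attempts, top_n: int = 3) -> set:
    """Rank the passwords seen most often in attack traffic and return the top N.

    Re-running this on fresh telemetry is the 'dynamic' part of dynamic banning:
    the list follows whatever attackers are currently trying.
    """
    counts = Counter(normalize(a) for a in attempts)
    return {pw for pw, _ in counts.most_common(top_n)}


def is_banned(candidate: str, ban_list: set) -> bool:
    """Reject a chosen password if it, or a cosmetic variant of it, is banned."""
    return normalize(candidate) in ban_list


def check_password(candidate: str, attempts=OBSERVED_ATTEMPTS) -> str:
    """Return a verdict string for a password a user is trying to set."""
    ban_list = build_ban_list(attempts)
    if is_banned(candidate, ban_list):
        return "rejected: too close to a commonly attacked password"
    return "accepted"


if __name__ == "__main__":
    print("ban list:", build_ban_list(OBSERVED_ATTEMPTS))
    for pw in ["P@ssw0rd2016!", "qwerty99", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```

Because the list is rebuilt from the most recent attempts rather than fixed at deployment time, a password that attackers start guessing next month is rejected next month without anyone editing a static dictionary.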

The proportion of people using easy-to-guess passwords has been repeatedly highlighted in reports listing the most commonly used logins. Because of that and other security problems, some companies, such as Google, want to get rid of passwords entirely and use other, more secure options like biometric data.
