Microsoft to admins: don’t demand long, complex and frequently changed passwords

Microsoft has warned IT admins against policies that require passwords that are too long, demand multiple character sets, and force users to change them frequently.

Thanks to old password management practices hammered into IT admins over decades, it is still common for organisations to force users to change their passwords frequently and to require that passwords be lengthy and complex. These policies made sense in theory. If a password was compromised, a forced change would limit the time an attacker could keep using it, while complexity requirements would make it harder for attackers to guess the password with a dictionary-based offline attack.

But as Microsoft’s Identity Protection Team outlines in its new password guidance, approaches that aimed to make identity systems more resilient by pushing people to pick many different, hard-to-guess passwords have actually made organisations weaker, because of how people respond to those policies.

Examples include the user who complies with a 10-character minimum by picking “passwordpassword”, or who appends a digit to the current password when a change is enforced.

So while admins may scoff at end-users for security failings, Microsoft’s new password document highlights that policies emanating from the IT department are part of the problem too, since they encourage users to pick passwords that are compliant but, once an attacker holds an older password from a breach, highly predictable.

Microsoft wants to break three key “anti-patterns”: password rules that were meant to discourage bad password practices but backfire, so that admins stop unintentionally undermining their organisation’s security.

First, Microsoft now warns admins against requiring passwords longer than 10 characters, because users under such a policy tend to pick passwords that are easy to remember but also easy to guess. “passwordpassword” is an example of a compliant password. Microsoft’s research has also found that long-length requirements increase the chances users will write passwords down, re-use them, or store them in cleartext documents on PCs or in the cloud.

Admins should instead focus on encouraging users to select unique passwords, which means keeping the minimum length reasonable rather than long.

“To encourage users to think about a unique password, we recommend keeping a reasonable 8-character minimum length requirement, but this is subservient to our guidance to ban common passwords,” Microsoft said.

Second, requiring users to include non-alphanumeric characters such as “$” or “%”, and forcing a blend of these with digits and lower- and upper-case letters, is a bad idea.

“Most people use similar patterns (i.e. capital letter in the first position, a symbol in the last, and a number in the last 2). Cyber criminals know this, so they run their dictionary attacks using the common substitutions, such as "$" for "s", "@" for "a," "1" for "l" and so on,” Microsoft said.

Perhaps the worst password policy is forcing users to change passwords frequently, since this encourages users to pick predictable passwords and to increment trailing words and numbers. So if a password like “password1” is compromised today, and the user is forced to change it in 60 days, there is a high chance an attacker guessing “password2” will succeed.

“Password change offers no containment benefits [and] cyber criminals almost always use credentials as soon as they compromise them,” Microsoft said.

The UK’s CESG recently outlined the problems with forcing regular password changes, and warned that attackers can exploit the fact that users tend to pick similar passwords to the old one.

“Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget,” CESG said.

Microsoft is also encouraging IT admins to keep doing the things that work, such as stamping out commonly used passwords. Admins can draw on publicly leaked password databases, which repeatedly reveal the same bad choices, such as 123456, password, and qwerty.
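The checks implied by the guidance above (a modest minimum length, banning common passwords, undoing the leet substitutions attackers try, catching repeated patterns like “passwordpassword”, and rejecting a new password that differs from the old one only by a trailing digit) can be combined into one policy routine. The following is an added Python example written for this page; it is not Microsoft’s code or anything from the guidance document, and its banned-password list, substitution table and function names are constructed for illustration (a real deployment would load a breached-password corpus).

```python
"""Password-policy checks following the guidance discussed in the article.

Added example, not Microsoft's code. The banned list, substitution map and
function names are assumptions made for this illustration.
"""
import re
from typing import List, Optional

# Constructed sample list of banned passwords. A real deployment would use a
# large breached-password corpus rather than a handful of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "iloveyou"}

# Substitutions that attackers undo in dictionary attacks ("$" for "s", "@" for
# "a", "1" for "l", ...). Extended with a few more common ones as an assumption.
SUBSTITUTIONS = str.maketrans({"$": "s", "5": "s", "@": "a", "1": "l",
                               "0": "o", "3": "e", "!": "i"})

MIN_LENGTH = 8  # the "reasonable 8-character minimum" from the guidance


def strip_trailing_junk(password: str) -> str:
    """Drop the trailing digits/symbols users bolt on ('password1!' -> 'password')."""
    return re.sub(r"[^A-Za-z]+$", "", password)


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word an attacker would test.

    Trailing digits/symbols are removed first, then leet substitutions are
    reversed and the result lower-cased, so 'P@$$w0rd1!' becomes 'password'.
    """
    core = strip_trailing_junk(password)
    return core.translate(SUBSTITUTIONS).lower()


def is_repeated_chunk(password: str) -> bool:
    """True if the password is a shorter string repeated to fill the length,
    e.g. 'passwordpassword' or 'fourfourfourfour'."""
    n = len(password)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return True
    return False


def is_trivial_change(old: str, new: str) -> bool:
    """True if the new password differs from the old one only in its trailing
    digits/symbols or letter case ('password1' -> 'password2'), which an
    attacker who holds the old password will guess immediately."""
    return strip_trailing_junk(old).lower() == strip_trailing_junk(new).lower()


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate password is rejected; [] means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(new) in COMMON_PASSWORDS:
        problems.append("matches a banned common password (after undoing substitutions)")
    if is_repeated_chunk(new):
        problems.append("is a repeated pattern")
    if old is not None and is_trivial_change(old, new):
        problems.append("differs from the previous password only in trailing digits/symbols")
    return problems


if __name__ == "__main__":
    # Constructed candidates covering each anti-pattern from the article.
    samples = [
        ("P@$$w0rd1!", None),          # complex-looking, but 'password' once normalized
        ("passwordpassword", None),    # satisfies a long minimum by repetition
        ("password2", "password1"),    # forced change handled by incrementing
        ("correct horse battery staple", None),  # long passphrase, accepted
    ]
    for candidate, previous in samples:
        verdict = check_password(candidate, previous)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that the normalization is deliberately a heuristic aimed at the substitution patterns the guidance quotes; it is meant to feed a banned-list lookup, not to replace a full breached-credential check.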

Admins should also discourage users from reusing the organisation’s passwords on other domains, and also set up systems for “multi-factor registration”, which allow users to provide an alternate email address, phone number, or device through which they can be notified of security events and respond to challenges.

Microsoft stressed that password re-use is not just a theoretical concern, highlighting that it observes some 12 million attempts per day against Microsoft accounts that rely on credentials leaked from other services.

“For Microsoft account, we see hackers testing leaked credentials against our systems at an average of 12M credential pairs every day. It is common practice for cyber criminals to try compromised credentials across many sites. The use of corporate credentials in external sites greatly increases the likelihood that criminals will compromise those credentials and play them back against your organization,” Microsoft said.

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts