As a result of the 117 million credentials leaked from LinkedIn, Microsoft has taken extra precautions to protect user accounts from being hacked by banning commonly used, easy-to-guess passwords. According to Microsoft, attackers try to break into Microsoft accounts by guessing passwords upwards of 10 million times a day.
In a blog post from Microsoft’s security team, Alex Weinert writes, “When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them.”
Various strategies have been adopted over recent years to protect user accounts, such as requiring passwords to be a certain length, but they have done little to stop breaches, since attackers keep up with these changes and adjust their methods accordingly.
Microsoft says that minimum-length rules often don’t help because when people are given a minimum length, most of them pick a password of exactly that length. For example, common passwords chosen under a 16-character minimum are “fourfourfourfour” and “passwordpassword”.
In a recent white paper on passwords, Microsoft cybersecurity expert Robyn Hicock says complex passwords don’t work very well either as “Most people use similar patterns (i.e. capital letter in the first position, a symbol in the last, and a number in the last 2). Cyber criminals know this, so they run their dictionary attacks using the common substitutions, such as ‘$’ for ‘s’, ‘@’ for ‘a’, ‘1’ for ‘l’ and so on.”
From now on, users who try to change their Outlook or Xbox Live password to “123456”, “login”, “password”, or “welcome” will not be able to do so.
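The three preceding paragraphs describe why a banned-password check has to look past the literal string: the same weak word comes back with a capital first letter, a digit and a symbol appended, letters swapped for look-alike symbols, or repeated to pad out a minimum length. The following is an added example, not Microsoft's code and not the list it actually uses; the banned words are a constructed sample (the four the article names plus a few for illustration), and the substitution table extends the “$”, “@” and “1” mappings quoted above with “0” for “o” and “3” for “e”, which are assumptions.

```python
import re

# Constructed sample list. Microsoft's real banned-password list is not published on the page.
BANNED_PASSWORDS = {"123456", "login", "password", "welcome", "qwerty", "letmein"}

# Reverse the common substitutions so that the check sees the underlying word.
# "$"->"s", "@"->"a" and "1"->"l" are the ones the white paper names;
# "0"->"o" and "3"->"e" are added here as assumptions.
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e"})


def normalize(password: str) -> str:
    """Undo the predictable decorations: lower-case (capital in the first position),
    drop a trailing run of digits/symbols (symbol last, number in the last two),
    then map common symbol-for-letter substitutions back to letters."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)
    return core.translate(SUBSTITUTIONS)


def smallest_repeating_unit(s: str) -> str:
    """Return the shortest u such that s == u * k. Returns s itself if it does not repeat."""
    n = len(s)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and s[:size] * (n // size) == s:
            return s[:size]
    return s


def check(password: str, banned=BANNED_PASSWORDS):
    """Return None if the password passes, otherwise a short reason for rejecting it."""
    if password.lower() in banned:
        return "banned word"
    core = normalize(password)
    if core in banned:
        return "banned word after undoing common substitutions"
    unit = smallest_repeating_unit(core)
    if unit and unit != core:
        return f"repeats {unit!r} {len(core) // len(unit)} times"
    return None


if __name__ == "__main__":
    for candidate in ["123456", "P@$$w0rd1!", "passwordpassword",
                      "fourfourfourfour", "Welcome1!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check(candidate) or 'ok'}")
```

The point of the normalization step is that a plain string comparison against a banned list would accept “P@$$w0rd1!”, which is exactly the variant a substitution-aware dictionary attack tries first; a length-only rule would accept “fourfourfourfour”. Neither check replaces the advice that a password be unique to the site; it only removes the candidates that are already known to attackers.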
The best advice is to choose a unique password for each website and service rather than reusing the same one across them.