Microsoft Attempts to Blacklist Common Passwords

We have all seen on the news and social media lately that approximately 117 million LinkedIn usernames and passwords are being sold on the TheRealDeal marketplace for 5 bitcoins (about $2,200 USD). What most of us don’t know is that the LinkedIn hack occurred back in 2012 and the hacker, known as Peace, is only now bringing it to the media’s attention. From this data breach, we have learned which passwords are used most often among LinkedIn users. The bottom line is that users are not making smart password choices, and the password policy settings are not strict enough to guide users in the right direction. Combined with LinkedIn’s decision to hash with SHA1 and no salt (not an internet standard), this made the site a perfect target for a hacker.

Looking at this from a CIO’s or CSO’s perspective at a company, you can’t blame an employee for selecting a weak password if there are no warnings to tell the person that it is not a secure password. It is the company’s responsibility to effectively enforce a secure password policy and ensure its users are selecting strong passwords. This can be done through continuous employee education or by implementing software, such as a password filter, that polices employee passwords for you. Employee education is time-consuming and costly with no real benefit; without a password filter there is no way to make sure employees are actually following the company’s written password policy.

Here is a list of the top 20 most commonly used LinkedIn passwords with their frequency:

[Image in the original post: table of the top 20 LinkedIn passwords with their frequency; not reproduced here.]

With all of this data surfacing, Microsoft has decided to ban easy-to-guess passwords on the Microsoft Account service and Azure Active Directory, but on none of its other platforms. Ars Technica states: “Blacklisting weak passwords at the platform level is probably one of the most effective measures service providers can take to improve passcode strength.” This is 100% correct! But Microsoft is not completely blacklisting weak passwords. This article shows how Pa$$w0rd1 is still allowed under Microsoft’s new attempt to strengthen its security measures. Many times, users think that changing the letter ‘s’ to a ‘$’ makes a password more secure. However, it does not! Hackers know these common tricks and already account for letter-to-symbol substitutions when attacking a company’s network.

For password blacklisting to be effective, all common variations of a blacklisted password need to be included as well. For example, since “password” is a common password, the following should also be blacklisted: pa$sword, pa$$word, passw0rd (using a zero for the letter ‘o’), password1, password1234, password1!, and many more. Also, the blacklist file (also known as a dictionary file) should be customizable for each company. For example, if a company is called ABC Laptops, then the dictionary file might also need to contain words from the technology industry that hackers know are common terminology for the employees. These industry-specific terms have a higher probability of being used because employees think they are secure, since they are terms just for their industry. Microsoft’s attempt to create a blacklisted password list on a select few of its programs is a great attempt, but it is just that – an attempt.
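As an added illustration of the filter the post calls for (this is example code written for this page, not Microsoft’s filter or any vendor’s product), the following Python checks a candidate password against a base dictionary plus a company-specific dictionary, after undoing the letter-to-symbol tricks and stripping the digits and punctuation users tack on. The dictionaries, the “ABC Laptops” terms and the substitution table are constructed for the example; a real deployment would load a large wordlist and its own company terms.

```python
import itertools
import string

# Constructed sample data: a tiny base dictionary standing in for a real one
# (e.g. the LinkedIn top-20 list from the post plus a public wordlist).
BASE_DICTIONARY = {"password", "linkedin", "123456", "qwerty", "welcome", "letmein"}

# Constructed company-specific terms for the hypothetical company "ABC Laptops":
# the kind of industry jargon the post says should be added per company.
COMPANY_DICTIONARY = {"abclaptops", "laptops", "notebook", "ultrabook"}

# Letter-to-symbol substitutions users rely on (the '$' for 's' and '0' for 'o'
# tricks from the post), mapped back to the letters they stand for. Ambiguous
# symbols map to several letters; the character itself is always kept as well.
SUBSTITUTIONS = {
    "$": "s", "5": "s", "0": "o", "1": "il", "!": "il", "|": "il",
    "3": "e", "4": "a", "@": "a", "7": "t", "+": "t", "8": "b", "9": "g",
}

MAX_CANDIDATES = 4096  # bound on the expansion of ambiguous substitutions
STRIP_CHARS = string.digits + string.punctuation


def undo_substitutions(password):
    """Yield every spelling the password could be a leet-style disguise of."""
    alternatives = [ch + SUBSTITUTIONS.get(ch, "") for ch in password.lower()]
    product = itertools.product(*alternatives)
    for combo in itertools.islice(product, MAX_CANDIDATES):
        yield "".join(combo)


def normal_forms(password):
    """All forms compared against the dictionary: lower-cased, de-leeted, and
    with leading/trailing digits and punctuation removed, so that password1,
    password1234 and password1! all reduce to 'password'."""
    forms = set()
    for candidate in undo_substitutions(password):
        forms.add(candidate)
        stripped = candidate.strip(STRIP_CHARS)
        if stripped:
            forms.add(stripped)
    return forms


def check_password(password, dictionary=None):
    """Return the dictionary word the password is a variation of, or None if it
    passes. The dictionary defaults to the base list plus the company list.
    Length and other policy rules are a separate check, not handled here."""
    if dictionary is None:
        dictionary = BASE_DICTIONARY | COMPANY_DICTIONARY
    forms = normal_forms(password)
    for word in sorted(dictionary, key=len, reverse=True):
        if word in forms:
            return word
        # Longer words are also rejected when embedded (mypassword2016 -> password).
        if len(word) >= 6 and any(word in form for form in forms):
            return word
    return None


if __name__ == "__main__":
    for sample in ["Pa$$w0rd1", "password1234", "ABCLaptops2016!", "Tr0ub4dor&3"]:
        hit = check_password(sample)
        print(f"{sample!r}: {'rejected (' + hit + ')' if hit else 'allowed'}")
```

With this filter, Pa$$w0rd1 is rejected because it normalises to “password”, and ABCLaptops2016! is rejected because the company dictionary catches the stripped form. The substitution table is deliberately small and the candidate expansion is capped, so the check stays cheap even for long inputs; the trade-off is that exotic substitutions the table does not list will slip through, which is why the dictionary itself still needs the explicit variants the post lists.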