Microsoft has warned IT admins against policies that require passwords that are too long, demand multiple character sets, and force users to change them frequently.
Thanks to old password management practices hammered into IT admins over decades, it’s still common for organisations to force users to change their passwords frequently and to require that passwords be lengthy and complex. The policies made sense, too: if a password was compromised, a newly set password would limit the time an attacker could access a system, while password complexity would help prevent attackers from guessing passwords with a dictionary-based method in an offline attack.
But as Microsoft’s Identity Protection Team outlines in its new password guidance, approaches that aimed to make identity systems more resilient by encouraging people to pick many different passwords that were also hard to guess actually made the organisation weaker, because of how people responded to these policies.
Examples include the person who complies with a minimum 10-character password policy by picking “passwordpassword”, or who adds a number to the end of the current password when a password change is enforced.
So while admins may scoff at end users for security failings, Microsoft’s new password document highlights that company policies emanating from the IT department are a source of the problem too, since they encouraged users to pick passwords that were compliant but, in the event of a breach, predictable.
Microsoft wants to break three key “anti-patterns”, password rules intended to discourage bad password practices, so that admins don’t unintentionally undermine their organisation’s security.
First, Microsoft now warns admins against requiring passwords longer than 10 characters, because users under this condition tend to pick easy-to-remember but easy-to-guess passwords. An example of a compliant password is “passwordpassword”. Microsoft research has also found this requirement increases the chances users will write passwords down, re-use them, or store them in clear-text documents on PCs or in the cloud.
Admins should instead focus on encouraging users to select unique passwords, which necessitates keeping them relatively short.
“To encourage users to think about a unique password, we recommend keeping a reasonable 8-character minimum length requirement, but this is subservient to our guidance to ban common passwords,” Microsoft said.
Second, requiring users to pick non-alphanumeric characters such as “$” and “%”, and forcing a blend of these with digits and lower- and upper-case letters, is a bad idea.
“Most people use similar patterns (i.e. capital letter in the first position, a symbol in the last, and a number in the last 2). Cyber criminals know this, so they run their dictionary attacks using the common substitutions, such as "$" for "s", "@" for "a," "1" for "l" and so on,” Microsoft said.
Perhaps the worst password policy is forcing users to change passwords frequently, since this encourages users to pick predictable passwords and to add sequential words and numbers. So if a password like “password1” is compromised today, and the user is forced to change it in 60 days, there’s a high chance an attacker would succeed by guessing “password2”.
“Password change offers no containment benefits [and] cyber criminals almost always use credentials as soon as they compromise them,” Microsoft said.
The UK’s CESG recently outlined the problems with forcing regular password changes, and warned that attackers can exploit the fact that users tend to pick similar passwords to the old one.
“Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget,” CESG said.
Microsoft is also encouraging IT admins to continue supporting things that work, such as stamping out commonly used passwords. Admins could draw on the publicly leaked databases that repeatedly reveal the same bad passwords, such as 123456, password, and qwerty.
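As an added example (not Microsoft’s code or part of its guidance), here is a small Python checker that applies the points above: an 8-character minimum, a banned-password list, and a normalisation step that undoes the “$” for “s”-style substitutions attackers already try and strips the trailing digits and symbols users append on a forced change, so “passwordpassword”, “P@ssword2” and “Qwerty!1” are all rejected as variants of banned words. The banned list is a constructed sample, and the extra substitutions (0 for o, 3 for e, 5 for s) are assumptions beyond the three the article quotes.

```python
import re
from typing import List, Optional

# Constructed sample of a banned-password list. In practice it would be built
# from the publicly leaked databases the article mentions.
BANNED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome"}

# Substitutions attackers already try: "$"->"s", "@"->"a", "1"->"l" are from the
# article; "0"->"o", "3"->"e", "5"->"s" are assumed additions.
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e", "5": "s"})

MIN_LENGTH = 8  # the "reasonable 8-character minimum" from the guidance


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word an attacker would guess it from.

    Lower-cases, strips the trailing run of digits/symbols ("number in the
    last 2", "symbol in the last"), then undoes common substitutions, so
    "P@ssw0rd1!" -> "password". Heuristic: a digit that is part of the word
    itself (e.g. "h3110") is lost if it sits at the end.
    """
    core = re.sub(r"[\W\d_]+$", "", password.lower())
    return core.translate(SUBSTITUTIONS)


def repeated_unit(core: str) -> str:
    """Shortest string whose repetition yields core ("passwordpassword" ->
    "password"); returns core unchanged when it is not a repetition."""
    for size in range(1, len(core) // 2 + 1):
        if len(core) % size == 0 and core[:size] * (len(core) // size) == core:
            return core[:size]
    return core


def banned_base(password: str) -> Optional[str]:
    """Return the banned word the password is built from, or None."""
    core = normalize(password)
    for candidate in (password.lower(), core, repeated_unit(core)):
        if candidate in BANNED_PASSWORDS:
            return candidate
    return None


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = banned_base(password)
    if base is not None:
        problems.append(f"based on banned password '{base}'")
    return problems
```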
Admins should also discourage users from reusing the organisation’s passwords on other domains, and also set up systems for “multi-factor registration”, which allow users to provide an alternate email address, phone number, or device through which they can be notified of security events and respond to challenges.
Microsoft stressed that password re-use was not just a theoretical concern, highlighting that it observed 12 million attacks per day on Microsoft accounts that relied on credentials leaked from other services.
“For Microsoft account, we see hackers testing leaked credentials against our systems at an average of 12M credential pairs every day. It is common practice for cyber criminals to try compromised credentials across many sites. The use of corporate credentials in external sites greatly increases the likelihood that criminals will compromise those credentials and play them back against your organization,” Microsoft said.