Robyn Hicock of the Microsoft Identity Protection Team published a Password Guidance paper recently in which recommendations are made to IT administrators and users in regards to password security and management.
Passwords are widely used on today's Internet, local networks and even individual devices, and while companies have started to develop alternatives, none will replace the need for passwords for authentication in the near future.
The company's advice to IT administrators is to a degree quite different from common practices used in many company networks.
The first three points address so-called anti-patterns, the remaining four successful or beneficial patterns. The anti-patterns are widely used, while research suggests that enforcing them has negative consequences that may outweigh their benefits.
Requiring long passwords
Microsoft suggests requiring passwords to be at least eight characters long, but not enforcing longer passwords (16 characters, for instance), as users may choose repeating patterns to meet the length requirement.
Another point worth noting according to Microsoft is that the majority of long passwords that users are required to pick are within a few characters of the minimum length which in turn helps attackers in their attacks.
Longer passwords, at least those that don't use repeated patterns, may lead to insecure practices such as writing down the password, storing it in documents, or re-using it.
Microsoft acknowledges that longer passwords are harder to crack, but states that truly strong passwords "inevitably lead to poor behaviors".
Multiple character sets
Many sites and services require that passwords include certain character types, for instance at least one uppercase and lowercase letter, and one number.
These requirements lead to bad user practices as well, according to Microsoft research. Many users start the password with a capital letter and end it with a number if those are two of the requirements.
Certain substitutes, $ for S, ! for 1 or @ for a, are also fairly common, and attackers configure attacks to take advantage of that knowledge.
The third and final anti-pattern addresses periodic password expiration, which forces users to pick a new password each time.
Microsoft notes that research has shown that users tend to pick predictable passwords when passwords expire, usually based on the previous password.
There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily.
Banning common passwords
This is the most important restriction when it comes to the creation of passwords as it reduces the impact of brute force attacks.
Microsoft's Account system uses this best practice already. When you try to pick a common password during account creation or a password reset, you will receive the message "choose a password that's harder for people to guess".
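To make the administrator guidance above concrete, here is an added example (not Microsoft's code, and not from the paper) of a password check that follows the three points discussed so far: an eight-character minimum without composition rules, rejection of passwords that repeat a short pattern to reach the length, and a banned-list check that first undoes the predictable substitutions and trailing digits the article mentions. The banned list, the substitution map and the sample passwords are constructed for the example; a real deployment would load a far larger banned list from disk.

```python
import re

MIN_LENGTH = 8  # the minimum the guidance recommends; no maximum is enforced

# Constructed sample of a banned-password list. In practice this would be
# a large list loaded from a file, not a handful of literals.
BANNED = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "iloveyou", "monkey", "football",
}

# Assumed mapping of common substitutions (attackers' cracking rules already
# include these, so they add no real strength). The exact map is an
# assumption for this example, not something the article specifies.
SUBSTITUTIONS = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i",
})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it was probably built from.

    Lowercases, strips the trailing digits/punctuation users append to
    satisfy composition rules, then undoes leet-style substitutions.
    """
    base = password.lower()
    base = re.sub(r"[\W\d_]+$", "", base)  # drop trailing "1", "!", "2016", ...
    return base.translate(SUBSTITUTIONS)


def has_repeated_pattern(password: str) -> bool:
    """True if the whole password is one short unit repeated (e.g. 'abcabcabc')."""
    n = len(password)
    for unit in range(1, n // 2 + 1):
        if n % unit == 0 and password[:unit] * (n // unit) == password:
            return True
    return False


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately imposes no uppercase/digit/symbol requirements: those are
    the anti-pattern the guidance argues against.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in BANNED or normalize(password) in BANNED:
        problems.append("matches a banned common password")
    if has_repeated_pattern(lowered):
        problems.append("repeats a short pattern to reach the length")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs showing each rule firing.
    for candidate in ["P@ssw0rd1!", "abcdabcdabcdabcd", "short", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Note that "P@ssw0rd1!" satisfies every classic composition rule (upper, lower, digit, symbol, ten characters) yet normalizes to "password" and is rejected, while the long all-lowercase passphrase passes: that is exactly the shift in emphasis the guidance argues for.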
Password Re-use education
Company employees need to be aware that reusing passwords can have serious implications for security. If an employee uses the same password that he/she uses on company computers elsewhere, attackers may be able to use successful attacks against other accounts of that employee to attack the company network as well.
The last two points go hand in hand. Microsoft suggests that companies maintain security information such as an alternate email address or phone number. This can be used to inform users about issues but also to authenticate users should the need arise.
Microsoft noted the following changes in statistics for account customers who have security information on their account:
Apart from providing guidance to system and IT administrators, Microsoft's password guidance paper provides guidance for users as well.
Microsoft's guidelines are written for the average user base. It is somewhat surprising that the company fails to mention password managers in the paper as they address several of the negatives mentioned in the IT administrator guidelines.
Now You: What's your take on Microsoft's password recommendations?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.