Microsoft upends traditional password recommendations with significant new guidance


Based on research gleaned from literally billions of login attempts to its Azure cloud service, Microsoft updates its password recommendations – and throws out several long-held industry best practices.

Microsoft has recently published a white paper, “Microsoft Password Guidance” that explains their new password guidance, based on the massive amount of data they’re collecting at Azure AD login. (They see more than 10 million username / password attacks every day.) Some of it is what you might think…but some of it defies conventional password wisdom.

The author (Robyn Hicock on the Microsoft Identity Protection Team, with a long list of contributors from her fellow team members, Microsoft Research, and Microsoft IT) states that long-held password practices fall down in the face of modern credentials-oriented attacks. Further, some of these policies actually increase the ease with which passwords can be compromised and should thus be changed or abandoned altogether.

Microsoft recommends seven actions to provide maximum password-based identity protection:

  1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  2. Eliminate character-composition requirements.
  3. Eliminate mandatory periodic password resets for user accounts.
  4. Ban common passwords, to keep the most vulnerable passwords out of your system.
  5. Educate your users not to re-use their password for non-work-related purposes.
  6. Enforce registration for multi-factor authentication.
  7. Enable risk-based multi-factor authentication challenges.

Let’s look at the more unusual recommendations that directly affect how an organization would set their domain password policy.

Kill Anti-Patterns
Maintain an 8-character minimum length requirement. Microsoft Research has found that long, complex web passwords are a burden to users (no surprise there) but are actually of limited effectiveness for several reasons. The strength of the password is irrelevant if the user is caught in a phishing attack and provides it, or has keylogger malware on their system. These are the most common attacks according to the authors. The password only needs to be strong enough to withstand a “three strikes” type lockout rule. Note that though this study is about web passwords, there’s no reason it shouldn’t also apply to Active Directory passwords (and your own lockout policy).

Eliminate character-composition requirements. This is a nice idea in the abstract, but Microsoft and others (Bruce Schneier, for example) have found that, when confronted with password complexity requirements, people fall into a few recognizable patterns that password cracking programs exploit. For example, it turns out that a typical password consists of a root that’s usually something pronounceable plus a suffix such as a number. And yes, they know that you’re using “$” for “s”, “!” for “i”, etc!

Eliminate mandatory periodic password resets for user accounts. Periodic password changes, again a nice idea in principle, fail when run through the human brain. Why? Because people tend to make their new password based on their old one, in a very predictable manner. In addition, since criminals use passwords as soon as they compromise them, there’s no benefit in containment (i.e. “We’ve been compromised; please change your password to prevent your account from being hacked” warnings are far too late).
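To make the first, second and fourth recommendations concrete, here is an added example (not code from the white paper or from Microsoft) of a password acceptance check that enforces an 8-character minimum, imposes no composition rule, and bans common passwords by first undoing the predictable “root plus suffix” and “$ for s” patterns described above. The banned list and the substitution table are constructed for the example; a real deployment would use a list built from breach data.

```python
import re

# Constructed stand-in for a banned-password list (lowercase roots, no suffix).
# A production list would be far larger and sourced from real credential dumps.
BANNED_ROOTS = {"password", "welcome", "qwerty", "letmein", "summer", "iloveyou"}

# Substitutions that cracking tools undo routinely; the check normalizes them
# instead of crediting them as added complexity. Table is an assumption.
SUBSTITUTIONS = str.maketrans({
    "$": "s", "!": "i", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
})

MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Reduce a candidate to its likely root: lowercase, strip a trailing
    number/punctuation suffix, then undo common character substitutions.
    Example: 'P@$$w0rd1!' -> 'password', 'Summer2019!' -> 'summer'."""
    lowered = password.lower()
    without_suffix = re.sub(r"[^a-z]+$", "", lowered)   # drop '2019!', '1', '!!' etc.
    return without_suffix.translate(SUBSTITUTIONS)


def check_password(password: str) -> tuple[bool, str]:
    """Apply the guidance: length floor only, no composition rule, banned-root check."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than 8 characters"
    root = normalize(password)
    # Compare both the raw lowercase value and the normalized root, so that
    # all-digit entries and leetspeak variants of banned words are both caught.
    if password.lower() in BANNED_ROOTS or root in BANNED_ROOTS:
        return False, f"too close to a commonly used password ({root!r})"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Tr0ub4d", "Summer2019!", "P@$$w0rd1!", "correct horse battery"]:
        ok, reason = check_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} ({reason})")
```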

