Sean Deuby

Based on research gleaned from literally billions of login attempts to its Azure cloud service, Microsoft updates its password recommendations – and throws out several long-held industry best practices.

Microsoft has recently published a white paper, “Microsoft Password Guidance” that explains their new password guidance, based on the massive amount of data they’re collecting at Azure AD login. (They see more than 10 million username / password attacks every day.) Some of it is what you might think…but some of it defies conventional password wisdom.

The author (Robyn Hicock on the Microsoft Identity Protection Team, with a long list of contributors from her fellow team members, Microsoft Research, and Microsoft IT) states that long-held password practices fall down in the face of modern credentials-oriented attacks. Further, some of these policies actually increase the ease with which passwords can be compromised and should thus be changed or abandoned altogether.

Microsoft recommends seven actions to provide maximum password-based identity protection:

  • Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  • Eliminate character-composition requirements.
  • Eliminate mandatory periodic password resets for user accounts.
  • Ban common passwords, to keep the most vulnerable passwords out of your system.
  • Educate your users not to re-use their password for non-work-related purposes.
  • Enforce registration for multi-factor authentication.
  • Enable risk based multi-factor authentication challenges.

Let’s look at the more unusual recommendations that directly affect how an organization would set their domain password policy.

Kill Anti-Patterns

Maintain an 8-character minimum length requirement. Microsoft Research has found that long, complex web passwords are a burden to users (no surprise there) but are actually of limited effectiveness for several reasons. The strength of the password is irrelevant if the user is caught in a phishing attack and provides it, or has keylogger malware on their system. These are the most common attacks according to the authors. The password only needs to be strong enough to withstand a “three strikes” type lockout rule. Note that though this study is about web passwords, there’s no reason it shouldn’t also apply to Active Directory passwords (and your own lockout policy).

Eliminate character-composition requirements. This is a nice idea in the abstract, but Microsoft and others (Bruce Schneier, for example) have found that, when confronted with password complexity requirements, people fall into a few recognizable patterns that password cracking programs exploit. For example, it turns out that a typical password consists of a root that’s usually something pronounceable plus a suffix such as a number. And yes, they know that you’re using “$” for “s”, “!” for “i”, etc!

Eliminate mandatory periodic password resets for user accounts. Periodic password changes, again a nice idea in principle, fail when run through the human brain. Why? Because people tend to make their new password based on their old one, in a very predictable manner. In addition, since criminals use passwords as soon as they compromise them there’s no benefit in containment (i.e. “We’ve been compromised; please change your password to prevent your account from being hacked” warnings are far too late).

Updated advice from both Schneier and Microsoft is that unless you think your password might be compromised, don’t change it. I would amend this recommendation to say strengthen your passwords over time, but don’t try to keep track of it yourself: bow down to our robotic masters, and use a utility like LastPass to generate long, complex, unmemorable passwords and store them in its encrypted vault. Then you only need remember one complex password – the master password for your vault. Once you cede management to such a utility, it’s really quite freeing; you can instantly create a hairy 18-character password such as “wO2AECJ^OZhbXwY#0Y” for a website and rest assured that it’s practically uncrackable.

Enforce Successful Patterns

Ban common passwords. Microsoft believes the most important step you can take for security is to ban a list of known weak passwords (e.g. abcdefg, passw0rd, etc.) from your system to strengthen it against brute-force attacks. Microsoft has found that banning these passwords (which they do for Azure AD) is highly effective at removing weak passwords from the system.

If you’re reading this at a traditional enterprise you’re probably thinking, “This is all well and good, but how do I implement such a policy for my on-premises Active Directory environment?” If you’re an AD guy like me, you know this requires a custom password filter that must be installed on all AD domain controllers, and Microsoft does not provide password-banning capabilities out of the box.

There are third-party products such as Anixis Password Policy Enforcer or nFront Password Filter that do provide this capability. Microsoft is reportedly working on its own support for this capability; in her Twitter feed, the author says “We have something in the works for this. Stay tuned”, but of course there’s no way to judge when this capability will be available. Since this capability would need to integrate with Windows Server Active Directory, how long it will take depends upon how the capability is implemented. If it’s part of Active Directory, the time to be deeply integrated into Windows Server 2016 is past – which means a two-year wait until the next version of Windows Server is released. An updated password filter (passfilt.dll) can be made available as a download at any time.
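To make the “ban common passwords” recommendation concrete, and to show why it must account for the leetspeak and root-plus-suffix patterns described under “Eliminate character-composition requirements”, here is an added example of a banned-password check. It is not code from the article, from Microsoft, or from any of the products named above; the banned list, the substitution table and the suffix-stripping rules are constructed for the demonstration, and a real password filter would load a far larger list. The idea is that “P@ssw0rd2016!” is normalized to “password” before the lookup, so the banned list does not have to enumerate every variant.

```python
"""Added example (not from the article or Microsoft): normalize a candidate
password the way an attacker's cracking rules would (lowercase, undo leet
substitutions, drop the numeric/symbol prefix and suffix) and then compare
the resulting root against a banned list."""

import re

# Constructed sample list; production systems use a much larger one.
BANNED_ROOTS = {"password", "abcdefg", "qwerty", "letmein", "welcome", "iloveyou"}

# Constructed reverse-leet table: symbols and digits users swap in for letters.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"})


def normalize(password: str) -> str:
    """Reduce a password to the pronounceable root an attacker would guess."""
    p = password.lower()
    # Strip the common suffix ("2016", "123", "!") and any leading symbol.
    p = re.sub(r"[^a-z]+$", "", p)
    p = re.sub(r"^[^a-z]+", "", p)
    # Undo leet substitutions inside the root ("p@ssw0rd" -> "password").
    return p.translate(LEET)


def is_banned(password: str, banned=BANNED_ROOTS) -> bool:
    """True if the normalized root is banned, or is a banned root with a
    word glued on ("passwordpassword", "welcomehome")."""
    root = normalize(password)
    if root in banned:
        return True
    return any(root.startswith(b) or root.endswith(b)
               for b in banned if len(b) >= 6)


def check_candidates(candidates):
    """Evaluate a batch of candidates; handy for auditing a proposed list."""
    return {c: is_banned(c) for c in candidates}


if __name__ == "__main__":
    for pw, banned in check_candidates(
            ["P@ssw0rd2016!", "Qwerty1", "wO2AECJ^OZhbXwY#0Y"]).items():
        print(f"{pw!r}: {'BANNED' if banned else 'ok'}")
```

Note that the randomly generated 18-character password quoted earlier passes unchanged: it has no recognizable root, so no amount of normalization maps it onto the list. That is exactly the property a password manager gives you.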

Educate your users not to re-use their password for non-work-related purposes. It’s not difficult to surmise that, once a user has settled on what they consider a good password for work, they would use it again for other sites. Unfortunately, it’s such a common practice that criminals always try compromised credentials across many sites; Microsoft sees 12 million leaked credentials (Microsoft maintains a large compromised credentials list) tested against their systems every day.

This is a really hard pattern to enforce, because you can only do it with user education. And it’s an uphill battle because it makes it harder for users.

Enforce registration for multi-factor authentication. Multi-factor authentication (MFA) is rapidly being adopted by enterprises and larger SaaS providers. Having a second set of security information (such as alternate email address or mobile phone number) that can be verified out of band makes a dramatic improvement in security. Turn on MFA wherever you can! Yes, it can be a minor pain – but it’s less of a pain by far than a compromised account.

Enable risk based multi-factor authentication challenges. This pattern takes MFA to the next level, by triggering an MFA prompt when suspicious activity (such as a geographically different IP address than the user has logged in with before) is detected. This of course requires that the capability be available in your login security system.
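As an added illustration of what a risk-based MFA challenge looks like in logic, not code from the article or from any Microsoft product, here is a small rule-based evaluator. The sign-in history, the rules (new country, unrecognised device, a burst of recent failures) and the point values are all constructed for the demonstration; a real system would take the country from a geo-IP lookup on the source address and tune the thresholds from its own telemetry.

```python
"""Added example (not from the article or Microsoft): decide whether a
sign-in should be stepped up to an MFA prompt by scoring it against what
has previously been seen for the user. All rules and scores are illustrative."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple


@dataclass
class SignIn:
    user: str
    country: str      # assumed to come from a geo-IP lookup on the source IP
    device_id: str    # assumed device/browser identifier
    when: datetime


@dataclass
class UserProfile:
    """What we have seen for this user so far (constructed sample data)."""
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    recent_failures: List[datetime] = field(default_factory=list)


MFA_THRESHOLD = 50          # score at or above which we challenge
FAILURE_WINDOW = timedelta(minutes=15)


def score_sign_in(attempt: SignIn, profile: UserProfile) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Each rule adds points independently."""
    score, reasons = 0, []
    if attempt.country not in profile.countries:
        score += 50
        reasons.append(f"first sign-in from {attempt.country}")
    if attempt.device_id not in profile.devices:
        score += 30
        reasons.append("unrecognised device")
    recent = [t for t in profile.recent_failures if attempt.when - t <= FAILURE_WINDOW]
    if len(recent) >= 3:
        score += 40
        reasons.append(f"{len(recent)} failed attempts in the last 15 minutes")
    return score, reasons


def requires_mfa(attempt: SignIn, profile: UserProfile) -> bool:
    score, _ = score_sign_in(attempt, profile)
    return score >= MFA_THRESHOLD


def record_success(attempt: SignIn, profile: UserProfile) -> None:
    """After a fully authenticated sign-in, the country and device become known."""
    profile.countries.add(attempt.country)
    profile.devices.add(attempt.device_id)
    profile.recent_failures.clear()


if __name__ == "__main__":
    alice = UserProfile(countries={"US"}, devices={"laptop-1"})
    now = datetime(2016, 6, 1, 9, 0)
    for s in (SignIn("alice", "US", "laptop-1", now),
              SignIn("alice", "BR", "laptop-1", now)):
        score, why = score_sign_in(s, alice)
        print(f"{s.country}/{s.device_id}: score={score} mfa={score >= MFA_THRESHOLD} {why}")
```

A single new device scores below the threshold on its own, so a user who buys a new phone at home is not prompted, while that same new device combined with a burst of failed attempts, or any sign-in from a country never seen before, is. Record the country and device only after the challenge succeeds, otherwise an attacker's first attempt would teach the profile to trust them.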

Note that if your company has compliance requirements, you may not be able to implement some or all of these suggestions. Nevertheless, it’s always good to be aware of what’s happening in the real world. And it doesn’t get much more real world than data from a place with 10 million attacks per day.