Thursday, June 2, 2016

#empoexpiire Microsoft's approach to password protection

Warning: this post presents some theories from Microsoft, and there are those of you who think that Microsoft is stupid, backward, and evil. Therefore, some of you will probably want to do the exact opposite of what Microsoft recommends.

For example, IT professionals may want to enforce password expiration schemes and insist on password complexity rules.

Why? Because Microsoft says they're ineffective.

Now that the Microsoft haters have stopped reading this post, shaking their heads at the post's inanity, let's turn to the work of Microsoft program manager Robyn Hicock. In brief:

I’d recommend you read this great whitepaper that Robyn Hicock, a Program Manager on our team just published online. It highlights a bunch of very cool research and gives some great guidance on improving the security of passwords.

The paper draws on some great work done by the folks in Microsoft Research, our data and learnings from 10+ years of defending the Microsoft Account service from attacks and information across the industry.

I think it will change the way you think about your password policies. For example, did you know that in the real world all of these common approaches:

•Password length requirements
•Password “complexity” requirements
•Regular, periodic password expiration

actually make passwords easier to crack? Why you might ask? Because humans act in pretty predictable ways when faced with these kinds of requirements.

In the paper (PDF), Hicock refers to "anti-patterns" that result from the use of common security techniques. Regarding password expiration, Hicock notes (as others have noted) that

Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other (that is, the next password can be predicted based on the previous password)....

One study at the University of North Carolina found that 17% of new passwords could be guessed given the old one in at most 5 tries, and almost 50% in a few seconds of un-throttled guessing. Furthermore, cyber criminals generally exploit stolen passwords immediately.

But this is just one of the "anti-patterns." Password length and complexity requirements result in their own anti-patterns, as detailed in Hicock's paper (PDF).

And why listen to Microsoft? Because it deals with passwords like Facebook deals with users - in massive quantities.

Microsoft sees over 10 million username/password pair attacks every day. This gives us a unique vantage point to understand the role of passwords in account takeover.

So while you've been reading this post, Microsoft has dealt with over 10,000 password attacks. Perhaps we should listen to the company.

And what DOES Microsoft recommend? One of its recommendations is to ban common passwords, as defined in a constantly-updated list of common passwords. The white paper links to a list of the most commonly used passwords in 2015. Spaceball's famous "12345" password is on the list of the top 25 passwords, and has been for a while. But in 2015, a number of new passwords made the list, such as "princess" and "solo." And if you're not sure why those passwords suddenly appeared on the list, perhaps another password - "starwars" may give you a hint.

Of course, the most popular passwords in 2015 may not help the criminals in 2016. I'd be willing to bet that by the end of the year, "makeamericagreatagain" will appear on the list, despite its length.

blog comments powered by Disqus