Microsoft plans to dynamically ban commonly used passwords on all of the more than 10 million Azure Active Directory user accounts.
Alex Weinert, group program manager of the Azure AD Identity Protection team, explains in a blog post that Microsoft continuously analyses those passwords that are used most commonly online.
He goes on to note the tech giant retrieves this information not only from industry research, such as SplashData's annual list of "worst" passwords, but also from its own data regarding password brute force attacks:
"As I mentioned in my last blog and the latest Microsoft Security Incident Report, we see more than 10M accounts attacked daily, so we have a lot of data about which passwords are in play in those attacks. We use this data to maintain a dynamically updated banned password list. We then use that list to prevent you from selecting a commonly used password or one that is similar."
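To make the mechanism concrete, here is a small added Python example (written for this page, not Microsoft's own code; the article does not describe how Azure AD's matching actually works) of a banned-password check in the spirit Weinert describes: a candidate is normalized, then rejected if it matches a banned entry exactly, embeds one, or is a near-miss by edit similarity. The banned list, the leet-substitution table and the 0.8 similarity threshold are all constructed for the example; a real deployment would feed the list from observed attack data and tune the threshold.

```python
import re
from difflib import SequenceMatcher
from typing import Iterable, Tuple

# Constructed sample banned list. In practice this is fed from attack
# telemetry and "worst password" research, as the article describes.
BANNED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "abc123", "football", "iloveyou", "admin", "monkey",
}

# Assumed substitutions users apply to slip past a naive blocklist.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Constructed threshold: 0.8 flags one-character typos of short words.
SIMILARITY_THRESHOLD = 0.8


def normalize(password: str) -> str:
    """Collapse a candidate to its 'core' word.

    Lower-cases, strips leading/trailing digits and symbols (the usual
    'Password2016!' padding), then undoes leet substitutions, so that
    'P@ssw0rd2016!' becomes 'password'. Purely numeric or symbolic
    passwords such as '123456' are returned as-is so they still match.
    """
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if not core:
        return lowered
    return core.translate(LEET_MAP)


def is_banned(password: str,
              banned: Iterable[str] = BANNED_PASSWORDS) -> Tuple[bool, str]:
    """Return (rejected, reason) for a candidate password.

    Three rules are applied to the normalized form, in order:
      1. exact match against the banned list;
      2. a banned entry of six or more characters appears inside it
         (catches 'welcome2work');
      3. difflib similarity ratio at or above the threshold
         (catches the typo 'pasword').
    """
    norm = normalize(password)
    if norm in banned:
        return True, "matches banned password '%s'" % norm
    for entry in sorted(banned):          # sorted for deterministic reasons
        if len(entry) >= 6 and entry in norm:
            return True, "contains banned password '%s'" % entry
        ratio = SequenceMatcher(None, norm, entry).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            return True, "too similar to banned password '%s' (%.2f)" % (entry, ratio)
    return False, "ok"


if __name__ == "__main__":
    # Constructed candidates to show each rule firing (or not).
    for candidate in ["P@ssw0rd2016!", "Welcome2Work", "pasword",
                      "123456", "Tr0ub4dor&3", "correct horse battery staple"]:
        rejected, reason = is_banned(candidate)
        print("%-30s %s  %s" % (candidate, "REJECT" if rejected else "accept", reason))
```

The normalization step is what makes the check bite: without it, a list containing `password` would wave through `P@ssw0rd2016!`, which is exactly the kind of variant that appears in the attack data the post refers to. The similarity rule is deliberately loose for short strings, so in production you would apply it only to the normalized core and keep the threshold and minimum entry length tuned to your own false-positive tolerance.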
Microsoft has already enabled the banned password notification feature in its Account Service. The company has also made it available in private preview in Azure AD, and it intends to roll out the service to the more than 10 million users of Azure AD over the next few months.
In the meantime, Weinert recommends all Azure AD admins urge their users to implement Azure multi-factor authentication (MFA) or Windows Password, the latter of which is inherently multi-factor. Enabling either feature will help to protect users' accounts even in the event an attacker steals or guesses their passwords.
For more secure password recommendations, please download this paper (PDF) written by Robyn Hicock of the Azure AD Identity Protection team.
News of Microsoft's password policy updates follows on the heels of, and in part directly responds to, a hacker's attempt to sell a database containing 167 million LinkedIn accounts, including the emails and passwords for 117 million users, on the dark web.