Microsoft’s Password Recommendations

Robyn Hicock of the Microsoft Identity Protection Team published a Password Guidance paper recently in which recommendations are made to IT administrators and users in regards to password security and management.

Passwords are widely used on today's Internet, local networks and even individual devices, and while companies have started to develop alternatives, none will replace the need for passwords for authentication in the near future.

Microsoft Password Recommendations to IT Admins

The company's advice to IT administrators is to a degree quite different from common practices used in many company networks.

1. Set a minimum length of 8 characters for passwords (but not necessarily more).
2. Remove character composition requirements.
3. Don't require periodic password resets.
4. Ban commonly used passwords.
5. Educate users in regards to password re-use.
6. Enforce multi-factor authentication registration.
7. Enable risk-based multi-factor authentication challenges.

The first three points address so called anti-patterns, the remaining four successful or beneficial patterns. These are widely used while research suggests that enforcement has negative consequences that may outweigh their benefits.

Anti-Patterns

Requiring long passwords

Microsoft suggests to require passwords to be at least eight characters, but not to enforce longer passwords (16 characters for instance) as users may choose repeating patterns to meet the length requirement.

Another point worth noting according to Microsoft is that the majority of long passwords that users are required to pick are within a few characters of the minimum length which in turn helps attackers in their attacks.

Longer passwords, at least those that don't use repeated passwords, may lead to insecure practices such as writing down the password, storing it in documents, or re-using it.

Microsoft acknowledges that longer passwords are harder to crack but that truly strong passwords ! inevitably lead to poor behaviors".

Multiple character sets

Many sites and services require that passwords include certain character types, for instance at least one uppercase and lowercase letter, and one number.

These requirements lead to bad user practices as well according to Microsoft research. Many users start passwords with a capital letter and end it with a number of those are two of the requirements.

Certain substitutes, $ for S, ! for 1 or @ for a, are also fairly common, and attackers configure attacks to take advantage of that knowledge.

Password expiry

The third and final anti-pattern addresses periodic resets of passwords forcing users to pick a new password in the process.

Microsoft notes that research has shown that users tend to pick predictable passwords when passwords expire, usually based on the previous password.

There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily.

Successful Patterns

Banning common passwords

This is the most important restriction when it comes to the creation of passwords as it reduces the impact of brute force attacks.

Microsoft's Account system uses the best practice already. When you try to pick a common passwords during account creation, or password reset, you will receive the message "choose a password that's harder for people to guess".

Password Re-use education

Company employees need to be aware that reusing passwords can have serious implications for security. If an employee uses the same password that he/she uses on company computers elsewhere, attackers may be able to use successful attacks against other accounts of that employee to attack the company network as well.

Multi-Factor authentication

The last two points go hand in hand. Microsoft suggests that companies maintain security information such as an alternate email address or phone number. This can be used to inform users about issues but also to authenticate users should the need arise.

Microsoft noted the following stats changes for account customers with security information on their account:

• Password reset success jumps from 67% to 93%
• Compromise recovery improves from 57% to 81%
• User attrition rate actually drops from 7% to 3%, month over month

Guidance to users

Apart from providing guidance to system and IT administrators, Microsoft's password guidance paper provides guidance for users as well.

1. Never use a (Microsoft) password on another site.
2. Make sure your security information (alternate email address, phone number) are up to date.
3. Verify your identity whenever the need arises with the Microsoft account application for Android.
4. Consider enabling two-factor authentication whenever possible.
5. Don't use common passwords, words or phrases, or personal information when selecting passwords.
6. Keep the operating system, the browser, and software up to date.
7. Be careful of suspicious emails and websites.
8. Install an antivirus program.
9. Make use of Microsoft Password and Windows Hello.
10. Use trusted identity providers.

Closing Words

Microsoft's guidelines are written for the average user base. It is somewhat surprising that the company fails to mention password managers in the paper as they address several of the negatives mentioned in the IT administrator guidelines.

Now You: What's your take on Microsoft's password recommendations?