With the news of LinkedIn being compromised, it makes us all re-evaluate our password policies. I agree that passwords are the weakest link in our security chain, and the Azure AD Identity Protection team has now defined some additional password best practices. I expect this will impact a number of people who have used “less complex” passwords with Office 365 and Azure in the past. The big thing I want to point out is that Azure AD will start dynamically banning common passwords. This means that if you try to create a “simple” password within Azure AD (or Office 365), Azure AD will not allow you to change your password to one of these known weak, or commonly used, passwords. I do not expect your current passwords to stop working; at most you will be prompted to change your password. The whole article can be read here.
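To make the behaviour concrete, here is an added example (not Microsoft's code, and not a description of Azure AD's actual matching rules) of what a "banned common password" check on a password change can look like. It assumes a small constructed blocklist, undoes a few common character substitutions before matching, and still lets a long passphrase through even when it happens to contain a banned word, which is the trade-off such a check has to make.

```python
import re

# Constructed sample blocklist for illustration only; Azure AD's real list is
# far larger and is maintained dynamically from observed attacks.
BANNED_TERMS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin", "contoso"}

# Substitutions to undo before matching, so "P@$$w0rd" is still treated as
# "password". The table is an assumption for this example, not Azure AD's.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
    "3": "e", "4": "a", "5": "s", "7": "t",
})


def normalize(password):
    """Lower-case, undo common substitutions and drop punctuation."""
    lowered = password.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z0-9]", "", lowered)


def find_banned_terms(normalized):
    """Return the banned terms that occur inside the normalized password."""
    return sorted(term for term in BANNED_TERMS if term in normalized)


def check_password(password, min_length=8, min_residual=8):
    """Decide whether a proposed password is acceptable.

    Returns (accepted, reason). A password is rejected when it is too short,
    or when it contains a banned term and fewer than min_residual characters
    remain once the banned terms are removed. That second condition is what
    keeps "administrative-budget-spring-sunset" acceptable while rejecting
    "Welcome1!", even though both contain a banned term.
    """
    if len(password) < min_length:
        return False, "too short"

    normalized = normalize(password)
    hits = find_banned_terms(normalized)

    residual = normalized
    for term in hits:
        residual = residual.replace(term, "")

    if hits and len(residual) < min_residual:
        return False, "contains banned term(s): " + ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample password-change attempts.
    for candidate in ["P@$$w0rd2016", "Welcome1!", "short",
                      "administrative-budget-spring-sunset",
                      "correct horse battery staple"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r:40} -> {'accepted' if accepted else 'rejected'} ({reason})")
```

Running the block shows the common patterns ("P@$$w0rd2016", "Welcome1!") rejected with the banned term named, while the two longer passphrases pass; this is the kind of outcome users will see when a password change is refused, so it is worth explaining the reason to them rather than just saying "too simple".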
This post also references our Password Guidance Whitepaper. Keep in mind that Microsoft sees over 10 million username/password pair attacks every day. This gives us a unique vantage point to understand the role of passwords in account takeover. The guidance in this paper is scoped to users of Microsoft’s identity platforms (Azure Active Directory, Active Directory, and Microsoft account) though it generalizes to other platforms.
The link to the Whitepaper is here, and I love that the guidance is simple and direct.
Please take time to review this and discuss it with your customers, since it may affect some of them the next time they try to change their password to something too simple.
Until next time,