With LinkedIn providing yet more fodder for attackers' rainbow tables and login bots, Microsoft has decided to start blocking too-common passwords.
As a result, Azure Active Directory's 10 million or so users will no longer be able to select a password that's appeared too many times on breach lists, or commonly appears in attackers' login attempts.
The new regulation is already live in Microsoft Account Service and in private preview in Azure Active Directory, Redmond says in this Technet post.
“What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work”, Alex Weinart writes.
The Microsoft post reiterates that the old beliefs about passwords are already obsolete: password length requirements, password “complexity” requirements, and periodic password expiration all need to be jettisoned because they make passwords less secure.
That's in line with what the UK's GCHQ said earlier this month, and for pretty much the same reasons.
Microsoft's ID protection team member Robyn Hicock explains in Redmond's password guidance that “people react in predictable ways when confronted with similar sets of restraints” – which exacerbates users' irritating tendency to pick bad passwords, and re-use passwords. ®