The point of a password is to keep your accounts secure. A bad password, though, doesn’t do that very well. And despite decades’ worth of repeated warnings not to use the same terrible passwords, millions of people still regularly do, even when a system tries to require better ones. So Microsoft, in the name of customer protection, has finally had enough and is just going to start banning the really crappy ones altogether.
Basically, Microsoft is putting a tool in place for anyone using its login systems that has a check against the worst passwords list and bans new entries from matching them.
In the blog post, a Microsoft expert explains that across all their properties (Outlook, Xbox Live, OneDrive, and so on) Microsoft sees hostile attempts made on 10 million accounts per day, so they have a lot of internal data to draw on about bad password habits.
The annual list is full of passwords you really shouldn’t be using anyway, with “123456” and “password” routinely taking the top two spots, and such scintillating entries as “qwerty,” “football,” and “12345678” also appearing in the top ten. Microsoft’s system is dynamic, but is still pulling from basically the same pool of bad ideas.
The post, targeted to developers, also explains that administrators using Azure AD — a cloud-based identity verification service from Microsoft — will be able to enable the dynamic banning on their own systems in the near future.