117M leaked creds (from LinkedIn?). New best practices + #AzureAD and MSA can help

First published on CloudBlogs on May, 24 2016
Howdy folks, You probably saw the news last week that a hacker was selling a list with 117M usernames and passwords purportedly leaked from LinkedIn. With these kinds of leaks happening almost weekly now, what can a person do to protect themselves? Or if you are an IT admin, what can you do to protect your users accounts? Based on the latest research, there are some straight forward, concrete steps you can take as a user or as an administrator to help protect your accounts. And we've got some great features in #AzureAD and the Microsoft Account service that can help you as well. I've asked Robyn Hicock and Alex Weinert from our Identity Protection team to walk you through these steps. Robyn has done a really great white paper reviewing the latest best practices in password security and Alex has written up a nice blog post showing you how Azure AD and the Microsoft Account service can help. You'll find Alex's blog post and links to Robyn's whitepaper below. I hope you'll take the time to read them both. They are both interesting and some of Robyn's findings will probably surprise you! Best Regards, Alex Simons (Twitter: @Alex_A_Simons ) Director of Program Management Microsoft Identity Division -------------------- Hello everyone! Alex Weinert, Group Program Manager of Azure AD Identity Protection team here again. Hot on the heels of my blog explaining our approach to lists of compromised credentials and sharing the results data, last week we had another another big list in the news , this time a set of 117M purportedly leaked from LinkedIn. With all these lists leaking, what can you do to stay safe? To start with, I'd recommend you read this great whitepaper that Robyn Hicock, a Program Manager on our team just published online. It highlights a bunch of very cool research and gives some great guidance on improving the security of passwords. The paper draws on some great work done by the folks in Microsoft Research, our data and learnings from 10+ years of defending the Microsoft Account service from attacks and information across the industry. I think it will change the way you think about your password policies. For example, did you know that in the real world all of these common approaches:

• Password length requirements
• Password "complexity" requirements
• Regular, periodic password expiration

actually make passwords easier to crack? Why you might ask? Because humans act in pretty predictable ways when faced with these kinds of requirements. You can learn all about it in Robyn's paper . In addition to Robyn's paper, I want to share a few insights into how Azure AD and the Microsoft Account system work to protect you and your passwords. We do this in two innovative ways based on the best practice outlined in Robyn's paper:

• Dynamically banning common passwords
• Smart password lockout

Read on to learn more about these approaches and how we use them in Azure AD and the Microsoft Account System. Dynamically Banned Passwords As Robyn's paper explains, the most important thing to keep in mind when selecting a password is to choose one that is unique, and therefore hard to guess. We help you do this in the Microsoft Account and Azure AD system by dynamically banning commonly used passwords . When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What *we* do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work. As I mentioned in my last blog and the latest Microsoft Security Incident Report, we see more than 10M accounts attacked daily, so we have a lot of data about which passwords are in play in those attacks. We use this data to maintain a dynamically updated banned password list. We then use that list to prevent you from selecting a commonly used password or one that is similar. This service is already live in the Microsoft Account Service and in private preview in Azure AD. Over the next few months we will roll it out across all 10m+ Azure AD tenants. Here's what it looks like to an end user in Azure AD (currently in private preview – coming soon!):

And here's what it looks like on your Microsoft account (Outlook, Xbox, OneDrive…):

Smart Password Lockout Of course, you already know that when our security system detects a bad guy trying to guess your password online, we will lock out the account. What you probably don't know is that we do lots of work to make sure that they only lock themselves out! Our systems are designed for determining the risk associated with a specific login session. Using this, we can apply lockout semantics only to the folks who aren't you. The only way *you* get locked out is if someone is guessing your passwords on your own machine or network. If you are locked out in Azure AD, it looks like this:

And in Microsoft account, it looks like this:

To see how effective this is at saving good users from disruption, check this out – more than half the time, we keep hackers from disrupting you or your users:

Those are just a few of the things we do on behalf of Azure AD Admins. If you are an Azure AD Admin, the most important thing you can do – as Robyn points out in the doc – is to make sure your users are all configured correctly for Azure MFA or better yet, start using something like Windows Passport, which is inherently multi-factor and will soon help get us (and you!) out of the password business altogether! Enjoy our password guidance – and be sure to let Robyn ( @robynhicock ) know what you think! Until next time – be safe! -Alex (@alex_t_weinert )