Microsoft researchers rethink password requirements

Picking a solid password and remembering it can be a challenge for anyone—even alleged Russian spies, as it turns out. According to Technology Review, Microsoft Researchers have thought up a new, rather interesting scheme to balance usability and security.

One of the Microsoft studies quoted by Technology Review suggests services only tend to raise password complexity requirements when they have no competition, since users can’t take their business elsewhere. Government sites are cited as one example. Surprisingly, the study found no correlation between "the value of a consumer’s account, the amount of attacks that the website suffered, and the complexity of the passwords that the website operators forced on their users."

With that in mind, Microsoft researchers propose a simple middle ground: allow users to pick simple passwords, but limit how many users can have the same password. That system would impede hackers who prey on popular services with large numbers of subscribers. While those services typically lock down accounts after a few erroneous login attempts, hackers still manage to break through by trying a handful of very common passwords across many accounts at once.
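The limit described above is simple to enforce at sign-up time. The following is an added example, not code from the article or from the Microsoft researchers; it assumes one particular design (a count-min sketch keyed with a server secret, so the server never stores a readable list of the most popular passwords) and a constructed sign-up population to show how the limit caps what a spray of a few common passwords can reach.

```python
"""Password-popularity limit: refuse a password once too many accounts use it."""
import hashlib
import hmac


class PasswordPopularityLimiter:
    """Count how many accounts share each password without storing the passwords.

    Design choice of this example (not from the article): a count-min sketch keyed
    with a server secret. The table holds only HMAC-indexed counters, so it cannot
    be read back as a list of popular passwords. Sketch counts are upper bounds:
    a rare password may occasionally be refused early, a popular one is never
    admitted past the limit.
    """

    def __init__(self, secret: bytes, max_users_per_password: int = 100,
                 width: int = 1 << 16, depth: int = 4) -> None:
        self.secret = secret
        self.limit = max_users_per_password
        self.width = width
        self.depth = depth
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password: str):
        # One independent HMAC-derived index per row; the row number is mixed in
        # so the rows do not share collisions.
        data = password.encode("utf-8")
        for row in range(self.depth):
            mac = hmac.new(self.secret, bytes([row]) + data, hashlib.sha256).digest()
            yield row, int.from_bytes(mac[:8], "big") % self.width

    def count(self, password: str) -> int:
        """Upper bound on the number of accounts currently using this password."""
        return min(self.table[row][col] for row, col in self._cells(password))

    def is_allowed(self, password: str) -> bool:
        return self.count(password) < self.limit

    def register(self, password: str) -> bool:
        """Record one more account using the password; False if the limit is hit."""
        if not self.is_allowed(password):
            return False
        for row, col in self._cells(password):
            self.table[row][col] += 1
        return True

    def release(self, password: str) -> None:
        """Undo a registration (account deleted or password changed)."""
        for row, col in self._cells(password):
            if self.table[row][col] > 0:
                self.table[row][col] -= 1


def max_accounts_exposed(limiter: PasswordPopularityLimiter, guesses) -> int:
    """Upper bound on accounts an attacker could open by trying each guess once
    against every account: with the limit in place, at most `limit` per guess."""
    return sum(limiter.count(g) for g in guesses)


def simulate(limit: int):
    """Constructed toy population of 1,000 sign-ups: 30% pick one of three very
    common passwords, the rest pick something unique. Returns (sign-ups refused
    and asked for another password, accounts exposed to a 3-guess spray)."""
    choices = ["password"] * 150 + ["123456"] * 100 + ["qwerty"] * 50
    choices += [f"unique-{i}" for i in range(700)]
    limiter = PasswordPopularityLimiter(b"constructed-secret", limit)
    refused = sum(0 if limiter.register(pw) else 1 for pw in choices)
    return refused, max_accounts_exposed(limiter, ["password", "123456", "qwerty"])


if __name__ == "__main__":
    print("no limit   :", simulate(10 ** 6))   # (0, 300)
    print("limit of 10:", simulate(10))        # (270, 30)
```

With the limit set to 10, the same three guesses reach at most 30 accounts instead of 300, and the 270 refused sign-ups are simply told to pick another password, exactly the trade-off the researchers describe. The `release` method matters in practice: without it, counters only grow and every popular password is eventually locked out for good.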

Don’t look for revised password rules on Windows Live Mail anytime soon, though; Technology Review says Microsoft has "no plans to implement the new scheme in any Microsoft products yet." (The researchers are only looking for feedback at this point.)

I’m not a big fan of overly elaborate password requirements myself, but I’m surprised more folks don’t think of using passphrases. Take a simple sentence: "I don’t like long passwords." It’s 24 characters long, contains upper- and lower-case letters and two non-alphanumeric characters, and isn’t hard to type or remember. Microsoft’s own password checker gives it top marks, too. Surely, encouraging the use of passphrases beats letting folks use "password" and "1234."
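A class-counting checker and a dictionary-aware guesser rate that sentence very differently. The following is an added example, not code from the article or from Microsoft's checker; it assumes a checker that credits every position with the union of the character classes present, and a word model with a constructed vocabulary of 20,000 common words, to show the gap between the two estimates for the article's own sentence.

```python
"""Two strength estimates for the same passphrase: character classes vs. words."""
import math
import re
import string

# Printable ASCII punctuation plus the space character.
SYMBOL_CLASS_SIZE = len(string.punctuation) + 1  # 33

# Words may contain an ASCII or typographic apostrophe ("don't").
WORD = re.compile(r"[A-Za-z'\u2019]+")


def char_class_bits(password: str) -> float:
    """What a class-counting checker credits: each position is assumed to be
    drawn uniformly from the union of the classes that appear anywhere."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += SYMBOL_CLASS_SIZE
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def word_model_bits(passphrase: str, vocabulary: int = 20000) -> float:
    """What a dictionary-aware guesser faces: each word is one pick from a
    vocabulary of `vocabulary` common words (a constructed size). Spaces and
    the final period follow from the structure, so they add no uncertainty."""
    words = WORD.findall(passphrase)
    return len(words) * math.log2(vocabulary)


def passes_class_checker(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Typical policy: minimum length and at least `min_classes` character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= min_len and classes >= min_classes


def compare(passphrase: str, vocabulary: int = 20000) -> dict:
    """Both estimates side by side; the smaller one is the one that counts."""
    return {
        "length": len(passphrase),
        "words": len(WORD.findall(passphrase)),
        "char_class_bits": char_class_bits(passphrase),
        "word_model_bits": word_model_bits(passphrase, vocabulary),
        "passes_class_checker": passes_class_checker(passphrase),
    }


if __name__ == "__main__":
    # Constructed samples: the article's sentence and the password it argues against.
    for sample in ("I don't like long passwords.", "password"):
        print(sample, compare(sample))
```

The sentence passes the class checker easily and is credited with well over 150 bits under the character model, but under the word model it is five picks from a 20,000-word list, roughly 71 bits. That is still far beyond "password" (a single dictionary pick, about 14 bits under the same model), which is the article's point; the word model just explains why a passphrase's real margin comes from its word count rather than from its character count.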

Comments closed
    • HammerSandwich
    • 12 years ago

    It can be worse than that. I’ve found sites that use different routines to validate a new password & a login attempt. Use special chars when creating the PW? No problem. Try to sign on with that new PW? Fail.

    • porov
    • 12 years ago

    BEST PASSWORD IS:

    the domain name:

    For gmail password should be

    gmail.com

    This is ultra strong password.

    However once someone finds this out he will know virtually all of your passwords.

    • TaBoVilla
    • 12 years ago

    I recall early web days when passwords had no requirements whatsoever; you could use the exact same word as the username, or 4 characters. 1234, asdf were my favorites lol

    • TaBoVilla
    • 12 years ago

    hacking your paypal right this instant

    • LoneWolf15
    • 12 years ago

    I always recommend to people that they use a word that reminds them of the account/site they have the account on, but then translate it to l33t-speak.

    Example site: Cars.com
    Example password – g3arshift

    You end up having a word you can remember, with the added security of numbers. For additional security, capitalize a letter.

    Another one that sometimes helps is the passphrase-first-letter option.

    Example phrase – I Have A Fish Named Eric

    Password – ihafne

    • cphite
    • 12 years ago

    So now, instead of just getting the “Sorry, that username is taken…” error, you’ll also get the “Sorry, that password is taken…” error too.

    • ludi
    • 12 years ago

    It appears to be “YTREWQ”. Unfortunately, someone got to your bank account before I did.

    • Dizik
    • 12 years ago

    1234….that’s almost the combination to my luggage!

    =Edit=
    Damn it….already beaten to the punch.

    • l33t-g4m3r
    • 12 years ago

    yup. can’t use dictionary attacks and passwords are easier to remember.

    • Fighterpilot
    • 12 years ago

    ATi’s Cypress GPU far outperforms NVidia’s more expensive, hot, loud Fermi at password cracking. :))

    • flip-mode
    • 12 years ago

    That is one… ultra… boring looking… global software leader headquarters building.

    • BenBasson
    • 12 years ago

    Password policies that lead to a minimum standard of password complexity aren’t really a problem in my experience; frequency of change, or requiring lots of passwords, is far worse.

    The worst policy I’ve ever seen forces users to change their BIOS encryption password every 3 months and doesn’t allow you to set it to a custom word or phrase. It has to be a randomly generated sequence of lower case letters, exactly 9 characters in length – if you get something completely unmemorable, all you can do is hit the button to generate another.

    Once past the BIOS encryption, you have a separate Windows password, which also has to be changed every 3 months and has to be different, as the password policy requires numbers and characters (not an option at BIOS level).

    A tactic I often use for systems where I can enter whatever password I like (within policy) is to mix characters and symbols, then in one or more places, have a number that increments every time you have to set a new password. A crude example: [email protected], [email protected], [email protected] For variation, count down instead of up, double or halve each time, etc. It’s an easy-to-remember rule.

    • paulWTAMU
    • 12 years ago

    Part of the problem is how freaking often I have to change various passwords.
    My voicemail password is changed once a month.
    My remote login, once every 60 days.
    My password to our database is either 60 or 90 (can’t remember).

    • OffBa1ance
    • 12 years ago

    I use passwordmaker, which I assume is a similar program. Generates a unique password for every site based on URL and master password.

    • 5150
    • 12 years ago

    I’d love to use mine on my Dell E6410, but the software to use it is insanely bloated. Windows needs to get this integrated better, or Dell needs to do a better job keeping their software from blowing up my system performance.

    • 5150
    • 12 years ago

    That’s amazing. I’ve got the same combination on my luggage!

    • MixedPower
    • 12 years ago

    That’s the kinda thing an idiot would have on his luggage!

    • GTVic
    • 12 years ago

    Those fingerprint scanners on laptops work fairly well. Why don’t they bring those to the desktop, improve the software, build it into windows, etc…

    • bcronce
    • 12 years ago

    it isn’t about having a phrase be as strong as random chars of the *same* length, but just to have a certain strength.

    Same could be said about public/symmetric key encryption. A 256-bit symmetric key can easily be stronger than a 4096-bit public key, but a public key is more convenient and *strong enough*.

    • miken
    • 12 years ago

    zOMG Cryll why did you publish my ATM PIN on the internets!!!!!

    • kamikaziechameleon
    • 12 years ago

    Back in high school I used QWERTY, but I’ve now come up with an amazing random standby that is quick to type (my requirement for a good password).

    • Shinare
    • 12 years ago

    As dorky as l337-sp34k !z, it sure can make some tough pass phrases. I use them almost exclusively for mine.

    • indeego
    • 12 years ago

    Keepass/password manager. I don’t know 99% of the passwords I use. No password is used the same place twice.

    Just remember one long/complex password to get into keepass, and you’re setg{<.<}g

    • djgandy
    • 12 years ago

    ZQFMGB is easy even if you brute force sweep the a-z, A-Z space.

    Anything less than 8 characters can be cracked in seconds these days.

    I see your point but brute forcing combinations of words still takes forever so long as a user uses 5+ words.

    • crabjokeman
    • 12 years ago

    That’s probably better than using ‘password’

    • ludi
    • 12 years ago

    The problem with a passphrase is that, by its own structure, it is likely to contain real words, which, when known to be such, require less time to roll through than a truly random password of the same length.

    A basic p/w checker will be looking at things like length and proportions of letters to numbers to non-alphanumeric symbols. But a basic p/w cracker will try to operate on known principles of human behavior, and if segments of a password are likely to be known words from a particular language, then for complexity, each /[

    • Spotpuff
    • 12 years ago

    The most difficult thing is not remembering 1 password at a time, but remembering a “strong” password for every site with different password requirements.

    Dell, for example, doesn’t allow special characters in their passwords.

    I have like 5 at work alone.

    • lithven
    • 12 years ago

    The problem with passwords such as “I don’t like long passwords.” is that the first time I would try that I’d get a dialog which says “Your password must be between 8 and 14 characters.” Then I would shorten it to “No like words.” and would be told “The following characters are not permitted <space> . , ? ! % # $ *.”

    • 5150
    • 12 years ago

    I use “12345”.

    • 5150
    • 12 years ago

    Password complexity is probably one of the biggest complaints at my office. I’d tell you how strict it is, but it simply isn’t, but damn people complain! Before I got here they didn’t even have passwords. *facepalm*

    • TheEmrys
    • 12 years ago

    The thought of having a database of the most popular passwords scares the bajeebus out of me. At that point, you could have a top 100 list of passwords and an attack of simply trying all 100 until it finds an account it yields results on would be rather scary.

    • jdaven
    • 12 years ago

    Take a simple sentence: “I don’t like long passwords.”

    Ugh, now I have to go and change all my passwords. Thanks, TR. 🙁
