As Microsoft pats itself on the back for its crackdown on easily cracked passwords, keep this in mind: a quick check shows users still have plenty of leeway to make poor choices. Like “Pa$$w0rd” (excluding the quotation marks).
As a Microsoft program manager announced earlier this week, the Microsoft Account Service used to log in to properties such as Xbox Live, OneDrive, and Azure has been dynamically banning commonly used passwords during the account-creation or password-change processes. Try choosing “12345678,” “password,” or “letmein”—as millions of people regularly do—and you’ll get a prompt telling you to try again. Microsoft is in the process of adding this feature to Azure Active Directory as well, so enterprise customers using that service can easily stop employees from taking security shortcuts.
But a quick check finds it’s not hard to get around the ban. To wit: “Pa$$w0rd1” worked just fine. And in fairness to Microsoft, Google permitted the same hopelessly weak choice.
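A defender-side illustration of the gap described above, written here as an added example and not Microsoft's or Google's actual code, blocklist, or matching algorithm: an exact-match blocklist accepts “Pa$$w0rd1”, while a check that first strips leading and trailing digits and punctuation and then folds common symbol-for-letter substitutions rejects it. The blocklist and the substitution table are constructed for this example; a real service would load a much longer list of commonly used passwords.

```python
import re

# Constructed sample blocklist for the example (not a real service's list).
BANNED_PASSWORDS = {"password", "12345678", "letmein", "qwerty", "iloveyou"}

# Common "leet" substitutions reversed: symbol/digit -> the letter it stands in for.
# This table is an assumption made for the example; "1" is folded to "i" here,
# although "l" is an equally common reading in practice.
LEET_TO_LETTER = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "+": "t",
})


def normalize(password: str) -> str:
    """Fold a candidate password back to the dictionary word it is built from.

    "Pa$$w0rd1" -> "pa$$w0rd1" -> "pa$$w0rd" (trailing digit dropped) -> "password".
    """
    lowered = password.lower()
    # Drop decorations users bolt on at either end ("Password1!", "123password").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(LEET_TO_LETTER)


def literal_check(password: str) -> bool:
    """Exact-match blocklist: the kind of check that 'Pa$$w0rd1' slips past."""
    return password.lower() in BANNED_PASSWORDS


def normalized_check(password: str) -> bool:
    """Blocklist check applied to both the raw value and its normalized form.

    The raw value is kept as a candidate so all-digit entries such as
    "12345678", which normalize to the empty string, are still caught.
    """
    candidates = {password.lower(), normalize(password)}
    return any(candidate in BANNED_PASSWORDS for candidate in candidates)


def compare_checks(passwords):
    """Return {password: (literal_banned, normalized_banned)} for a batch."""
    return {pw: (literal_check(pw), normalized_check(pw)) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample inputs, including the two choices quoted in the article.
    samples = ["password", "Pa$$w0rd", "Pa$$w0rd1", "P@55w0rd!", "12345678",
               "correct horse battery staple"]
    for pw, (literal, normalized) in compare_checks(samples).items():
        print(f"{pw:30s} literal={literal!s:5s} normalized={normalized}")
```

Normalizing before the lookup is what closes the loophole the article exercises; the exact-match check and the normalized check run over the same blocklist, and only the second one rejects the substituted spellings.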
Saving users from themselves

This shouldn’t be taken as a criticism of Microsoft or Google. Blacklisting weak passwords at the platform level is probably one of the most effective measures service providers can take to improve passcode strength. But the measure is…