Microsoft’s

Microsoft recently announced that it would begin banning weak passwords for a variety of its services and also...

introduced a feature called Smart Password Lockout to prevent attackers from guessing passwords. How is Microsoft banning these weak passwords, and how does the Smart Password Lockout work? Will these things benefit enterprises or just complicate matters?

Stealing passwords is big business in the world of cybercrime. One Russian hacker known as the Collector has recently been offering more than 250 million stolen usernames and passwords for Mail.ru, Yahoo Mail, Gmail, Hotmail and other accounts. Another hacker nicknamed Peace is advertising for sale a database of 167 million emails and hashed passwords belonging to LinkedIn users. As many people use the same username and password for multiple sites, their credentials can potentially provide easy access to social media accounts, online banking services and enterprise networks and resources. According to Microsoft's  Security Intelligence Report Volume 20, it detects more than 10 million credential attacks every day across its various identity systems.

When these big password lists come on to the market they are analyzed both by cybercriminals and security teams, such as Microsoft's Azure Active Directory Identity Protection team -- everyone is looking to see which passwords are the most common. Microsoft is using this information to dynamically update its banned list of common and similar weak passwords. Now, before a user's proposed password is accepted for her Microsoft Account or in Azure AD, it's compared against this list to ensure it's not present. If it is on the list, the user is prompted to choose a password that's harder for other people to guess. By preventing users from choosing common and easy to guess weak passwords, it will reduce the chances of their passwords being cracked by a rainbow table or dictionary-based, brute force attack.

On top of this feature, Microsoft is also introducing Smart Password Lockout to reduce the disruption caused by hackers trying to guess an account password online and triggering an account lockdown. When Microsoft's security system detects someone trying to guess a password online, it will only lock out that specific login session. This means when the genuine user tries to log in, the account is not locked, and as long as she enters the correct username and password, she can access her account. This will save huge amounts of time and frustration given the millions of attacks that occur each day. The only time a genuine user will be locked out is if someone is judged to be trying to guess her password while using the user's own machine or network.

Although many policies and online services try to enforce strong passwords by requiring users to choose a password with a minimum length and complexity, Microsoft has found that this forces people to standardize their passwords in order to remember them, making it easier for hackers to crack them. Preventing users from choosing common weak passwords will certainly improve the effectiveness of many password policies by ensuring passwords are more unique, and therefore harder to guess. Although these security features will certainly help improve password security, some users may struggle to remember harder passwords.

As bad passwords are a major weakness in endpoint security, enterprises should be moving to multifactor authentication (MFA), particularly when users need to access sensitive resources or information. MFA makes it a lot harder for a hacker to use stolen credentials to gain access to endpoint devices and the rest of the network. The presence of high quality cameras, microphones and fingerprint readers in many of today's devices means it's never been easier to implement. The FIDO specification supports a wide range of authentication technologies, including biometrics, USB security tokens and smart cards that can be deployed without extensive programming. Hopefully these technologies will help end the role of the password as the primary authentication factor.

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Pick from the top multifactor authentication products

Find out how to protect your organization from bad passwords

Learn how to avoid data breaches with better passwords

This was first published in September 2016


SearchSecurity: Security Wire Daily News

Fuzzing as a service, from Microsoft

Ignite Microsoft's conviction that "fuzzing in the cloud will revolutionize security testing," voiced in a research paper six years ago, has taken form with the debut of Project Springfield: an Azure-based service for identifying software flaws by automatically subjecting the code to bad input.

Introduced at the Ignite conference in Atlanta, Georgia, on Monday, Project Springfield offers developers the ability to conduct continuous testing of binary files on virtual machines running atop Microsoft Azure, in order to identify and eliminate bugs.

Allison Linn, self-described writer and storyteller for Microsoft, says that Microsoft's research team thinks about Project Springfield as a "million-dollar bug detector" (not to be confused with the Million Dollar Homepage) because some software bugs cost that much to fix if left too long. Your costs may vary.

A 2002 study released by the US National Institute of Standards and Technology estimated that software bugs cost the US economy between $ 22.2 and $ 59.5 billion annually (more like $ 79 billion today). Catching bugs before software gets released presumably can bring repair costs down, if that's your goal.

Microsoft insists a third of the "million dollar" security bugs in Windows 7 were found using its "whitebox fuzzing" technology, referred to internally as SAGE (scalable, automated, guided execution). SAGE is one of the components of Project Springfield.

Like other announcements echoing around Silicon Valley these days, artificial intelligence comes into play. Microsoft says its system employs AI to ask questions and make better decisions about conditions that might cause code to crash.

Microsoft's whitebox fuzzing algorithm symbolically executes code from a starting input and develops subsequent input data based on constraints from the conditional statements it encounters along the way. The technology is distinct from blackbox fuzzing, which involves the sending of malformed input data without ensuring all the target paths have been explored. Blackbox fuzzing thus has the potential to miss a critical test condition by chance.

Fuzzing lends itself to cloud computing because fuzzing software can run different tests in parallel using large amounts of available infrastructure. But Microsoft researchers Patrice Godefroid and David Molnar, in their 2010 research paper, argue that such computational elasticity matters less than the benefits of shared cloud infrastructure.

"Hosting security testing in the cloud simplifies the process of gathering information from each enrolled application, rolling out updates, and driving improvements in future development," they wrote.

It also, it is claimed, simplifies billing. ®

Sponsored: IBM FlashSystem V9000 product guide


The Register - Security