Microsoft wants to end bad passwords on Xbox Live, Skype and its other services

Microsoft has announced some proactive measures to help users of Xbox Live, Skype and its other online services stop using bad passwords.

The Microsoft Account system is the way people sign up to access Xbox Live, Skype, Office 365, OneDrive and other services run by the company. In a blog post, Microsoft stated that the recent leak of over 100 million LinkedIn account details showed that many of that site's users had bad passwords, such as "password", "12345" and others:

When it comes to big breach lists, cybercriminals and the Azure AD Identity Protection team have something in common – we both analyze the passwords that are being used most commonly. Bad guys use this data to inform their attacks – whether building a rainbow table or trying to brute force accounts by trying popular passwords against them. What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won't work.


This new check is now live for all Microsoft Account users. The company says it will stop people from picking a commonly used password, or one that is very similar to a commonly used one.
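What "commonly used or very similar" can mean in practice is shown by the following added example, which is not Microsoft's code and does not use its list or rules (neither is public). It checks a candidate password against a small constructed banned list: it lower-cases the input, strips the trailing digits and punctuation people bolt on ("Password2016!"), decodes the usual leetspeak substitutions ("P@ssw0rd"), and then rejects exact matches, passwords that contain a banned entry, and near matches by a difflib similarity ratio. The banned entries, the substitution table and the 0.8 threshold are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from difflib import SequenceMatcher

# Constructed sample of a banned-password list (assumption: the real list is
# far larger). These are the breach-list favourites the article refers to.
BANNED = {"password", "123456", "12345", "qwerty", "letmein", "iloveyou", "abc123"}

# Substitutions every cracking wordlist already expands, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# difflib ratio (2 * matched chars / total length, in 0..1) above which a
# password counts as "very similar" to a banned entry. 0.8 is an assumption.
SIMILARITY_THRESHOLD = 0.8


def candidate_forms(password: str) -> set[str]:
    """Reduce a password to the shapes an attacker's wordlist would hit.

    Yields the lower-cased input, the input with trailing digits and
    punctuation removed ("password2016!" -> "password"), and leetspeak-decoded
    versions of both ("p@ssw0rd" -> "password").
    """
    base = password.strip().lower()
    forms = {base}
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if stripped:  # an all-digit password strips to "", keep only the base
        forms.add(stripped)
    forms |= {form.translate(LEET) for form in list(forms)}
    return forms


def similarity(a: str, b: str) -> float:
    """Similarity ratio between two strings, 1.0 meaning identical."""
    return SequenceMatcher(None, a, b).ratio()


def check_password(password: str, banned: set[str] = BANNED) -> tuple[bool, str]:
    """Return (allowed, reason). Rejects exact, contained and near matches."""
    for form in candidate_forms(password):
        if form in banned:
            return False, f"matches banned password {form!r}"
        for entry in banned:
            # Containment is only checked for entries of 5+ characters so that
            # short fragments do not reject everything.
            if len(entry) >= 5 and entry in form:
                return False, f"contains banned password {entry!r}"
            if similarity(form, entry) >= SIMILARITY_THRESHOLD:
                return False, f"too similar to banned password {entry!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs for the demo run.
    for pw in ["P@ssw0rd2016!", "12345679", "Letmein99", "Tr0ub4dor&3",
               "correct horse battery staple"]:
        allowed, why = check_password(pw)
        print(f"{pw!r:32} -> {'allowed' if allowed else 'rejected'}: {why}")
```

The normalisation step is the part that matters: checking the raw string against a list only catches people who type "password" verbatim, while attackers' wordlists already include the capitalised, suffixed and leet-substituted variants, so a check that does not fold those variants rejects far less than it appears to.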

John Callaham
  • Interesting. I wonder how well this would work out. I think the idea is great though.
  • That's a really good thing. Hopefully it's somehow hashed and salted before it's sent to Microsoft for analysis; even though it's being sent over HTTPS, there's still a chance of password leakage. I'm sure they figured something out.
    Edit: Darn spammers! At least a human was the first comment.
  • I can guarantee you at least 99.99% of websites don't hash passwords client-side.
  • It's not possible (or rather pointless) to hash passwords client-side, because any strategy you use can be monkeyed with in the client browser, thus making the whole process untrustworthy.
  • Ha ha. Some serious stuff to give lethargic ones a tap on the back of their heads before they're out of the Secured League of Microsoft.
  • Well, 123456789 is bad but 12345679 is clever :P Or why have your main password named "password"? O.o
  • Hi Panos , give us the Surface phone!
  • Hahahaha
  • they could start supporting 2FA for Skype. Outlook accounts have it, not regular Skype accounts, even if accounts are linked. And no way to delete a former Skype account after having "exported" contacts to the account. Skype accounts are a lot easier to hack than MS accounts, so if they're serious about security, they should add 2FA to Skype accounts.
  • 2FA = Two factor authorization.
  • Technically "authentication", but yeah.
  • Did they remove that retarded 16-character limit? Whoever thought that was a smart idea should be fired asap.
  • I've had a password longer than that for about six months now, so they must have removed it. I completely forgot that used to be a limitation.
  • Well, XP was a limitation.
  • Microsoft accounts were never used in XP, so I don't think it would have been the limitation.
  • The reason for it is SHA (Secure Hash Algorithm); it basically hashes your password to a 1024-bit size (32 bytes). If your password is longer than a specific amount it might have a chance to collide (meaning that password A's SHA-ed result will equal password B's SHA-ed result); the max input size is (2^64) - 1 bits. I think that Microsoft is afraid there is a chance it will collide, so they limit the password length. Secondly, some users might put in a password too long to remember, so Microsoft is trying to prevent this from happening.
  • Ugh. If I want to leave my account open to be hacked then I should be able to. I hate these annoying requirements. Besides, two-step verification adds a significant stepping stone for hackers to get around.
  • They can try to end it all they want, but the more complexity they require, the more people will start reusing passwords. Sure, there are password managers out there, but helping people learn about two-factor authentication is a much longer-term solution. I wish the Windows Phone app synced to the cloud. It would also be nice if they enabled two-factor support on the Xbox 360 so I don't have to generate an app password through the site.
  • I assume you mean syncing across devices? That's kind of against the point of two-factor authentication.
  • Depends on what they use for two-factor. A lot of accounts verify by phone number, an encryption key, or other things that aren't bound to a device. Personally, I like the phone number, because you aren't likely to change it very often.
  • Except then you have a chance of it being spammed
  • What do you mean?
  • Avoiding bad passwords is good for all. They can also prevent reusing the passwords on their sites. A password manager like LastPass is vital in today's world.