Your Pa$$word doesn't matter - Microsoft Tech Community


20 bookmarks. First posted by mcguinness 7 days ago.


Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never
2 days ago by rdump

Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our research and with the reality our team sees as we defend against 100s of millions of password-based attacks every day. Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.

On brute forcing passwords by trying to use stolen passwords on many user accounts.

The thing about password spray is that it is detectable, and once detected the login server can shut it down. The faster the criminals go, the faster they are detected, so low and slow is the order of the day. That means each guess is somewhat “precious” - attackers know they need to maximize their impact before they are detected, so they use histograms from existing leaks and use them to generate their attacks.

On cracking passwords from an exfiltrated user database. Has a good explanation of salt.

Ok, that leaves the last case, the one that gets people into creating really wacky password rules. That is the “what if the database is extracted?” case. This is a popular, scary attack to talk about.

In summary.

Your password doesn’t matter except for password spray (avoid the top guessed passwords with a dictionary checker of some kind) or brute force (use more than 8 characters, or use a password manager if you are *really* nervous). That’s not to say your password isn’t terrible. It’s *definitely* terrible, given the likelihood that it gets guessed, intercepted, phished, or re-used.
Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.
security  microsoft  research  password  authentication  2fa 
5 days ago by jefframnani
Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never
5 days ago by jackpinboard
Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never
security  passwords 
6 days ago by geetarista
A list of the top threats to account security and an explanation of why your password is not pertinent to any of those. Explains the importance of MFA.
security  crypto  microsoft 
6 days ago by jittery
Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords – “never use a password that has ever been seen in a breach,” “use really long passwords”, “passphrases-will-save-us”, and so on – is inconsistent with our via Pocket
IFTTT  Pocket 
7 days ago by egwillim