
Microsoft Password Guidance

Microsoft has published recommendations for password management based on current research and on lessons from its own experience as one of the largest Identity Providers (IdPs) in the world. The guidance covers recommendations for both end users and identity administrators.

Microsoft sees over 10 million username/password pair attacks every day. This gives Microsoft a unique vantage point to understand the role of passwords in account takeover. The guidance provided here is scoped to users of Microsoft’s identity platforms (Azure Active Directory, Active Directory, and Microsoft account) though it generalizes to other platforms.


Summary of Recommendations

Advice to IT Administrators

Azure Active Directory and Active Directory let enterprises implement the following recommendations:

1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).

2. Eliminate character-composition requirements.

3. Eliminate mandatory periodic password resets for user accounts.

4. Ban common passwords, to keep the most vulnerable passwords out of your system.

5. Educate your users not to re-use their password for non-work-related purposes.

6. Enforce registration for multi-factor authentication.

7. Enable risk-based multi-factor authentication challenges.
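Recommendations 1, 2 and 4 can be expressed as a single acceptance check. The following is an added example written for this summary; it is not Microsoft's code and does not reproduce the algorithm of any Microsoft product. The banned list is a constructed sample, and the normalization (case folding plus undoing common leet substitutions) and the residual-length rule are assumptions about how a banned-password filter can be built so that a long passphrase containing one common word still passes while a dressed-up common word does not.

```python
"""Password-acceptance check that follows admin recommendations 1, 2 and 4.

Added example; not Microsoft's code. BANNED_WORDS is a constructed sample,
and the normalization and residual-length rules are assumptions of this
example, not a description of Azure AD Password Protection.
"""
import unicodedata
from typing import Iterable, List, Tuple

MIN_LENGTH = 8  # recommendation 1: 8-character minimum; no composition rules (rec. 2)

# Recommendation 4: constructed sample of commonly attacked base words.
BANNED_WORDS = [
    "password", "princess", "iloveyou", "qwerty", "letmein",
    "welcome", "123456", "abc123", "football", "monkey",
]

# Character swaps attackers already try, so they add no real strength.
_SWAPS = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "l",
    "!": "i", "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(text: str) -> str:
    """Fold case and undo common leet substitutions before comparing."""
    return unicodedata.normalize("NFKC", text).lower().translate(_SWAPS)


# Normalize the list too, so "123456" is compared on the same footing as input.
_BANNED_NORMALIZED: List[str] = sorted({normalize(w) for w in BANNED_WORDS},
                                       key=len, reverse=True)


def check_password(password: str, user_tokens: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Rejects a password that is too short, or that is built around banned
    words or user-specific tokens (username, company name): every such
    match is stripped from the normalized password, and if fewer than
    MIN_LENGTH characters remain, the password is refused.
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"

    residual = normalize(password)
    words = _BANNED_NORMALIZED + [normalize(t) for t in user_tokens if len(t) >= 4]
    hits = []
    for word in sorted(words, key=len, reverse=True):  # longest match first
        if word and word in residual:
            hits.append(word)
            residual = residual.replace(word, "")

    if hits and len(residual) < MIN_LENGTH:
        return False, "built around banned or user-specific words: " + ", ".join(hits)
    return True, "ok"
```

With this rule `P@ssw0rd1!` is refused (it normalizes to `passwordli`, leaving two characters once `password` is removed), while `monkeybusiness99` and a four-word passphrase that happens to contain `princess` are accepted. In production the banned list would be the organization's own list plus a large leaked-password corpus, and the check belongs at password-set time, not at sign-in.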


Advice to Users

Create a unique password for your Microsoft account

The security of a Microsoft account matters for several reasons. Personal, sensitive information such as email, contacts, and photos may be tied to the account. Other services also rely on the account's email address to verify identity, so someone who gains access to the mailbox can take over the user's other accounts (such as banking and online shopping) by resetting their passwords through email.


Tips for creating a strong and unique password:

  • Don’t use a password that is the same as, or similar to, one you use on any other website. A cybercriminal who breaks into that website can steal your password from it and use it to take over your Microsoft account.
  • Don’t use a single word (e.g. “princess”) or a commonly used phrase (e.g. “Iloveyou”).
  • Do make your password hard to guess even for people who know a lot about you (the names and birthdays of your friends and family, your favorite bands, and phrases you like to use).

Keep the security info up to date

Current security info (such as an alternate email address or phone number) helps Microsoft verify the user's identity if they forget their password or if someone else tries to take over their account. Microsoft never uses this info to spam the user or to try to sell them something.

Watch for suspicious activity

The Recent activity page lets the user track unusual or suspicious activity: it shows their latest sign-ins and changes to their account. If they see something wrong or unfamiliar, they can click "This wasn’t me" and Microsoft will take them through a few steps to change their password and review the security info on their account.

Turn on two-step verification

Two-step verification boosts account security by making it more difficult for hackers to sign in—even if they know or guess the user's password.

If the user turns on two-step verification and then tries to sign in on a device Microsoft doesn’t recognize, Microsoft will ask the user for two things:

  1. The user's password.
  2. An extra security code.

Microsoft can send a new security code to the user's phone or their alternate email address, or they can get one through an authenticator app on their smartphone.

Keep the operating system, browser, and other software up to date

Most service and app providers release security updates that can help protect users' devices. These updates help prevent viruses and other malware attacks by closing possible security holes.

If the user is running Windows, they must turn on Windows Update to receive these updates automatically.

Be careful of suspicious emails and websites

Users should not open email messages from unfamiliar senders or attachments they don't recognize. Malware can be attached to email messages and may run as soon as the attachment is opened, so it is best not to open an attachment unless it was expected. Users should also be careful when downloading apps or other files from the Internet, and make sure they recognize the source.

Install an antivirus program on your computer

Hackers can steal passwords through malware (malicious software) installed on a user's computer without their knowledge; for example, malware is sometimes bundled with something the user does want, like a new screen saver. The user should take the time to check and clear their computer of viruses or malware before changing their password, since a password typed on an infected machine is captured just like the old one.

Is your computer running Windows?

Great! Windows Defender is free anti-malware software built into Windows 8 and Windows 10, and it updates automatically through Windows Update. Users running an earlier version of Windows can download and install Microsoft Security Essentials for free.

After the user installs an antivirus program, they should set it to regularly get updates and scan their computer.

Gleaned from a paper by the Microsoft Identity Protection Team.