Microsoft Password Guidance


Robyn Hicock, rhicock@microsoft.com

Microsoft Identity Protection Team

Purpose

This paper provides Microsoft’s recommendations for password management based on current research
and lessons from our own experience as one of the largest Identity Providers (IdPs) in the world. It
covers recommendations for end users and identity administrators.

Microsoft sees over 10 million username/password pair attacks every day. This gives us a unique
vantage point to understand the role of passwords in account takeover. The guidance in this paper is
scoped to users of Microsoft’s identity platforms (Azure Active Directory, Active Directory, and Microsoft
account) though it generalizes to other platforms.

Summary of Recommendations

Advice to IT Administrators

Azure Active Directory and Active Directory allow you to support the recommendations in this paper:

1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
2. Eliminate character-composition requirements.
3. Eliminate mandatory periodic password resets for user accounts.
4. Ban common passwords, to keep the most vulnerable passwords out of your system.
5. Educate your users not to re-use their password for non-work-related purposes.
6. Enforce registration for multi-factor authentication.
7. Enable risk based multi-factor authentication challenges.
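
Recommendations 1, 2 and 4 above, sketched as a password-acceptance check. This is an added example, not code from the Microsoft paper; the ban list is a small constructed sample, and the normalisation step (case folding, undoing common character substitutions, trimming trailing digits and punctuation) is an assumption about how a ban list might be matched.

```python
import unicodedata

MIN_LENGTH = 8  # recommendation 1: 8-character minimum, no longer requirement

# Constructed sample ban list (recommendation 4); a deployment would load a
# far larger list of commonly used passwords.
BANNED = {"password", "princess", "iloveyou", "qwerty", "letmein", "12345678"}

# Assumed substitution map: character swaps users make to satisfy
# composition rules without changing the underlying word.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
TRAILING = "0123456789!?.#*-_"


def candidate_forms(password):
    """Return the normalised forms that are looked up in the ban list."""
    folded = unicodedata.normalize("NFKC", password).casefold()
    core = folded.rstrip(TRAILING)  # "iloveyou2024" -> "iloveyou"
    return {folded, folded.translate(LEET), core.translate(LEET)}


def check_password(password):
    """Return a list of reasons for rejection; an empty list means accepted.

    Deliberately absent (recommendation 2): any requirement for upper case,
    digits or symbols. A long all-lowercase passphrase is accepted.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if candidate_forms(password) & BANNED:
        problems.append("matches a banned common password")
    return problems


if __name__ == "__main__":
    for sample in ["P@ssw0rd1", "Pr1ncess!", "correct horse battery", "qwerty"]:
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```

`P@ssw0rd1` would pass a typical four-character-set composition rule, yet the ban-list lookup rejects it because it normalises to `password`.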

Advice to Users

Create a unique password for your Microsoft account

The security of your Microsoft account is important for several reasons.
Personal, sensitive information may be associated with your account, such as
your emails, contacts, and photos. In addition, other services may rely on your
email address to verify your identity. If someone gains access to your email,
they may be able to take over your other accounts too (like banking and online
shopping) by resetting your passwords by email.

Tips for creating a strong and unique password:

• Don’t use a password that is the same or similar to one you use on any other
website. A cybercriminal who can break into that website can steal your
password from it and use it to steal your Microsoft account.
• Don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g.
“Iloveyou”).
• Do make your password hard to guess even by those who know a lot about
you (such as the names and birthdays of your friends and family, your favorite
bands, and phrases you like to use).

Keep your security info up to date

Current security info (like an alternate email address or phone number) helps
us to verify your identity if you forget your password or if someone else tries
to take over your account. We never use this info to spam you or to try to sell
you something—promise!

Watch for suspicious activity

The Recent activity page helps you track unusual or suspicious activity. You can
see your latest sign-ins and changes to your account. If you see something
wrong or unfamiliar, click “This wasn’t me” and we’ll take you through a few
steps to change your password and review the security info on your account.

Turn on two-step verification

Two-step verification boosts account security by making it more difficult for
hackers to sign in—even if they know or guess your password.

If you turn on two-step verification and then try to sign in on a device we don’t
recognize, we’ll ask you for two things:
• Your password.
• An extra security code.

We can send a new security code to your phone or your alternate email
address, or you can get one through an authenticator app on your
smartphone.

Keep your operating system, browser, and other software up to date

Most service and app providers release security updates that can help protect
your devices. These updates help prevent viruses and other malware attacks
by closing possible security holes.

If you’re using Windows, in order to receive these updates automatically, turn
on Windows Update.

Be careful of suspicious emails and websites

Don’t open email messages from unfamiliar senders or email attachments that
you don’t recognize. Viruses can be attached to email messages and might
spread as soon as you open the attachment. It’s best not to open an
attachment unless you expected to receive it. You should also be careful when
downloading apps or other files from the Internet, and make sure you
recognize the source.

Install an antivirus program on your computer

Hackers can steal passwords through malware (malicious software) that’s been
installed on your computer without your knowledge. For example, sometimes
malware is maliciously downloaded with something you do want, like a new
screen saver. Take the time to check and clear your computer of viruses or
malware before you change your password.

Is your computer running Windows?
Great! Windows Defender is free anti-malware software built into Windows 8
and Windows 10. It updates automatically through Windows Update. If you’re
running an earlier version of Windows, you can download and install Microsoft
Security Essentials for free.

After you install an antivirus program, you should set it to regularly get
updates and scan your computer.

The public help article with tips on how to make your Microsoft account more secure is here.

Acknowledgements

Special thanks to all of the people below for their input and help on this paper.

• Alex Weinert, Group Program Manager, Identity Protection
• Alex Simons, Partner Director Program Management, Identity
• David Treadwell, Corporate Vice President, Identity
• Stuart Schechter, Researcher, Microsoft Research
• Cormac Herley, Researcher, Microsoft Research
• Brian Puhl, Program Manager, Identity and Security Operations
• Sparky Toews, Program Manager, Identity Services
• Daniel Kondratyuk, Program Manager, Identity Protection
• Michael McLaughlin, Program Manager, Identity Protection
• Daniel Edwards, Security Software Engineer, C+E Security Engineering

Contents

Purpose
Summary of Recommendations
    Advice to IT Administrators
    Advice to Users
Acknowledgements
Understanding the Recommendations
Guidelines for Administrators
    Anti-Patterns: Some common approaches and their negative impacts
        1. Anti-Pattern #1: Requiring long passwords
        2. Anti-Pattern #2: Requiring the use of multiple character sets
        3. Anti-Pattern #3: Password expiry for users
    Successful Patterns
        1. Banning common passwords
        2. Educating users not to reuse organization credentials anywhere else
        3. Enforcing Multi-Factor Authentication registration
        4. Enabling risk based multi-factor authentication
Guidance for Users
    1. Never use your Microsoft account password on other sites
    2. Always maintain up-to-date security info
    3. Install the Microsoft account application
    4. Consider turning on two-step verification everywhere you can
    5. Don’t use personal info or common words or phrases
    6. Keep your operating system, browser, and other software up-to-date
    7. Be aware and careful of suspicious emails and websites
    8. Install an antivirus program on your computer
    9. Use Microsoft Passport and Windows Hello
    10. Use high quality, trusted identity providers
Types of Password Acquisition Attacks
    Data Breaches
    Phishing
        Spear Phishing
