Microsoft offers an alternative to complex passwords

Microsoft Research has proposed a way to let users pick passwords that are easy to remember without making the system that adopts it more vulnerable to attackers.
Instead of the complex-password rules that most organizations enforce, the new scheme checks that no more than a few users of the system share the same password at any one time. This removes the need for complexity rules without weakening the overall security of the system.

Stricter complexity requirements (for example, a password must be at least 14 characters long and contain at least two uppercase letters, two lowercase letters and three digits) are meant to stop attackers from using dictionary attacks, in which every password from a pre-compiled list of typical combinations is tried in turn.

Without such rules, people tend to choose passwords that are easy to remember and easy to type, and therefore easy to guess. Last year several social networks reportedly had their password databases leaked, and those who analyzed the lists found that most of the passwords were trivial: sequences of digits, dictionary words, well-known names and the like.

Requiring digits, symbols and mixed-case letters greatly enlarges the space an attacker has to search, and under those conditions a dictionary attack is often no longer practical. On the other hand, such passwords are hard to remember, so the problem comes full circle.

One way system designers try to defeat dictionary attacks is to lock an account temporarily after several incorrect password attempts. This is called account lockout, and, unsurprisingly, attackers have found an easy way around it. Instead of trying thousands or millions of passwords against a single account, the attacker tries a handful of the most common passwords against thousands or even millions of user accounts, staying below the lockout limit on each one.

The scheme proposed by Microsoft drops the complexity requirements while still protecting accounts from guessing attacks. The system simply counts how many users hold each password; once a password is in use by more than a small number of people it is blocked, and nobody else in that system may choose it. The scheme is intended for systems with a very large number of users, such as webmail services.
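The following Python is an added example, not code from the article or from Microsoft Research. It models the two mechanisms described above: the lockout-evading attack that sprays a few popular passwords across many accounts, and a popularity limit that blocks a password once a threshold of users hold it. The count-min sketch, the keyed hashing, the threshold of 3, the lockout limit of 10, the candidate password list and the Zipf-like user population are all assumptions chosen for this demo; the article states none of these specifics.

```python
import hashlib
import hmac
import random

# All parameters below are assumptions for this demo; the article gives no numbers.
THRESHOLD = 3          # users allowed to share one password before it is blocked
LOCKOUT_GUESSES = 10   # wrong attempts an attacker can spend per account before lockout
SKETCH_WIDTH = 1 << 16
SKETCH_DEPTH = 4

# Constructed candidate list: a few well-known weak passwords, then filler. Users
# in the simulation prefer entries near the front (Zipf-like), as leaked lists show.
CANDIDATES = ["123456", "password", "qwerty", "abc123", "letmein"] + [
    "pw%04d" % i for i in range(2000)
]


class PopularityOracle:
    """Tracks how many users hold each password without storing the passwords.

    Assumed implementation: a count-min sketch over keyed hashes. Every password
    increments one counter per row; the minimum over its rows is an estimate that
    can overcount (hash collisions) but never undercounts, so refusing a password
    once the estimate reaches the threshold guarantees that no password is ever
    held by more than THRESHOLD users. The sketch holds only counters, never the
    passwords themselves.
    """

    def __init__(self, key, width=SKETCH_WIDTH, depth=SKETCH_DEPTH, threshold=THRESHOLD):
        self.key = key
        self.width = width
        self.depth = depth
        self.threshold = threshold
        self.tables = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One keyed hash per row; the secret key stops someone who copies the
        # sketch from checking candidate passwords against it offline.
        for row in range(self.depth):
            mac = hmac.new(self.key, b"%d:" % row + password.encode(), hashlib.sha256).digest()
            yield row, int.from_bytes(mac[:8], "big") % self.width

    def count(self, password):
        return min(self.tables[r][c] for r, c in self._cells(password))

    def is_allowed(self, password):
        return self.count(password) < self.threshold

    def register(self, password):
        """Record a new user's password; returns False if it has become too popular."""
        if not self.is_allowed(password):
            return False
        for r, c in self._cells(password):
            self.tables[r][c] += 1
        return True


def build_population(n_users, candidates=CANDIDATES, oracle=None, seed=1):
    """Constructed user base: each user draws from `candidates` with weight 1/rank.
    With an oracle, a user whose choice is rejected keeps drawing until one is
    accepted, which is what a real signup form would make them do."""
    rng = random.Random(seed)
    weights = [1.0 / (rank + 1) for rank in range(len(candidates))]
    chosen = []
    for _ in range(n_users):
        while True:
            pw = rng.choices(candidates, weights)[0]
            if oracle is None or oracle.register(pw):
                chosen.append(pw)
                break
    return chosen


def spray_attack(population, guesses):
    """The lockout-evading attack from the article: try each of a few popular
    passwords once against every account, never exceeding the lockout limit on
    any single account. Returns the number of accounts broken into."""
    assert len(guesses) <= LOCKOUT_GUESSES
    return sum(1 for pw in population if pw in guesses)


def compare(n_users=500):
    """Accounts broken by the same attack with and without the popularity limit."""
    guesses = set(CANDIDATES[:LOCKOUT_GUESSES])
    without = spray_attack(build_population(n_users), guesses)
    limited = build_population(n_users, oracle=PopularityOracle(b"demo-key"))
    return without, spray_attack(limited, guesses)


if __name__ == "__main__":
    without, with_limit = compare()
    print("accounts broken without the policy:", without)
    print("accounts broken with the popularity limit:", with_limit,
          "(bound: %d guesses x %d users = %d)"
          % (LOCKOUT_GUESSES, THRESHOLD, LOCKOUT_GUESSES * THRESHOLD))
```

The bound printed at the end is the whole point of the scheme: with at most `LOCKOUT_GUESSES` attempts per account and at most `THRESHOLD` users per password, no choice of guesses can break into more than their product, however the attacker orders the list. Without the limit the same ten guesses capture a large share of the population because real users cluster on a few favourites.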

The approach is described in a paper by Microsoft researchers Stuart Schechter and Cormac Herley, which will be published in the proceedings of, and presented at, a security conference in Washington in August.

Because no password is allowed to become widespread, an attacker can no longer use a short list of popular passwords to break into a significant fraction of user accounts.

Microsoft has not yet announced plans to deploy the scheme in any of its products; the paper is being published to gather feedback from security experts around the world.

In recent years researchers have also found weaknesses in existing security practices. For example, an account is commonly locked after a person mistypes their password a few times, typically three. Studies have shown that raising this limit to ten sharply reduces the number of legitimate users locked out, with little loss of security for the system as a whole.

In pursuit of convenience and ease of use, many organizations, including banks, apply fairly weak password requirements. The new scheme could reconcile the security experts who insist on complex passwords with those who care about users' convenience at login.

According to: Technology Review, Microsoft Research