
Microsoft's research team has come up with a way to let users pick passwords that are easy to remember without making the system that adopts it any easier to attack.
Instead of the truly complex passwords that most organisations' systems demand, the new scheme checks that no password is shared by more than a few users of the system at the same time. The need for complex passwords disappears without weakening the overall security of the system.
Password complexity rules, for example that a password must be at least 14 characters long and contain at least two uppercase letters, two lowercase letters and three non-alphabetic characters, are meant to defeat dictionary attacks, in which the attacker tries every entry in a prepared list of typical passwords.
Without such rules, people tend to choose passwords that are easy to remember, easy to type and, naturally, easy to guess. Last year there were repeated reports of password databases leaking from social networks. Those who analysed the lists report that most of the passwords were trivial: sequences of digits, dictionary words, well-known names and the like.
Requiring digits, symbols and mixed-case letters greatly enlarges the space an attacker has to search, and under such conditions recovering a password from a dictionary is usually infeasible. On the other hand, such complex passwords are hard to remember. It is a vicious circle.
One way system designers counter dictionary attacks is to lock an account temporarily after several wrong passwords in a row. This is called account lockout, and unsurprisingly attackers have found an easy way around it: instead of running thousands or millions of guesses against a single account, the attacker tries a handful of the most common passwords against thousands or even millions of accounts, staying below the lockout limit on each one.
The scheme Microsoft proposes drops the password complexity requirements while still protecting accounts from guessing attacks. The system simply counts how many users have chosen each password; once several accounts share the same one, that password is blocked and nobody else can set it on that system. The scheme is intended for systems with very many users, such as web mail services.
The approach is described in a paper by Microsoft researchers Stuart Schechter and Cormac Herley, to be published in a collection of articles and presented at a security conference in Washington in August.
Because no password is allowed to become common, the attacker loses the ability to use a few popular passwords to take over a significant share of the user accounts.
No plans to introduce the scheme in any Microsoft product have been announced. It has been published in order to get feedback from security experts around the world.
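The following is an added example, written for this page and not taken from the paper or from any Microsoft code, of how such a popularity counter can be built and what it does to a password-spraying attacker. The page says only that the system "counts" password use; the count-min sketch below, keyed with a server-side secret so that the counts never reveal the passwords themselves, is this example's choice of structure. The threshold of 10, the table dimensions, the user population and the attacker's guess list are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple


class PasswordPopularityFilter:
    """Tracks how many accounts share each password without storing the passwords.

    A count-min sketch holds the counts: each password is hashed into one cell
    per row with a keyed hash, and its popularity is the minimum over the rows.
    Collisions can only inflate an estimate, so a password that really is shared
    by `threshold` accounts is never let through; the price is a tiny chance of
    rejecting a rare password that collides with popular ones in every row.
    """

    def __init__(self, threshold: int, width: int = 1 << 16, depth: int = 4,
                 key: Optional[bytes] = None) -> None:
        self.threshold = threshold
        self.width = width
        self.depth = depth
        # Server-side secret: whoever steals the sketch cannot hash candidate
        # passwords against it to learn which ones are popular.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.table: List[List[int]] = [[0] * width for _ in range(depth)]

    def _cells(self, password: str) -> List[Tuple[int, int]]:
        data = password.encode("utf-8")
        cells = []
        for row in range(self.depth):
            digest = hmac.new(self.key, bytes([row]) + data, hashlib.sha256).digest()
            cells.append((row, int.from_bytes(digest[:8], "big") % self.width))
        return cells

    def popularity(self, password: str) -> int:
        """Upper bound on the number of accounts currently using `password`."""
        return min(self.table[r][c] for r, c in self._cells(password))

    def register(self, password: str) -> bool:
        """Record a new account choosing `password`.

        Returns False, and records nothing, if the password already has
        `threshold` users: the caller must ask the user for a different one.
        """
        if self.popularity(password) >= self.threshold:
            return False
        for r, c in self._cells(password):
            self.table[r][c] += 1
        return True

    def unregister(self, password: str) -> None:
        """Release a slot when an account changes or deletes its password."""
        for r, c in self._cells(password):
            if self.table[r][c] > 0:
                self.table[r][c] -= 1


def simulate_spray(threshold: int, choices: Iterable[Tuple[str, str]],
                   guesses: List[str], key: bytes = b"demo-key") -> Dict[str, int]:
    """Users set passwords through the filter, then an attacker tries each guess
    once against every account. With len(guesses) below the usual lockout limit
    of three wrong attempts, per-account lockout never fires; the popularity
    filter instead caps the damage at threshold accounts per guess.
    """
    f = PasswordPopularityFilter(threshold, key=key)
    accounts: Dict[str, str] = {}
    redirected = 0
    for user, wanted in choices:
        if not f.register(wanted):
            # Constructed stand-in for "the user is told to pick something
            # else": a per-user string that no guess list will contain.
            redirected += 1
            wanted = f"unique-{user}-{secrets.token_hex(4)}"
            f.register(wanted)
        accounts[user] = wanted
    compromised = sum(1 for pw in accounts.values() if pw in guesses)
    return {"redirected": redirected, "compromised": compromised,
            "attempts_per_account": len(guesses)}


if __name__ == "__main__":
    # Constructed population: 600 of 1,000 users want "123456", the others
    # each want a password of their own. Without the filter a two-guess spray
    # takes 600 accounts; with threshold 10 it takes at most 10 per guess.
    choices = [(f"user{i}", "123456" if i < 600 else f"own-{i}") for i in range(1000)]
    print(simulate_spray(10, choices, ["123456", "password"]))
```

The bound the simulation shows is the whole point of the scheme: an attacker who sprays k popular passwords can compromise at most k times the threshold accounts, however large the user base grows, and the threshold can be kept to a handful. Note that the sketch must be decremented on password changes (the `unregister` call) or slots are never freed, and that its key must be protected like any other credential-derivation secret.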
In recent years researchers have found flaws in other parts of existing password policy as well. For example, an account is usually locked after a person mistypes their password a few times, typically three. Studies have shown that raising the limit to ten sharply reduces the number of legitimate users who get locked out, at little cost to the security of the system as a whole.
In pursuit of convenience and ease of use, many organisations, banks included, impose relatively weak password requirements on their services. The new scheme could reconcile the security specialists who insist on complex passwords with those who care about how easily users can log in.
Sources:
Technology Review,
Microsoft Research