Microsoft if battling weak passwords by banning those most commonly used passwords – as found in lists of breached user accounts:
Azure Active Directory’s 10 million or so users will no longer be able to select a password that’s appeared too many times on breach lists, or commonly appears in attackers’ login attempts.
The new regulation is already live in Microsoft Account Service and in private preview in Azure Active Directory, Redmond says in this Technet post.
“What we do with the data is prevent you from having a password anywhere near the current attack list, so those attacks won’t work”, Alex Weinart writes.
The Microsoft post reiterates that the old beliefs about passwords are already obsolete: password length requirements, password “complexity” requirements, and periodic password expiration all need to be jettisoned because they make passwords less secure.