Instead of forcing users to choose complex passwords, as many sites and corporate networks do, Microsoft focuses on reducing the number of users who share the same password. According to Technology Review, this should eventually provide a level of security comparable to that of complex passwords.
With this approach, Microsoft Research wants to eliminate the need for complex combinations of letters, digits, special characters, and upper- and lowercase letters. The trick is to count: how many users are using the same password? As soon as this number exceeds a defined threshold, new users can no longer choose that password.
In access systems with a very large number of users, this ensures a certain level of password complexity, so attackers cannot break into accounts using common, simple passwords. Dictionary attacks are likewise limited to a very small scale.
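The counting mechanism described above, as an added Python example (not code from Microsoft Research or from the article): the threshold value, the HMAC-keyed counter table and the server-side secret are assumptions chosen for illustration.

```python
import hmac
import hashlib
from collections import Counter


class PopularityLimitedPasswords:
    """Reject a new password once too many existing users already use it.

    Hypothetical implementation of the counting idea: counts are keyed by
    an HMAC of the password under a server-side secret (an assumption), so
    the counter table stores neither passwords nor unkeyed hashes.
    """

    def __init__(self, threshold, secret):
        self.threshold = threshold      # max users allowed per password
        self._secret = secret
        self._counts = Counter()        # HMAC(password) -> number of users

    def _key(self, password):
        return hmac.new(self._secret, password.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def popularity(self, password):
        """How many current users share this password."""
        return self._counts[self._key(password)]

    def is_allowed(self, password):
        # Allowed while fewer than `threshold` users already share it.
        return self.popularity(password) < self.threshold

    def register(self, password):
        """Claim the password for a new user; returns True if accepted."""
        if not self.is_allowed(password):
            return False
        self._counts[self._key(password)] += 1
        return True

    def release(self, password):
        """Call when a user changes away from a password, freeing a slot."""
        k = self._key(password)
        if self._counts[k] > 0:
            self._counts[k] -= 1


def demo():
    # Constructed scenario: at most 2 users may share any one password.
    limiter = PopularityLimitedPasswords(threshold=2, secret=b"demo-secret")
    first = limiter.register("password1")
    second = limiter.register("password1")
    third = limiter.register("password1")   # now too popular: rejected
    return first, second, third
```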
The researchers' goal is to make login systems more usable without weakening security. There are currently no plans to deploy the research results in Microsoft services; first, Microsoft wants to gather feedback on the concept from security experts.