I was asked to answer four questions:
Are there any security risks associated with Microsoft analysing passwords like this?
There is very little risk, as we are trusting Microsoft to store and secure that password, as it will need to be check every time it’s used. Like all other systems, it’s just an algorithm to check how the password is structured.
Why is Microsoft doing this now and not a long time ago?
Insecure passwords have been a problem since there was a need for passwords. SplashData do an annual review of the worse passwords people use and typically users will be blamed for using these sorts of passwords. It is the provider/administrator that sets the stipulation of the password structure, so insecure passwords are due to bad standards. Cybersecurity and data compromises are more common place, so it is good that Microsoft is taking action.
Is this a good idea?
It is definitely a good idea to increase the security of passwords, but if Microsoft were taking security more seriously, I’d want to see the use of two factor authentication.
Won't people just forget complex passwords more easily?
If the complexity increases too much then passwords will be written down. The user needs to consider a move to a secure password vault, or the supplier needs to look to two factor authentication.