DavidLos, you wrote "App Passwords will also be disabled for Outlook.com accounts, leaving any form of basic auth does indeed leave vectors open for password spray attacks"
I am reading the definition of password spraying here: https://www.keepersecurity.com/threats/password-spraying-attack.html
Password spraying, also known as a password spray attack, is when an attacker uses common passwords to attempt to access several accounts on one domain. Using a list of common weak passwords, such as 123456 or password1, an attacker can potentially access hundreds of accounts in one attack.
There is no way Application Passwords can be used for a Password Spray Attack. An Application Password is a random string of 16 characters. It is neither a common password nor a weak password. App Passwords are pretty secure and are used by users who know what they are doing. They are used in various scripts, programs, console clients, and some IoT devices. They can't be used in a social engineering attack in most cases because users do not remember them and generate a new app password when they forget the old one. I do not see a situation where an application password can be used as an additional attack vector (except, possibly, the case when an attacker targets a specific mailbox with billions of passwords per second, but this attack should be immediately stopped in any case).
The total number of combinations is 43,608,742,899,428,874,059,776.
It would take approximately 1,381,877,674 years to try all 43,608,742,899,428,874,059,776 combinations at a rate of 1,000,000 combinations per second.
I do not think we have a security issue here.
I just wanted to ask if Microsoft could keep the Application Passwords feature around. It’s very helpful for apps and devices that are incompatible with OAUTH2, and, in some cases (console utilities) OAUTH2 can't be used at all. Dropping this feature could make things a bit tricky (if not impossible).
By the way, application passwords already do not work on some devices.