Does Microsoft's "Password Ban" list insecurely store user passwords?

We, at Microsoft, are banning the passwords most commonly used in the attacks and nearby variants. We aren't basing this on our user populations, who (because of the system) don't share these passwords unless the attacks change.

The attack lists generally derive from studying breaches. Attackers are smart enough to look at lists to figure out high probability passwords, then do their brute force, etc. around those high frequency words. We look at the same lists plus the attack patterns to determine our ban lists.

Hope this helps.

A system that checks existing account passwords before deciding to block a new user's password as "too common" would, in fact, be self-defeating. You would not only be letting a user or attacker know that in fact the password is valid for some accounts, but that's it's valid for a lot of accounts. Specifically, the commonality threshold value - 1 of them.

So, the approach described in the article is in fact the approach that Microsoft is using to ban common passwords for Microsoft Accounts and Azure AD. It's a combination of known common and/or weak passwords, passwords that are commonly used in brute-force access attempts, and variations on those passwords that are determined to be too similar.