A reason why organizations require you to create long and complex passwords is to prevent hackers from guessing  your passwords.

Hackers on the other no longer do dictionary attacks as that will lock the account that they are trying to hack. Instead they have a database of common passwords that they try across millions of accounts and they may hit the jackpot in some cases.

Microsoft researchers have therefore come up a different idea to deal with this problem. Instead of requiring people to create complex passwords, they look at how many people are currently using a password and it becomes too common, they ban people from using it.

The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it.

Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant faction of accounts using online guessing.