In a previous Our Thoughts On article, we described a threat to organizations known as password spraying, in which an attacker attempts to log in to every username the attacker knows using a single password. With a large array of user logins, the attacker tries to find an account protected by a commonly guessable password, whether a frequently used password or one related to the company being attacked. One of the best ways to avoid common passwords is to ensure users create passwords that are not easily guessable. Many organizations’ password requirements and restrictions—despite being robust—still occasionally fail to keep user passwords from being easily guessed, allowing choices such as “Spring2019!” or “Passw0rd!”.
If your organization utilizes Office 365 with Azure AD integration (whether fully in the cloud or with a hybrid on-premises and cloud environment), Microsoft has released a new feature to help users create stronger passwords. On April 2nd, 2019, Microsoft made Azure AD Password Protection generally available to organizations with either Azure AD Premium P1 or P2.
This feature lets organizations enable Azure AD Password Protection for their user accounts and block any password that appears on Microsoft’s global banned password list. Microsoft continues to develop this list by reviewing publicly known breached password listings. While Microsoft does not disclose the passwords contained in the global list, it has indicated that the list is continually updated based on the ever-changing threat environment. Additionally, organizations can add a further layer of prevention by supplying their own custom banned password list in the Azure AD Password Protection configuration. This allows an organization to prohibit passwords that use its own name, commonly known information about the organization, or any other passwords about which the organization has concerns.
Azure AD Password Protection also performs a three-step process to check for similar passwords to the blocked global or custom password list:
Step 1: The password is normalized (for example, changing “@” -> “a” or “0” -> “o”) to catch users performing simple character substitutions.
Step 2: The software checks for fuzzy matches of a banned password by testing whether a character was changed by a distance of 1 (“1” -> “2” or “a” -> “b”).
Step 3: The software checks whether a banned password is contained within a longer password. A banned password counts as 1 point in a required 5-point scoring system. A password that contains a banned password is considered acceptable only if it includes an additional 4 unique characters before or after the banned password, earning the additional required 4 points (each unique character counts as 1 additional point).
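To make the three steps concrete, here is an added, simplified model of the check (example code written for this article, not Microsoft’s implementation). The banned list is constructed, the normalization table contains only the two replacements mentioned above, and reading “changed by a distance of 1” as a single-character substitution is an assumption.

```python
BANNED = {"password", "spring2019", "contoso"}  # constructed sample banned list

# Step 1 table: only the two replacements named in the text; Microsoft does not
# publish its real table, so anything beyond "@" and "0" would be an assumption.
SUBSTITUTIONS = {"@": "a", "0": "o"}


def normalize(password: str) -> str:
    """Step 1: lowercase the password and undo simple character substitutions."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())


def fuzzy_equal(candidate: str, banned_word: str) -> bool:
    """Step 2: same length and at most one character differs
    (assumed reading of 'changed by a distance of 1')."""
    if len(candidate) != len(banned_word):
        return False
    return sum(a != b for a, b in zip(candidate, banned_word)) <= 1


def find_banned_spans(normalized: str, banned=BANNED):
    """Step 3a: locate banned words (exact or fuzzy) inside the password.
    Longer banned words are tried first so a match is not split into pieces,
    and each character may belong to only one match."""
    spans, covered = [], [False] * len(normalized)
    for word in sorted(banned, key=len, reverse=True):
        for i in range(len(normalized) - len(word) + 1):
            window = range(i, i + len(word))
            if any(covered[j] for j in window):
                continue
            if fuzzy_equal(normalized[i:i + len(word)], word):
                spans.append((i, i + len(word)))
                for j in window:
                    covered[j] = True
    return spans


def score(password: str, banned=BANNED) -> int:
    """Step 3b: 1 point per banned word found plus 1 point per unique leftover character."""
    norm = normalize(password)
    spans = find_banned_spans(norm, banned)
    matched = {i for start, end in spans for i in range(start, end)}
    leftover = {ch for i, ch in enumerate(norm) if i not in matched}
    return len(spans) + len(leftover)


def is_acceptable(password: str, banned=BANNED, required_points: int = 5) -> bool:
    """A password passes once it reaches the required 5 points."""
    return score(password, banned) >= required_points
```

With this model, “P@ssw0rd!” normalizes to the banned word plus one character and scores only 2, while “PasswordAb12” scores 5 because four unique characters follow the banned word.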
Azure AD Password Protection is an easy and free way for organizations with Azure AD Premium P1 or P2 to add a layer of password strength checking beyond the standard character mix and minimum length to which users are accustomed. To enable the feature, go to Authentication Methods under Azure Active Directory in the Azure portal. Additional details on setting up the service can be found in the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Password-Protection-is-now-generally-available/ba-p/377487