In a previous Our Thoughts On article, we described a threat to organizations known as password spraying, in which an attacker attempts to log in to every username the attacker knows of using a single password. The attacker, armed with a large list of user logins, is looking for any account protected by a commonly guessable password, whether a frequently used password or one related to the company being attacked. One of the best ways to avoid common passwords is to ensure users create passwords that are not easily guessable. Many organizations’ password requirements and restrictions—despite being robust—occasionally still fail to keep users from choosing easily guessed passwords such as “Spring2019!” or “Passw0rd!”.
If your organization utilizes Office 365 with Azure AD integration (whether fully in the cloud or with a hybrid on-premises and cloud environment), Microsoft has released a new feature to help users create stronger passwords. On April 2nd, 2019, Microsoft made Azure AD Password Protection generally available to organizations with either Azure AD Premium P1 or P2.
This feature enables organizations to enable Azure AD Password Protection for their user accounts and block any password that appears on a Microsoft-maintained global banned password list. Microsoft continues to develop this list by reviewing publicly known breached password listings. While Microsoft does not provide details on the passwords contained within the global list, it has indicated that the list is continually updated based on the ever-changing threat environment. Additionally, organizations can establish an additional layer of prevention by supplying their own custom banned password list in the Azure AD Password Protection configuration. This allows an organization to prohibit passwords that use its own name, commonly known information about the organization, or any other passwords about which the organization may have concerns.
Azure AD Password Protection also performs a three-step process to check for similar passwords to the blocked global or custom password list:
Step 1: The password is normalized (for example, changing an “@” -> “a” or a “0” -> “o”) to catch users who perform simple character replacements.
Step 2: The software checks for fuzzy matches of a banned password by seeing whether a character was changed by a distance of 1 (“1” -> “2” or “a” -> “b”).
Step 3: The software checks whether a banned password is contained within a longer password. A banned password counts as 1 point in a required 5-point scoring system. A password containing a banned password is still considered acceptable if it includes at least 4 additional unique characters before or after the banned portion, where each unique character counts as 1 additional point, bringing the total to the required 5 points.
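The following is an added example illustrating the three-step check as the post describes it; it is not Microsoft’s implementation and Microsoft does not publish its actual substitution table or banned lists. The substitution table, the `GLOBAL_BANNED` and `CUSTOM_BANNED` lists (including the hypothetical organization name “examplecorp”) and the sample passwords are all constructed for this example, and the unique-character counting follows the post’s wording of the 5-point rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

REQUIRED_POINTS = 5  # the 5-point threshold described in the post

# Step 1: substitutions to undo before matching. Constructed for this example
# from the two replacements the post names ("@" -> "a", "0" -> "o") plus a few
# common ones; Microsoft does not publish its actual table.
_SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "$": "s", "3": "e"})

# Constructed stand-ins for the global list and an organization's custom list.
# "examplecorp" is a hypothetical organization name.
GLOBAL_BANNED = ["password", "spring", "summer", "welcome"]
CUSTOM_BANNED = ["examplecorp", "pass"]


@dataclass
class Verdict:
    normalized: str
    banned_hits: List[str]
    points: int
    accepted: bool


def normalize(password: str) -> str:
    """Step 1: lower-case the password and undo simple character replacements."""
    return password.lower().translate(_SUBSTITUTIONS)


def within_distance_one(window: str, term: str) -> bool:
    """Step 2: fuzzy match; true if at most one character position differs."""
    if len(window) != len(term):
        return False
    return sum(a != b for a, b in zip(window, term)) <= 1


def find_banned_spans(normalized: str, banned_terms: List[str]) -> List[Tuple[int, int, str]]:
    """Steps 2 and 3: locate banned terms inside the password, exactly or as a
    one-character variant. Longer terms are matched first and each character is
    attributed to at most one term, so "pass" does not score again inside "password"."""
    covered = [False] * len(normalized)
    spans: List[Tuple[int, int, str]] = []
    for term in sorted(set(banned_terms), key=len, reverse=True):
        n = len(term)
        for i in range(len(normalized) - n + 1):
            if any(covered[i:i + n]):
                continue
            if within_distance_one(normalized[i:i + n], term):
                spans.append((i, i + n, term))
                for k in range(i, i + n):
                    covered[k] = True
    return spans


def score_password(password: str, banned_terms: Optional[List[str]] = None) -> Verdict:
    """Scoring rule from the post: each banned term found is 1 point, each unique
    character outside the banned spans is 1 point, and 5 points are required."""
    if banned_terms is None:
        banned_terms = GLOBAL_BANNED + CUSTOM_BANNED
    normalized = normalize(password)
    spans = find_banned_spans(normalized, banned_terms)
    covered = set()
    for start, end, _ in spans:
        covered.update(range(start, end))
    leftover = {ch for idx, ch in enumerate(normalized) if idx not in covered}
    points = len(spans) + len(leftover)
    # A password with no banned content is not subject to the 5-point rule.
    accepted = not spans or points >= REQUIRED_POINTS
    return Verdict(normalized, [t for _, _, t in spans], points, accepted)


if __name__ == "__main__":
    for candidate in ["Passw0rd!", "Pbssword", "Spring2019!", "Ex@mpleC0rp!", "PassPassword"]:
        v = score_password(candidate)
        print(f"{candidate:14} -> {v.normalized:14} hits={v.banned_hits} "
              f"points={v.points} accepted={v.accepted}")
```

Running the sample shows the caveat a practitioner should expect: “Passw0rd!” normalizes to “password!” and scores only 2 points, but “Spring2019!” scores 6 under this rule (“spring” plus five unique trailing characters) and is accepted. Under the scoring as described, a seasonal pattern like that is only blocked if the full phrase itself appears on the global or custom list, which is a good argument for putting complete patterns, not just root words, on an organization’s custom list.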
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.