(and Why It Doesn’t Protect You)
Relying on Microsoft’s Azure AD Password Protection feature to keep weak and compromised passwords out of your environment can leave your users and data at risk. Azure AD Password Protection ignores the vast majority of compromised and blacklisted passwords and doesn’t actively scan for bad passwords. Another problematic element of Azure AD Password Protection is its confusing score calculation – the way the feature evaluates “bad” passwords.
Every time a user changes or resets their password, Azure AD Password Protection will evaluate its weaknesses and assign a score based on specific criteria. The utility of this score is questionable, however, because even passwords that contain entries from their own Global Banned Password List can receive passing scores. (Forget about evaluating all other exposed passwords from data breaches!) In Microsoft’s own words, “Even if a user’s password contains a banned password, the password may be accepted if the overall password is otherwise strong enough.” Since Microsoft’s telemetry doesn’t explicitly include cracking dictionary values, it’s possible for users to select passwords or parts of passwords that appear in cracking dictionaries.
The Method to Their Madness: Azure AD Password Protection Score Calculation
According to Microsoft’s documentation, Azure AD Password Protection evaluates a new password “for strength and complexity by validating it against the combined list of terms from the global and custom banned password lists.” They create their Global Banned Password List by analyzing Azure AD security telemetry data to build a list of “base terms” discovered in weak passwords. Then, administrators can create a custom list of terms to ban from their organization. The score calculation feature relies on these two lists to determine how secure a newly configured password might be.
In step one, the proposed password is normalized. This means changing the uppercase letters to lowercase letters and performing a limited set of leetspeak character substitutions. For example, a zero becomes an “o”, a $ becomes an “s”, and @ becomes an “a”. Although this is a crucial password protection strategy, some of the most common variants aren’t accounted for, such as 1 for L or 4 for A.
Then, the normalized password is checked against the two lists to calculate a failing or a passing score.
If the password isn’t rejected outright, Azure AD Password Protection calculates a score with its narrow point system: the password receives one point for each banned term it contains, plus one point for each remaining character that is not part of a banned term. Any password scoring at least five points is given the green light. Could you explain this to a user who wants to know why their password was rejected?
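To make the scoring concrete, here is an added worked model of the normalization and point system exactly as the article describes it (this is illustrative code written for this page, not Microsoft’s implementation or Enzoic’s product code). It applies only the three leetspeak substitutions the article names, and the banned terms and sample passwords are constructed stand-ins for the global and custom lists. Running it shows the two behaviours the article criticizes: a password built entirely from a banned term plus four characters passes with exactly five points, and a substitution the normalizer does not handle (4 for a) lets a trivially modified banned term through untouched.

```python
# Added example: a toy model of Azure AD Password Protection scoring as the
# article describes it. Not Microsoft's or Enzoic's code.

# Only the substitutions the article lists. It notes that others (1 -> l,
# 4 -> a) are not accounted for, so they are deliberately absent here.
SUBSTITUTIONS = {"0": "o", "$": "s", "@": "a"}

# Constructed stand-ins for the global banned list and an org's custom list.
GLOBAL_BANNED = ["password", "contoso", "qwerty"]
CUSTOM_BANNED = ["acme"]
MIN_SCORE = 5  # the article: at least five points passes


def normalize(password):
    """Step one: lowercase, then the limited leetspeak substitutions."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())


def score(password, banned=None):
    """Return (points, matched_terms, remaining_chars).

    One point per banned term found in the normalized password, one point
    per remaining character not covered by a banned term. Longer terms are
    matched first so a short term never steals characters from a longer one,
    and characters are marked as covered (rather than deleted) so removing a
    term cannot splice its neighbours into a new banned term.
    """
    terms = banned if banned is not None else GLOBAL_BANNED + CUSTOM_BANNED
    normalized = normalize(password)
    covered = [False] * len(normalized)
    matched = []
    for term in sorted(terms, key=len, reverse=True):
        start = 0
        while True:
            idx = normalized.find(term, start)
            if idx == -1:
                break
            span = range(idx, idx + len(term))
            if not any(covered[i] for i in span):
                for i in span:
                    covered[i] = True
                matched.append(term)
            start = idx + 1
    remaining = "".join(c for c, used in zip(normalized, covered) if not used)
    return len(matched) + len(remaining), matched, remaining


def evaluate(password, banned=None):
    """Full verdict in a form you could show a user asking why they were rejected."""
    points, matched, remaining = score(password, banned)
    return {
        "normalized": normalize(password),
        "banned_terms": matched,
        "remaining": remaining,
        "score": points,
        "accepted": points >= MIN_SCORE,
    }


if __name__ == "__main__":
    # Constructed sample passwords, chosen to exercise the edge cases.
    for pw in ["P@ssw0rd", "P@ssw0rd2024", "C0ntos0!", "P4ssw0rd", "QwertyPassword"]:
        print(pw, "->", evaluate(pw))
```

Note how `P@ssw0rd2024` is accepted: the banned term contributes one point and the four trailing digits contribute the other four, which is the "may be accepted if the overall password is otherwise strong enough" behaviour quoted above. `P4ssw0rd` never matches at all, because `4` is not normalized, so every character counts as "remaining" and it scores eight.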
While these guidelines offer a basic level of protection, hackers can still gain access to accounts using variations of easy-to-guess passwords. As we know, weak and leaked passwords often lead to successful password spraying and ransomware attacks.
Microsoft Acknowledges the Need for a More Robust Password Solution
The use of stolen or compromised credentials is the most common cause of a data breach, according to IBM’s Cost of a Data Breach Report 2022. Microsoft’s password policy recommendations suggest that system administrators ban common passwords to ensure that at-risk passwords are kept out of the system. Given that Azure AD Password Protection doesn’t attempt to include compromised passwords or values from cracking dictionaries, it is not a powerful enough password solution to ensure your users do not select passwords that will make your system vulnerable to attack.
Microsoft also does not recommend mandatory periodic password resets or character composition requirements; furthermore, its password protection feature does not continuously monitor passwords for exposure against up-to-date data breach intelligence.
Microsoft knows their users require a dynamic versus static password protection strategy. To successfully bridge this gap, Enzoic for Active Directory offers stronger protection than Azure AD Password Protection to safeguard the password layer of your authentication security stack. Our solution enables your team to automatically enforce password standards that align with industry recommendations and compliance standards, ensuring that your accounts, PII, and data stay secure. In addition, Enzoic continuously monitors for compromised passwords on the dark web and features automated remediation, so user accounts remain protected even if sensitive information is exposed in a breach.