2022 shaped up to be an extremely successful year for cybercriminals. Data breaches are accumulating in unprecedented numbers, putting more and more information in the hands of bad actors. Cyberattacks this year have hit big players like Cash App and the Red Cross, as well as smaller companies around the world. Even small data breaches have a part to play in the larger landscape of compromised credentials. The technologies and tools we depend on to keep our businesses safe must be agile enough to take this continuously changing environment into consideration.
So, it’s surprising that Microsoft’s Azure AD Password Protection doesn’t. Users are told to depend on Microsoft’s password protection feature to detect and block the use of known weak passwords and their variants. Yet, it doesn’t check any available lists of compromised passwords or the vast majority of blacklisted passwords when it scans for weak passwords.
As Microsoft explains, “the global banned password list is based on the ongoing results of Azure AD security telemetry and analysis.” This means they are only collecting data from previous attacks against their infrastructure. Meanwhile, Microsoft ignores all the freely available data from past breaches. But you can bet hackers aren’t ignoring it. Additionally, Azure AD Password Protection takes a minimalist approach to blacklisting common dictionary words too.
All of this adds up to a lot of gaps in password security for any business that expects Azure AD Password Protection to safeguard their systems from these easily exploitable vulnerabilities.
The Threat of Data Breached Passwords
We’ll never be able to escape the fact that users are human, making human mistakes. As humans, we like what’s familiar to us. We remember what’s familiar to us. When it comes to passwords, this means that we go back to the same well of known character and number combinations over and over again. When passwords are exposed in data breaches, and users continue to employ those compromised credentials in your systems without you knowing, your organization becomes vulnerable. Criminals now have a better chance of getting into your systems with simple, widespread hacking methods like credential stuffing and password spraying.
Persistently, cybersecurity news is a litany of the latest and most crippling data breaches of our time. The costs of these attacks are soaring. IBM’s Cost of a Data Breach 2022 Report found that losses are still on an upswing, rising from an average of $4.24 million per breach in 2021 to $4.35 million in 2022. These numbers can’t even account for the domino effects of the original cyberattacks and the costs to organizations that are later breached with those stolen credentials. But we know stolen or compromised credentials were responsible for 19% of breaches this year, according to IBM’s report. If organizations take a more proactive approach to password security and a breach occurs, it costs the victim an average of $3.05 million less. Organizations with zero trust architecture also save. Breaches cost an average of $1 million less in these cases.
How Azure AD Password Protection Sidesteps the Obvious
NIST 800-63B password guidance tells us, “When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.” This specifically includes the compromised passwords obtained from previous breaches, along with dictionary words (and their variants), repetitive or sequential characters, and context-specific words.
Surprising as it may sound, Microsoft’s password solution doesn’t attempt to prevent the use of passwords that have already been exposed in previous breaches, despite what the NIST guidelines say. Their global banned password list doesn’t include all common dictionary words, either. It’s built on an extraordinarily truncated list of only 500 of the most commonly used passwords and their variants (like words with character substitutions). Microsoft’s own guidelines state that a strong password is “not a word that can be found in a dictionary or the name of a person, character, product, or organization,” but their own tool doesn’t follow this advice.
Azure AD Password Protection wouldn’t stop a user from creating a password from any of the thousands of common English words, let alone common dictionary words from other languages. By focusing on a minimal base terms password list, Azure AD Password Protection also doesn’t account for regional differences in popular passwords. They offer an option to create a custom banned list, but this is more so businesses can include things like brand names, not attempt to cover everything Microsoft is leaving out.
Shockingly, (or maybe not so shockingly) 44 million Microsoft Azure AD and Microsoft Services accounts were using compromised passwords. It seems that many are leaning too heavily on this password protection feature, leaving their accounts and systems open for cybercriminals to hijack. Tools like Enzoic for Active Directory make it incredibly simple to fill these security gaps, automatically cross-referencing your passwords against recent data breaches and keeping compromised credentials and blacklisted dictionary words (all of them) out of your systems. When it’s this easy to shore up your security, why settle for anything less?