Once upon a time, a strong password was a fixed concept. If a password had the right mix of characters – capital and lowercase letters, at least one number, and a symbol – it was considered strong. And a password defined as strong would always be so. This is no longer the case. As we know today, compromised credentials have changed the game. Bad actors can now access an unprecedented amount of stolen credentials and pre-built cracking dictionaries from marketplaces on the dark web. One of your users could create an algorithmically strong password one day, and a hacker might immediately expose the same password as part of a 3rd party data breach the following day, leaving your organization vulnerable. This is why we need robust cybersecurity solutions in place that take this new threat landscape seriously. One way to help protect your business systems from a breach is continuously monitoring Active Directory for compromised passwords.
Unfortunately, some free password policy tools and features out there tout password protection without actively monitoring if user credentials become compromised. This is a big problem if businesses believe their passwords are protected when, in fact, they are – at most – being passively checked against a limited blacklist every so often. Free features like Microsoft’s Azure AD Password Protection don’t actively monitor for passwords from data breaches, putting entire business systems at risk.
Blacklisted Passwords are Blacklisted for a Reason
When advanced password screening solutions like Enzoic for Active Directory develop password blacklists, we pull the data from many different sources and use many different collection methods: infiltrating private exchanges, intercepting hacker communications, obtaining dumped data breaches, honeypots, and much more.
We live in a world full of data breaches, and your employees will reuse passwords they’ve utilized on other third-party sites. One Google survey found that 65% of people reuse the same password across multiple, if not all, accounts! When any of those websites is breached, those username and password pairs are out in the wild for any hacker to add to their repertoire of cracking lists. As soon as a data breach occurs and your user’s password is exposed, your system should automatically alert them and have them reset their password.
Microsoft’s Azure AD Password Protection does not continuously monitor your systems to detect when an existing password becomes compromised. The effort it takes to provide a comprehensive service that continually collects and updates this data is beyond their simple implementation. Microsoft only checks a user’s password when it is created or reset. Even then, the list it checks against is not from the most recent data breaches. Azure AD Password Protection’s global banned password list ignores compromised passwords from 3rd party data breaches that should be blacklisted.
What Happens When You Only Check Passwords During Reset
Even if your banned password list were comprehensive and robust, checking credentials against it only during password selection is not a viable cybersecurity strategy. If the current threat landscape means that rogue actors have access to passwords from data breaches all over the world, then cybercriminal activity will quickly outpace Microsoft’s passive approach. Yes, you should check passwords during selection, but that can’t be the only time you’re screening for vulnerabilities in your users’ passwords. Blacklists are evolving at a record pace, and anytime your system leverages a stolen credential for protection, you’re at risk.
Microsoft Discourages Password Expiration – So When Do Passwords Get Checked???
Perhaps Microsoft expects the vulnerable password to expire after some time, limiting the window of opportunity for a hacker to leverage it for unauthorized access. Actually, no. This can’t be the case because their position on password expiration is that it “is an ancient and obsolete mitigation of very low value.” Since 2019, Microsoft ‘s own password policy guidelines for administrators suggest eliminating the requirement for mandatory periodic password resets. This follows advice from NIST, FTC, and others who recommend deferring forced password reset until there is evidence that the password has become compromised.
The recommendation to eliminate password expiration is correct because research shows that arbitrary password expiration actually makes passwords more vulnerable. It encourages users to create easier and easier-to-guess passwords over time. Microsoft has fully embraced these recommendations by improving their “identity secure score” for organizations that do not allow passwords to expire in their system.
But it begs the question – if Azure AD Password Protection only checks passwords against their list of banned passwords upon selection and reset, how often are their passwords being monitored?
The answer, of course, is extremely rarely.
If you eliminate periodic password expiration, you need continuous password monitoring to alert users when their passwords and credentials show up in a data breach. Azure AD Password Protection encourages its users to remove periodic password resets without the protection of an active, real-time monitoring capability. Enzoic for Active Directory allows organizations to continuously monitor credentials and automatically remediate when they’ve been exposed.