Hey Carlos,
Great Questions!
Let me start by saying - this feature is really all about preventing password guessing. Attacks like phishing, keystroke logging, and third-party breach are really password independent, and database breaking (e.g. getting an offline copy of the data for brute forcing) is a completely different sort of threat. So focusing now on password guessing - most of this is done today via low-and-slow attacks across multiple customers and tens of thousands of accounts, but using only a few passwords (we typically detect and shut down the attack very quickly, and rate limiting and lockout technologies provide further friction to attackers).
So: we are trying to keep your users from having passwords that can be guessed.
- [Can you change # of points required] We have looked at it, but our focus right now is ensuring that the algorithm we use defeats *all* guessing attacks as described above. We have been working with the red teams of some great preview customers to help us get this right. Rather than asking you to tweak the algo, we want to just do it right. If the current thresholds aren't doing the trick, we'd rather make it stronger for *everyone* (without adding friction just for "security theater"). We’ve updated the global banned password list and the banned password algorithm many times during the course of public preview. These changes will help expand the set of passwords being blocked. But if you are finding that there are patterns/guesses that the current algo isn't blocking, we would LOVE for you to reach out to us here or DM our GPM Alex Weinert on Twitter (@alex_t_weinert), so that we can tune it further.
- [How does it work?] In a nutshell, what we are doing is analyzing our current attackers' patterns and maintaining a shorter (~2000 word) base banned word list. From there, we normalize for case and common substitutions (so "P@$$w0rD" becomes "password") and ban all of those permutations. Any matches here are collapsed for point value, so while you can use a string like "password" or "123" in a password, there has to be enough entropy around it to make it a valid password, e.g. "123asd*%spasswordV$" would be allowed. The algorithm is fully outlined at https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad#global-banned-password-list. We don’t need to have every single weak password combination in the global list because the algorithm will take care of that for us. Additionally, blocking all passwords previously seen for any user is problematic – users will get frustrated coming up with a password no-one else has ever thought of.
Broadly, I think that excessively strict rules do harm, not good - you are forcing people to rely on cut and paste, killing usability, etc. What we really need is client device bound credentials which use PKI to transmit non-replayable, cryptographically strong nonces for login and break the back of all of these password vulnerabilities (FIDO2!) - in the meantime, we want to prevent password guessing without generating unnecessary user friction. Check out https://aka.ms/passwordguidance for the studies that back this.
Thanks,
Rohini
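As an added worked example (not code from this thread or from Microsoft), here is a toy version of the scoring Rohini describes: lower-case the password, treat common substitutions as their letter, collapse each banned-word match to a single point, count every leftover character as a point, and require a minimum score. The banned list, the substitution table and the 5-point threshold are all assumptions for illustration.

```python
# Constructed sample of a base banned list; the real list is ~2000 entries and not published.
BANNED_WORDS = {"password", "pass", "123", "abc", "welcome", "contoso"}

# Assumed substitution table (illustrative, not Microsoft's exact mapping).
SUBSTITUTIONS = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "l", "!": "i", "3": "e"}


def _char_matches(c: str, w: str) -> bool:
    """A password character matches a banned-word character directly or via substitution."""
    return c == w or SUBSTITUTIONS.get(c) == w


def _banned_word_at(pw: str, i: int):
    """Longest banned word that occurs at pw[i:] after case/substitution normalization."""
    best = None
    for word in BANNED_WORDS:
        if i + len(word) <= len(pw) and all(_char_matches(c, w) for c, w in zip(pw[i:], word)):
            if best is None or len(word) > len(best):
                best = word
    return best


def tokenize(password: str) -> list:
    """Split a password into banned-word tokens and leftover single characters."""
    pw = password.lower()
    tokens, i = [], 0
    while i < len(pw):
        word = _banned_word_at(pw, i)
        if word:
            tokens.append(f"[{word}]")  # a matched banned word collapses to one token
            i += len(word)
        else:
            tokens.append(pw[i])
            i += 1
    return tokens


def score(password: str) -> int:
    """One point per token: a whole banned word is worth no more than a single character."""
    return len(tokenize(password))


def is_allowed(password: str, threshold: int = 5) -> bool:
    """Accept only passwords with enough points; the threshold of 5 is an assumption here."""
    return score(password) >= threshold


if __name__ == "__main__":
    for candidate in ("P@$$w0rD", "Contoso123", "123asd*%spasswordV$"):
        print(candidate, tokenize(candidate), score(candidate), is_allowed(candidate))
```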