Predictable, easy-to-guess passwords are often the weak link that ends up breaking the security chain, and attackers know this.
“They know to account for character substitutions like ‘$’ for ‘s’. They also know that if there are complexity rules, most people will apply them in the same way: by starting a word with a capital letter and ending the password with a digit or punctuation. They know that requiring users to change their passwords periodically leads to other predictable patterns,” says Alex Simons, Director of Program Management at the Microsoft Identity Division.
So Microsoft is making sure that Azure AD and Windows Server Active Directory customers can prevent users from using such passwords.
New password security tool
Azure AD Password Protection is a banned password system that can be used both in the cloud and on-premises wherever users change their passwords, and it takes advantage of a regularly updated database of banned passwords.
This database includes a list of more than 500 of the most commonly used passwords, plus over 1 million character substitution variations of those passwords, and Microsoft uses it in the cloud for Microsoft accounts and Azure AD accounts.
Now the option is available to all Azure AD customers (but Azure AD password protection for Windows Server Active Directory requires Azure AD Premium licenses). Premium customers also have the option to supplement the list of the most common passwords with one custom-made to include banned passwords specific to their organisation.
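To make the mechanism concrete, here is an added example (not Microsoft's code or its actual banned list) of how a banned-password check can undo the predictable tweaks Simons describes: trailing digits or punctuation, a capitalised first letter, and substitutions such as ‘$’ for ‘s’. The banned words, the substitution table and the optional organisation-specific list are constructed for illustration.

```python
import re

# Constructed sample of a global banned list (illustrative only; the real
# Azure AD list holds 500+ base passwords and is not reproduced here).
GLOBAL_BANNED = frozenset({"password", "welcome", "letmein", "summer",
                           "qwerty", "123456"})

# Assumed substitution table: the "$ for s" style swaps the article
# mentions plus a few similar ones. Not Microsoft's actual table.
SUBSTITUTIONS = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
    "1": "l", "!": "i", "3": "e", "7": "t",
})


def normalize(password: str) -> str:
    """Reduce a password to the base word the user most likely started from.

    The steps mirror the patterns described in the article:
    1. drop the trailing digit/punctuation run ("Summer2018!" -> "Summer"),
    2. undo character substitutions ("P@$$w0rd" -> "Password"),
    3. lower-case so the capitalised first letter is ignored.
    """
    base = re.sub(r"[^A-Za-z]+$", "", password)
    base = base.translate(SUBSTITUTIONS)
    return base.lower()


def is_banned(password: str, custom_banned=frozenset()) -> bool:
    """True when the password, raw or normalised, contains a banned word.

    `custom_banned` models the organisation-specific list that Premium
    customers can add on top of the global list (e.g. company names).
    The raw lower-cased form is checked too so that all-digit passwords
    like "123456" are still caught after normalisation strips them to "".
    """
    banned = GLOBAL_BANNED | custom_banned
    candidates = {password.lower(), normalize(password)}
    return any(word in cand for cand in candidates if cand for word in banned)


if __name__ == "__main__":
    for pw in ["P@$$w0rd1!", "L3tM3In!", "Contoso2019!", "correct-horse-battery-staple"]:
        print(f"{pw:32} banned={is_banned(pw, frozenset({'contoso'}))}")
```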
Another tool that is available to all Azure AD customers is Smart Lockout, a system that uses cloud intelligence to lock out bad actors who are trying to guess users’ passwords while, at the same time, allowing legitimate users in.
“Smart lockout is always on for all Azure AD customers with default settings that offer the right mix of security and usability, but you can also customize those settings with the right values for your environment,” Simons explains.
“With banned passwords and smart lockout together, Azure AD password protection ensures your users have hard-to-guess passwords and bad guys don’t get enough guesses to break in.”