The NEW Azure AD Password Protection Service by Microsoft Azure

This is neither the first nor the last attempt Microsoft will make to help companies stop easily cracked passwords from being used as end-user passwords. Back in 2016, Microsoft attempted to ban easily hacked passwords on the Microsoft Account Service and Azure Active Directory, but not on any of their other platforms. However, many articles online showed the shortcomings of their password blacklisting. For example, Password1 is one of the most easily hacked passwords, and many times people will change an “S” to a “$” and an “O” to a “0” thinking it will create a more secure password. Character substitutions are one of the oldest tricks in the book, yet Microsoft’s password blacklisting still allowed Pa$$w0rd1 as an acceptable password.

Fast forward two years and Microsoft Azure has released Azure AD Password Protection for Windows Server Active Directory. According to their website, there are three paid versions of Azure AD Password Protection ranging from $1 to $9 per user per month, with an annual commitment required. The major draw of the new Azure AD Password Protection Service is the custom banned password list and password blacklisting. There are two components to the password blacklisting. The first component is a global banned password list, and the second is a custom password list that a company can fill with entries such as their company name, local sports teams, local landmarks, and nearby cities. The custom banned password list in Azure AD Password Protection requires a paid subscription.

Limitations to Azure AD Password Protection:

None of the Azure AD Password Protection Service’s articles speak about enhancing the password policy beyond password blacklisting. A few capabilities we also think are important: requiring all four character sets, requiring a higher minimum password length than Windows Password Complexity currently allows, requiring spaces to encourage the use of passphrases, and rejecting passwords that contain consecutive identical characters.

As stated at the beginning, Microsoft did a poor job with character substitutions in their initial attempt at password blacklisting. The only examples the Azure AD Password Protection Service lists are “o” and “0” or “a” and “@”. Beyond this, we are not sure which additional character substitutions will be checked, such as “s” and “$” or “E” and “3”.

The custom password dictionary for the Azure AD Password Protection Service is limited to 1,000 words. Although the global banned password list is supposed to be very comprehensive, we do not know which passwords it includes. Therefore, a custom password dictionary of only 1,000 entries does not seem to be enough to ensure all commonly used passwords will be prohibited, especially since Microsoft recommends that companies add industry-specific terms, the company name, sports teams, and other words of that kind. According to their website, the Azure AD Identity Protection team routinely looks for commonly used passwords and adds them to the global banned password list. This list is not released to the public, so companies do not know how secure or insecure it really is.
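The three gaps above (no complexity rules beyond blacklisting, unclear substitution handling, and a small custom list layered on an opaque global one) come together in a single check at password-change time. The following is an added example written for this post, not Microsoft’s or nFront’s code. It undoes a table of character substitutions before comparing against a banned list, then applies the extra rules the previous section asks for. Both banned lists, the substitution table beyond o/0 and a/@, and the 15-character minimum are constructed assumptions for the example.

```python
"""Password-policy checker: banned-word matching after substitution
normalization, plus complexity rules a blacklist alone does not give you.

Added example for illustration; the lists and thresholds are constructed."""
from __future__ import annotations

import re

# Constructed stand-ins: a tiny "global" list and a company-specific custom
# list (company name, city, sports team), as the post describes.
GLOBAL_BANNED = {"password", "welcome", "qwerty", "letmein"}
CUSTOM_BANNED = {"contoso", "seattle", "seahawks"}

# Substitutions undone before the banned-list comparison. The post names o/0
# and a/@ as Microsoft's documented examples and asks about s/$ and E/3;
# the remaining pairs are assumptions for this example.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "@": "a", "$": "s", "5": "s", "3": "e",
    "1": "i", "!": "i", "|": "l", "7": "t", "4": "a",
})

MIN_LENGTH = 15  # assumed value; the point is that it is policy-driven


def normalize(password: str) -> str:
    """Lowercase and undo substitutions so Pa$$w0rd1 compares as passwordi."""
    return password.lower().translate(SUBSTITUTIONS)


def banned_tokens(password: str, banned: set[str]) -> list[str]:
    """Return every banned word the normalized password contains, sorted.
    Substring matching catches 'Seahawks2024!' as well as bare 'seahawks'."""
    norm = normalize(password)
    return sorted(word for word in banned if word in norm)


def policy_failures(password: str) -> list[str]:
    """Return a list of human-readable rule violations (empty = acceptable)."""
    failures: list[str] = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # All four character sets must be present; whitespace is not a symbol.
    classes = [
        ("uppercase", re.search(r"[A-Z]", password)),
        ("lowercase", re.search(r"[a-z]", password)),
        ("digit", re.search(r"[0-9]", password)),
        ("symbol", re.search(r"[^A-Za-z0-9\s]", password)),
    ]
    missing = [name for name, found in classes if not found]
    if missing:
        failures.append("missing character class(es): " + ", ".join(missing))

    # A required space nudges users toward passphrases.
    if " " not in password:
        failures.append("no space (passphrases encouraged)")

    # Any character immediately repeated, e.g. the '$$' in Pa$$w0rd1.
    if re.search(r"(.)\1", password):
        failures.append("consecutive identical characters")

    for word in banned_tokens(password, GLOBAL_BANNED | CUSTOM_BANNED):
        failures.append(f"contains banned word '{word}' after normalization")

    return failures


def is_acceptable(password: str) -> bool:
    return not policy_failures(password)


if __name__ == "__main__":
    for candidate in ("Pa$$w0rd1", "Se@ttle Seahawks #12!", "Blue Ocean Lamp 7!"):
        print(candidate, "->", policy_failures(candidate) or "OK")
```

Because normalization runs before the substring comparison, a 1,000-entry custom list covers every leet variant of each entry rather than needing one entry per spelling, and the complexity rules apply regardless of what the unpublished global list contains.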

Finally, updates to the custom password dictionary used for blacklisting in the Azure AD Password Protection Service can take several hours to become active. No specific time is given, so a company does not know what to expect from this delay.

Bottom Line:

Microsoft has been around for decades; however, they are new to password filtering services. nFront Security has been around since 1997 providing Windows password filters for companies to enhance their password policy by increasing what Microsoft allows in Windows Password Complexity and being able to have a custom multi-million word password blacklist file. Give the nFront Password Filter a try, along with numerous Fortune 100 and 500 companies in over 50 countries, today with a free trial!
