Eliminate bad passwords using Azure Active Directory Password Protection

A lot of security guidance recommends that you don't use the same password in multiple places, to make it complex, and to avoid simple passwords like Password123. You can provide your users with guidance on how to choose passwords, but weak or insecure passwords are often still used. Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization.

With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.

You should use additional features like Azure AD Multi-Factor Authentication, not just rely on strong passwords enforced by Azure AD Password Protection. For more information on using multiple layers of security for your sign-in events, see Your Pa$$word doesn't matter.

Important

This conceptual article explains to an administrator how Azure AD Password Protection works. If you're an end user already registered for self-service password reset and need to get back into your account, go to https://aka.ms/sspr.

If your IT team hasn't enabled the ability to reset your own password, reach out to your helpdesk for additional assistance.

Global banned password list

The Azure AD Identity Protection team constantly analyzes Azure AD security telemetry data looking for commonly used weak or compromised passwords. Specifically, the analysis looks for base terms that often are used as the basis for weak passwords. When weak terms are found, they're added to the global banned password list. The contents of the global banned password list aren't based on any external data source, but on the results of Azure AD security telemetry and analysis.

When a password is changed or reset for any user in an Azure AD tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Azure AD customers.

The global banned password list is automatically applied to all users in an Azure AD tenant. There's nothing to enable or configure, and it can't be disabled. This global banned password list is applied to users when they change or reset their own password through Azure AD.

Note

Cyber-criminals also use similar strategies in their attacks to identify common weak passwords and variations. To improve security, Microsoft doesn't publish the contents of the global banned password list.

Custom banned password list

Some organizations want to improve security and add their own customizations on top of the global banned password list. To add your own entries, you can use the custom banned password list. Terms added to the custom banned password list should be focused on organizational-specific terms such as the following examples:

  • Brand names
  • Product names
  • Locations, such as company headquarters
  • Company-specific internal terms
  • Abbreviations that have specific company meaning

When terms are added to the custom banned password list, they're combined with the terms in the global banned password list. Password change or reset events are then validated against the combined set of these banned password lists.

Note

The custom banned password list is limited to a maximum of 1000 terms. It's not designed for blocking extremely large lists of passwords.

To fully leverage the benefits of the custom banned password list, first understand how passwords are evaluated before you add terms to the custom banned list. This approach lets you efficiently detect and block large numbers of weak passwords and their variants.

Modify the custom banned password list under Authentication Methods

Let's consider a customer named Contoso. The company is based in London and makes a product named Widget. For this example customer, it would be wasteful and less secure to try to block specific variations of these terms such as the following:

  • "Contoso!1"
  • "Contoso@London"
  • "ContosoWidget"
  • "!Contoso"
  • "LondonHQ"

Instead, it's much more efficient and secure to block only the key base terms, such as the following examples:

  • "Contoso"
  • "London"
  • "Widget"

The password validation algorithm then automatically blocks weak variants and combinations.

To get started with using a custom banned password list, complete the following tutorial:

Password spray attacks and third-party compromised password lists

Azure AD Password Protection helps you defend against password spray attacks. Most password spray attacks don't attempt to attack any given individual account more than a few times. This behavior would increase the likelihood of detection, either via account lockout or other means.

Instead, the majority of password spray attacks submit only a small number of the known weakest passwords against each of the accounts in an enterprise. This technique allows the attacker to quickly search for an easily compromised account and avoid potential detection thresholds.

Azure AD Password Protection efficiently blocks all known weak passwords likely to be used in password spray attacks. This protection is based on real-world security telemetry data from Azure AD to build the global banned password list.

There are some third-party websites that enumerate millions of passwords that have been compromised in previous publicly known security breaches. It's common for third-party password validation products to be based on brute-force comparison against those millions of passwords. However, those techniques aren't the best way to improve overall password strength given the typical strategies used by password spray attackers.

Note

The global banned password list isn't based on any third-party data sources, including compromised password lists.

Although the global banned list is small in comparison to some third-party bulk lists, it's sourced from real-world security telemetry on actual password spray attacks. This approach improves the overall security and effectiveness, and the password validation algorithm also uses smart fuzzy-matching techniques. As a result, Azure AD Password Protection efficiently detects and blocks millions of the most common weak passwords from being used in your enterprise.

On-premises hybrid scenarios

Many organizations have a hybrid identity model that includes on-premises Active Directory Domain Services (AD DS) environments. To extend the security benefits of Azure AD Password Protection into your AD DS environment, you can install components on your on-premises servers. These agents require password change events in the on-premises AD DS environment to comply with the same password policy as in Azure AD.

For more information, see Enforce Azure AD Password Protection for AD DS.

How are passwords evaluated

When a user changes or resets their password, the new password is checked for strength and complexity by validating it against the combined list of terms from the global and custom banned password lists.

Even if a user's password contains a banned password, the password may be accepted if the overall password is otherwise strong enough. A newly configured password goes through the following steps to assess its overall strength to determine if it should be accepted or rejected:

Step 1: Normalization

A new password first goes through a normalization process. This technique allows for a small set of banned passwords to be mapped to a much larger set of potentially weak passwords.

Normalization has the following two parts:

  • All uppercase letters are changed to lower case.

  • Then, common character substitutions are performed, such as in the following example:

    Original letter   Substituted letter
    0                 o
    1                 l
    $                 s
    @                 a

Consider the following example:

  • The password "blank" is banned.
  • A user tries to change their password to "Bl@nK".
  • Even though "Bl@nK" isn't banned, the normalization process converts this password to "blank".
  • This password would be rejected.

Step 2: Check if password is considered banned

A password is then examined for other matching behavior, and a score is generated. This final score determines if the password change request is accepted or rejected.

Fuzzy matching behavior

Fuzzy matching is used on the normalized password to identify if it contains a password found on either the global or the custom banned password lists. The matching process is based on an edit distance of one (1) comparison.

Consider the following example:

  • The password "abcdef" is banned.

  • A user tries to change their password to one of the following:

    • 'abcdeg' - last character changed from 'f' to 'g'
    • 'abcdefg' - 'g' appended to the end
    • 'abcde' - trailing 'f' deleted from the end

  • None of these passwords exactly matches the banned password "abcdef". However, since each example is within an edit distance of 1 of the banned term "abcdef", they're all considered a match to "abcdef".

  • These passwords would be rejected.

Substring matching (on specific terms)

Substring matching is used on the normalized password to check for the user's first and last name as well as the tenant name. Tenant name matching isn't done when validating passwords on an AD DS domain controller for on-premises hybrid scenarios.

Important

Substring matching is only enforced for names and other terms that are at least four characters long.

Consider the following example:

  • A user named Poll wants to reset their password to "p0LL23fb".
  • After normalization, this password would become "poll23fb".
  • Substring matching finds that the password contains the user's first name "Poll".
  • Even though "poll23fb" wasn't specifically on either banned password list, substring matching found "Poll" in the password.
  • This password would be rejected.

Score Calculation

The next step is to identify all instances of banned passwords in the user's normalized new password. Points are assigned based on the following criteria:

  1. Each banned password that's found in a user's password is given one point.
  2. Each remaining unique character is given one point.
  3. A password must be at least five (5) points to be accepted.

For the next two example scenarios, Contoso is using Azure AD Password Protection and has "contoso" on their custom banned password list. Let's also assume that "blank" is on the global list.

In the following example scenario, a user changes their password to "C0ntos0Blank12":

  • After normalization, this password becomes "contosoblank12".

  • The matching process finds that this password contains two banned passwords: "contoso" and "blank".

  • This password is then given the following score:

    [contoso] + [blank] + [1] + [2] = 4 points

  • As this password is under five (5) points, it's rejected.

Let's look at a slightly different example to show how additional complexity in a password can build the required number of points to be accepted. In the following example scenario, a user changes their password to "ContoS0Bl@nkf9!":

  • After normalization, this password becomes "contosoblankf9!".

  • The matching process finds that this password contains two banned passwords: "contoso" and "blank".

  • This password is then given the following score:

    [contoso] + [blank] + [f] + [9] + [!] = 5 points

  • As this password is at least five (5) points, it's accepted.

Important

The banned password algorithm and the global banned password list can and do change at any time in Azure, based on ongoing security analysis and research.

For the on-premises DC agent service in hybrid scenarios, updated algorithms only take effect after the DC agent software is upgraded.

What do users see

When a user attempts to reset a password to something that would be banned, the following error message is displayed:

"Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password."

License requirements

Users                                       Azure AD Password Protection with global banned password list   Azure AD Password Protection with custom banned password list
Cloud-only users                            Azure AD Free                                                   Azure AD Premium P1 or P2
Users synchronized from on-premises AD DS   Azure AD Premium P1 or P2                                       Azure AD Premium P1 or P2

Note

On-premises AD DS users that aren't synchronized to Azure AD also benefit from Azure AD Password Protection based on existing licensing for synchronized users.

Additional licensing information, including costs, can be found on the Azure Active Directory pricing site.

Next steps

To get started with using a custom banned password list, complete the following tutorial:

You can then also enable on-premises Azure AD Password Protection.