Eliminate bad passwords in your organization

Industry leaders tell you not to use the same password in multiple places, to make it complex, and not to make it as simple as "Password123". How can organizations guarantee that their users are following best-practice guidance? How can they make sure users aren't using weak passwords, or even variations on weak passwords?

The initial step in having stronger passwords is to provide guidance to your users. Microsoft's current guidance on this topic can be found at the following link:

Microsoft Password Guidance

Having good guidance is important, but even with that, we know that many users will still end up choosing weak passwords. Azure AD Password Protection protects your organization by detecting and blocking known weak passwords and their variants, as well as optionally blocking additional weak terms that are specific to your organization.

For more information about current security efforts, see the Microsoft Security Intelligence Report.

Global banned password list

The Azure AD Identity Protection team constantly analyzes Azure AD security telemetry data looking for commonly used weak or compromised passwords, or more specifically, the weak base terms that are often used as the basis for weak passwords. When such weak terms are found, they are added to the global banned password list. The contents of the global banned password list are not based on any external data source. The global banned password list is based entirely on the ongoing results of Azure AD security telemetry and analysis.

Whenever a password is changed or reset for any user in any tenant in Azure AD, the current version of the global banned password list is used as the key input when validating the strength of the password. This validation results in much stronger passwords for all Azure AD customers.

Note

Cyber-criminals also use similar strategies in their attacks. Therefore, Microsoft does not publish the contents of this list publicly.

Custom banned password list

Some organizations may want to improve security even further by adding their own customizations on top of the global banned password list, in what Microsoft calls the custom banned password list. Microsoft recommends that terms added to this list be primarily organization-specific terms such as:

  • Brand names
  • Product names
  • Locations (for example, company headquarters)
  • Company-specific internal terms
  • Abbreviations that have specific company meaning

Once terms are added to the custom banned password list, they are combined with the terms in the global banned password list when validating passwords.

Note

The custom banned password list is limited to a maximum of 1000 terms. It is not designed for blocking extremely large lists of passwords. To fully leverage the benefits of the custom banned password list, Microsoft recommends that you first review and understand the password evaluation algorithm (see How are passwords evaluated) before adding new terms to the custom banned list. Understanding how the algorithm works will enable your enterprise to efficiently detect and block large numbers of weak passwords and their variants.

For example: consider a customer named "Contoso" that is based in London and makes a product named "Widget". For such a customer, it would be wasteful, as well as less secure, to try to block specific variations of these terms such as:

  • "Contoso!1"
  • "Contoso@London"
  • "ContosoWidget"
  • "!Contoso"
  • "LondonHQ"
  • ...etcetera

Instead, it is much more efficient and secure to block only the key base terms:

  • "Contoso"
  • "London"
  • "Widget"

The password validation algorithm will then automatically block weak variants and combinations of the above.

The custom banned password list and the ability to enable on-premises Active Directory integration are managed using the Azure portal.

[Screenshot: Modify the custom banned password list under Authentication methods]

Password spray attacks and third-party compromised password lists

One key benefit of Azure AD password protection is that it helps you defend against password spray attacks. Most password spray attacks do not attempt to attack any given individual account more than a few times, since such behavior greatly increases the likelihood of detection, either via account lockout or other means. The majority of password spray attacks therefore rely on submitting only a small number of the known weakest passwords against each of the accounts in an enterprise. This technique allows the attacker to quickly search for an easily compromised account while at the same time avoiding potential detection thresholds.

Azure AD password protection is designed to efficiently block all known weak passwords that are likely to be used in password spray attacks, based on real-world security telemetry data as seen by Azure AD. Microsoft is aware of third-party websites that enumerate millions of passwords that have been compromised in previous publicly known security breaches. It is common for third-party password validation products to be based on brute-force comparison against those millions of passwords. Microsoft feels that such techniques are not the best way to improve overall password strength, given the typical strategies used by password spray attackers.

Note

The Microsoft global banned password list is not based in any way on third-party data sources, including compromised password lists.

Although the Microsoft global banned list is small in comparison to some third-party bulk lists, its security effects are amplified by the fact that it is sourced from real-world security telemetry on actual password spray attacks, plus the fact that the Microsoft password validation algorithm uses smart fuzzy-matching techniques. The end result is that it efficiently detects and blocks millions of the most common weak passwords from being used in your enterprise. Customers who choose to add organization-specific terms to the custom banned password list also benefit from the same algorithm.

Additional information on password-based security issues may be reviewed at Your Pa$$word doesn't matter.

On-premises hybrid scenarios

Protecting cloud-only accounts is helpful, but many organizations maintain hybrid scenarios including on-premises Windows Server Active Directory. The security benefits of Azure AD password protection may also be extended into your Windows Server Active Directory environment via the installation of on-premises agents. Users and administrators who change or reset passwords in Active Directory are then required to comply with the same password policy as cloud-only users.

How are passwords evaluated

Whenever a user changes or resets their password, the new password is checked for strength and complexity by validating it against the combined list of terms from the global and custom banned password lists (if the latter is configured).

Even if a user's password contains a banned password, the password may still be accepted if the overall password is otherwise strong enough. A newly configured password goes through the following steps to assess its overall strength and determine whether it should be accepted or rejected.

Step 1: Normalization

A new password first goes through a normalization process. This technique allows a small set of banned passwords to be mapped to a much larger set of potentially weak passwords.

Normalization has two parts. First, all uppercase letters are changed to lower case. Second, common character substitutions are performed, for example:

  Original letter   Substituted letter
  '0'               'o'
  '1'               'l'
  '$'               's'
  '@'               'a'

Example: assume that the password "blank" is banned, and a user tries to change their password to "Bl@nK". Even though "Bl@nK" is not specifically banned, the normalization process converts this password to "blank", which is a banned password.

Step 2: Check if password is considered banned

Fuzzy matching behavior

Fuzzy matching is used on the normalized password to identify whether it contains a password found on either the global or the custom banned password list. The matching process is based on an edit distance of one (1).

Example: assume that the password "abcdef" is banned, and a user tries to change their password to one of the following:

  • 'abcdeg' (last character changed from 'f' to 'g')
  • 'abcdefg' ('g' appended to end)
  • 'abcde' (trailing 'f' deleted from end)

None of the above passwords specifically matches the banned password "abcdef". However, since each example is within an edit distance of 1 of the banned term 'abcdef', they are all considered a match to "abcdef".

Substring matching (on specific terms)

Substring matching is used on the normalized password to check for the user's first and last name as well as the tenant name (note that tenant name matching is not done when validating passwords on an Active Directory domain controller).

Example: assume that we have a user, Pol, who wants to reset their password to "P0l123fb". After normalization, this password would become "pol123fb". Substring matching finds that the password contains the user's first name "Pol". Even though "P0l123fb" was not specifically on either banned password list, substring matching found "Pol" in the password. Therefore this password would be rejected.

Score Calculation

The next step is to identify all instances of banned passwords in the user's normalized new password. Then:

  1. Each banned password that is found in a user's password is given one point.
  2. Each remaining unique character is given one point.
  3. A password must be at least five (5) points for it to be accepted.

For the next two examples, let's assume that Contoso is using Azure AD Password Protection and has "contoso" on their custom list. Let's also assume that "blank" is on the global list.

Example: a user changes their password to "C0ntos0Blank12"

After normalization, this password becomes "contosoblank12". The matching process finds that this password contains two banned passwords: contoso and blank. This password is then given a score:

[contoso] + [blank] + [1] + [2] = 4 points

Since this password is under five (5) points, it is rejected.

Example: a user changes their password to "ContoS0Bl@nkf9!".

After normalization, this password becomes "contosoblankf9!". The matching process finds that this password contains two banned passwords: contoso and blank. This password is then given a score:

[contoso] + [blank] + [f] + [9] + [!] = 5 points

Since this password is at least five (5) points, it is accepted.

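As an added illustration (not Microsoft's code or the service's actual algorithm), the following Python models the steps described above: normalization with the substitution table, edit-distance-1 fuzzy matching, substring matching on the user's name, and the point-based score; it reproduces the Contoso/blank scoring examples and also shows why a variant such as "Contoso!1" is already caught once the base term "Contoso" is on the custom list. Because the real matching rules are not published, the sliding-window matching and the longest-term-first ordering are assumptions.

```python
# Added example, not Microsoft's code: a simplified model of the evaluation steps
# on this page. Banned terms and names passed in by callers are constructed samples.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

def normalize(password: str) -> str:
    """Step 1: lower-case, then apply the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) >= len(b):   # skip a char of the longer string, or of both if equal
            i += 1
        if len(b) >= len(a):
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1

def fuzzy_find(text: str, term: str):
    """Step 2 (fuzzy): first window of text within edit distance 1 of term, as (start, size)."""
    for size in (len(term), len(term) - 1, len(term) + 1):  # exact length first (assumption)
        for start in range(len(text) - size + 1):
            if size > 0 and within_one_edit(text[start:start + size], term):
                return start, size
    return None

def evaluate(password: str, banned, names=()) -> tuple:
    """Return (points, accepted). names: user's first/last name and tenant name."""
    norm = normalize(password)
    if any(normalize(n) in norm for n in names if n):  # substring match on names: reject
        return 0, False
    points, remaining = 0, norm
    for term in sorted(banned, key=len, reverse=True):  # longest banned terms first (assumption)
        hit = fuzzy_find(remaining, term)
        if hit:
            start, size = hit
            remaining = remaining[:start] + remaining[start + size:]
            points += 1                    # one point per banned term found
    points += len(set(remaining))          # one point per remaining unique character
    return points, points >= 5
```
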
Important

Please note that the banned password algorithm, along with the global list, can and do change at any time in Azure based on ongoing security analysis and research. For the on-premises DC agent service, updated algorithms only take effect after the DC agent software is re-installed.

License requirements

                                                                      Azure AD password protection with global banned password list   Azure AD password protection with custom banned password list
  Cloud-only users                                                    Azure AD Free                                                   Azure AD Premium P1 or P2
  Users synchronized from on-premises Windows Server Active Directory Azure AD Premium P1 or P2                                       Azure AD Premium P1 or P2

Note

On-premises Windows Server Active Directory users that are not synchronized to Azure Active Directory also get the benefits of Azure AD password protection based on the existing licensing for synchronized users.

Additional licensing information, including costs, can be found on the Azure Active Directory pricing site.

What do users see

When a user attempts to reset a password to something that would be banned, they see the following error message:

Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.

Next steps