Eliminate bad passwords in your organization

Industry leaders tell you not to use the same password in multiple places, to make it complex, and not to make it simple like Password123. How can organizations guarantee that their users are following this guidance? How can they make sure users aren't using common passwords, or passwords that are known to be included in recent data breaches?

Global banned password list

Microsoft is always working to stay one step ahead of cyber-criminals. The Azure AD Identity Protection team therefore continually looks for commonly used and compromised passwords, and blocks those that are deemed too common in what is called the global banned password list. Cyber-criminals use similar strategies in their attacks, so Microsoft does not publish the contents of this list publicly. These vulnerable passwords are blocked before they become a real threat to Microsoft's customers. For more information about current security efforts, see the Microsoft Security Intelligence Report.

Custom banned password list

Some organizations may want to take security one step further by adding their own customizations on top of the global banned password list, in what Microsoft calls the custom banned password list. Enterprise customers like Contoso could then choose to block variants of their brand names, company-specific terms, or other items.

The custom banned password list and the ability to enable on-premises Active Directory integration are managed using the Azure portal.

[Screenshot: Modify the custom banned password list under Authentication methods]

On-premises hybrid scenarios

Protecting cloud-only accounts is helpful, but many organizations maintain hybrid scenarios that include on-premises Windows Server Active Directory. It is possible to install the Azure AD password protection agents for Windows Server Active Directory on-premises to extend the banned password lists to your existing infrastructure. Users and administrators who change, set, or reset passwords on-premises are then required to comply with the same password policy as cloud-only users.

How are passwords evaluated

Whenever a user changes or resets their password, the new password is checked for strength and complexity by validating it against both the global and the custom banned password list (if the latter is configured).

Even if a user's password contains a banned password, the password may still be accepted if the overall password is otherwise strong enough. A newly configured password goes through the following steps, which assess its overall strength and determine whether it is accepted or rejected.

Step 1: Normalization

A new password first goes through a normalization process. This allows a small set of banned passwords to be mapped to a much larger set of potentially weak passwords.

Normalization has two parts. First, all uppercase letters are changed to lower case. Second, common character substitutions are performed, for example:

| Original letter | Substituted letter |
|-----------------|--------------------|
| '0'             | 'o'                |
| '1'             | 'l'                |
| '$'             | 's'                |
| '@'             | 'a'                |

Example: assume that the password "blank" is banned, and a user tries to change their password to "Bl@nK". Even though "Bl@nK" is not specifically banned, the normalization process converts this password to "blank", which is a banned password.

Step 2: Check if password is considered banned

Fuzzy matching behavior

Fuzzy matching is used on the normalized password to identify whether it contains a password found on either the global or the custom banned password list. The matching process is based on an edit distance of one (1).

Example: assume that the password "abcdef" is banned, and a user tries to change their password to one of the following:

  'abcdeg'  (last character changed from 'f' to 'g')
  'abcdefg' ('g' appended to end)
  'abcde'   (trailing 'f' was deleted from end)

None of the above passwords exactly matches the banned password "abcdef". However, since each example is within an edit distance of 1 of the banned token 'abcdef', they are all considered a match to "abcdef".

Substring matching (on specific terms)

Substring matching is used on the normalized password to check for the user's first and last name as well as the tenant name (note that tenant name matching is not done when validating passwords on an Active Directory domain controller).

Example: assume that we have a user, Pol, who wants to reset their password to "P0l123fb". After normalization, this password would become "pol123fb". Substring matching finds that the password contains the user's first name "Pol". Even though "P0l123fb" was not specifically on either banned password list, substring matching found "Pol" in the password. Therefore this password would be rejected.

Score calculation

The next step is to identify all instances of banned passwords in the user's normalized new password. Then:

  1. Each banned password that is found in a user's password is given one point.
  2. Each remaining unique character is given one point.
  3. A password must score at least 5 points for it to be accepted.

For the next two examples, let's assume that Contoso is using Azure AD Password Protection and has "contoso" on their custom list. Let's also assume that "blank" is on the global list.

Example: a user changes their password to "C0ntos0Blank12"

After normalization, this password becomes "contosoblank12". The matching process finds that this password contains two banned passwords: contoso and blank. This password is then given a score:

[contoso] + [blank] + [1] + [2] = 4 points. Since this password is under 5 points, it is rejected.

Example: a user changes their password to "ContoS0Bl@nkf9!".

After normalization, this password becomes "contosoblankf9!". The matching process finds that this password contains two banned passwords: contoso and blank. This password is then given a score:

[contoso] + [blank] + [f] + [9] + [!] = 5 points. Since this password scores at least 5 points, it is accepted.
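The following is an added example, not Microsoft's code: a small model of the four steps described above (normalization, edit-distance-1 fuzzy matching, name substring matching, and scoring) so the worked examples on this page can be replayed. It assumes only the four substitutions listed in the table are applied, and that names are lowercased before the substring check; because '1' also maps to 'l', "P0l123fb" normalizes to "poll23fb" here rather than the "pol123fb" quoted above, but the name check rejects it either way.

```python
# Added example (not Microsoft's code): a model of the banned-password
# evaluation this article describes, so the worked examples can be replayed.
# Assumptions: only the four substitutions listed in the article are applied,
# and first/last/tenant names are lowercased before the substring check.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

def normalize(password: str) -> str:
    """Step 1: lowercase, then apply the common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def within_one_edit(a: str, b: str) -> bool:
    """True if a == b or they differ by one substitution, insertion or deletion."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    # Deleting one character from the longer string must yield the shorter one.
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))

def find_banned(normalized: str, banned: list) -> tuple:
    """Step 2: fuzzy-match each banned token (edit distance 1) against windows
    of the normalized password; return tokens found and the uncovered chars."""
    covered = [False] * len(normalized)
    found = []
    for token in banned:
        for size in (len(token), len(token) + 1, len(token) - 1):
            if size <= 0:
                continue
            starts = [s for s in range(len(normalized) - size + 1)
                      if not any(covered[s:s + size])
                      and within_one_edit(normalized[s:s + size], token)]
            if starts:
                found.append(token)
                covered[starts[0]:starts[0] + size] = [True] * size
                break
    leftover = [c for c, used in zip(normalized, covered) if not used]
    return found, leftover

def evaluate(password: str, banned: list, names: tuple = ()) -> tuple:
    """Return (accepted, score). Name/tenant substrings reject outright;
    otherwise 1 point per banned token plus 1 per remaining unique character,
    and 5 points are needed to pass."""
    norm = normalize(password)
    if any(n and n.lower() in norm for n in names):
        return False, 0
    found, leftover = find_banned(norm, banned)
    score = len(found) + len(set(leftover))
    return score >= 5, score
```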

Important

Please note that the banned password algorithm, along with the global list, can and does change at any time in Azure based on ongoing security analysis and research. For the on-premises DC agent service, updated algorithms only take effect after the DC agent software is re-installed.

License requirements

|                                                                  | Azure AD password protection with global banned password list | Azure AD password protection with custom banned password list |
|------------------------------------------------------------------|---------------------------------------------------------------|---------------------------------------------------------------|
| Cloud-only users                                                 | Azure AD Free                                                 | Azure AD Premium P1 or P2                                     |
| Users synchronized from on-premises Windows Server Active Directory | Azure AD Premium P1 or P2                                  | Azure AD Premium P1 or P2                                     |

Note

On-premises Windows Server Active Directory users that are not synchronized to Azure Active Directory also receive the benefits of Azure AD password protection, based on the existing licensing for synchronized users.

Additional licensing information, including costs, can be found on the Azure Active Directory pricing site.

What do users see

When a user attempts to reset a password to something that would be banned, they see the following error message:

Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.

Next steps