These days, guessing weak passwords on high-value accounts such as the ones behind Single Sign-On (SSO) usually comes down to one of two basic techniques: brute forcing or password spraying.
Brute forcing (strictly, dictionary guessing) tries many candidate passwords against one account until it finds the right one, but it runs straight into lockout policies that cap the number of failed attempts allowed per account within a given period.
Password spraying turns this around: it tries a handful of the most common passwords against many accounts, typically one attempt per account per lockout window, so that no single account trips the threshold and the failures are spread thinly enough to escape notice.
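The difference between the two patterns is what a defender looks for in the sign-in log. The following is an added example, not code from the article or from Microsoft: it runs two simple heuristics over a constructed set of sign-in records shaped loosely like Azure AD sign-in events (timestamp, user, source IP, result). The thresholds and the record format are assumptions made for this illustration.

```python
"""Spot brute forcing and password spraying in failed sign-ins.

Added example. The log lines in SAMPLE_LOG are constructed for this
demonstration and are not real data; the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP hammering a single account (brute force),
# one IP trying each of six accounts once, ten minutes apart (spraying),
# and a legitimate user mistyping twice before succeeding.
SAMPLE_LOG = """\
2018-06-20T09:00:01Z alice@example.com 203.0.113.7 FAILURE
2018-06-20T09:00:03Z alice@example.com 203.0.113.7 FAILURE
2018-06-20T09:00:05Z alice@example.com 203.0.113.7 FAILURE
2018-06-20T09:00:07Z alice@example.com 203.0.113.7 FAILURE
2018-06-20T09:00:09Z alice@example.com 203.0.113.7 FAILURE
2018-06-20T09:00:11Z alice@example.com 203.0.113.7 FAILURE
2018-06-20T09:10:00Z carol@example.com 198.51.100.9 FAILURE
2018-06-20T09:20:00Z dave@example.com 198.51.100.9 FAILURE
2018-06-20T09:30:00Z erin@example.com 198.51.100.9 FAILURE
2018-06-20T09:40:00Z frank@example.com 198.51.100.9 FAILURE
2018-06-20T09:50:00Z grace@example.com 198.51.100.9 FAILURE
2018-06-20T10:00:00Z heidi@example.com 198.51.100.9 FAILURE
2018-06-20T09:15:00Z bob@example.com 192.0.2.20 FAILURE
2018-06-20T09:15:20Z bob@example.com 192.0.2.20 FAILURE
2018-06-20T09:15:40Z bob@example.com 192.0.2.20 SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated records into (time, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(ip, user): total failures} for pairs with >= threshold failures
    inside one sliding window. This is the pattern a per-account lockout catches."""
    by_pair = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            by_pair[(ip, user)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                hits[pair] = len(times)
                break
    return hits


def find_spraying(events, min_accounts=5, max_per_account=2, window=timedelta(hours=1)):
    """Return {ip: set of users} for sources that fail against many distinct
    accounts, each only a few times, inside one window. Per-account lockout
    never fires here; only correlating across accounts by source reveals it."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        j = 0
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > window:
                j += 1
            counts = Counter(u for _, u in fails[j:i + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[ip] = {u for _, u in fails}
                break
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force:", find_brute_force(evts))
    print("spraying:", find_spraying(evts))
```

Run stand-alone it flags 203.0.113.7 against alice as brute force and 198.51.100.9 as a spray across six accounts, while bob's two mistakes from 192.0.2.20 trip neither rule. The point of the second heuristic is that it keys on the source and the number of distinct accounts rather than on failures per account, which is exactly the dimension a per-account lockout cannot see.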
If you’re an Azure AD Premium P1 customer, whether you use Microsoft’s Azure AD cloud service or Windows Server Active Directory on premises, the company has just released a preview of a new tool to block this kind of attack.
Called Azure AD Password Protection, the tool prevents users from setting any password on Microsoft’s list of the 500 most common and easily guessed examples, plus around one million of the most frequent character-substitution variants of them.
Admins can supplement this with their own list of blocked terms specific to their organisation (for example the company name or product names).
Traditionally, password rules have worked the other way around: any password was allowed as long as it met a minimum length and a complexity rule (mixed case, digits, symbols).
This approach has struggled because what users think is long and complex, passwords like “P@$$w0rd1!”, can turn out to be weak because everyone reaches for the same guessable variations of the same few words.
There is also a tendency to reuse passwords across services, which means that one cracked password becomes an open sesame for multiple accounts.
For this reason, US standards body NIST’s 2017 password guidance (SP 800-63B) was updated to promote the approach used by Azure AD Password Protection:
It is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords.
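What a list check of this kind involves in practice, for the banned list and custom list described above and for the NIST recommendation just quoted, is shown by the following added example. It is not Microsoft’s code: the normalisation map, the scoring rule, the thresholds and both word lists are assumptions made for this illustration, not Azure AD Password Protection’s real algorithm or its real list.

```python
"""Banned-password check of the kind NIST SP 800-63B recommends.

Added example, not Microsoft's code. Everything below (the leet map, the
score threshold and both banned lists) is an assumption for illustration.
"""

# Constructed stand-in for a global banned list of common passwords.
GLOBAL_BANNED = {"password", "letmein", "qwerty", "welcome", "iloveyou", "abc123", "monkey"}

# Constructed organisation-specific terms, as an admin would add them.
CUSTOM_BANNED = {"contoso", "widgetco"}

# Common character substitutions to undo before comparing (assumed map).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 8
MIN_SCORE = 5  # assumed threshold: how much non-banned material must remain


def normalize(password: str) -> str:
    """Lower-case and undo leet-speak so that 'P@$$w0rd' and 'password' compare equal."""
    return password.lower().translate(LEET)


def banned_matches(norm: str, banned_norm: set) -> list:
    """Banned terms (already normalised) found inside the normalised password, longest first."""
    return sorted((t for t in banned_norm if t in norm), key=len, reverse=True)


def score(norm: str, banned_norm: set) -> int:
    """One point per banned term found, plus one per character left after removing them.
    A password built only from banned words and a digit or two scores low."""
    matches = banned_matches(norm, banned_norm)
    rest = norm
    for term in matches:
        rest = rest.replace(term, "")
    return len(matches) + len(rest)


def check_password(password: str, extra_banned: set = CUSTOM_BANNED):
    """Return (accepted, reason). Length is checked first, then the banned-list score."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    # Normalise the list too, otherwise entries containing digits never match.
    banned_norm = {normalize(t) for t in GLOBAL_BANNED | extra_banned}
    norm = normalize(password)
    if score(norm, banned_norm) < MIN_SCORE:
        matches = banned_matches(norm, banned_norm)
        return False, "too close to banned term(s): " + ", ".join(matches)
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@$$w0rd1!", "Contoso!Welcome1", "qwerty", "correct horse battery staple"]:
        print(repr(pw), check_password(pw))
```

Normalising both the candidate and the list is what turns 500 base words into the million-odd variants: “P@$$w0rd1!” collapses to “passwordii”, which contains “password” and leaves only two characters of its own, so it is rejected; “Contoso!Welcome1” fails for the same reason against the custom list. A check like this is only ever as good as the list, which is the limitation the next paragraph raises.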
The theory is sound, but there are limitations. For a start, is 500 common passwords plus variations enough? In many cases, yes, but a list can only catch passwords that are weak in advance. A strong, unique password that leaks in a third-party breach sails through the check and is still an easy guess for anyone holding the dump.
This might be why Microsoft has also released a second Azure tool, Smart Lockout:
Smart Lockout is our lockout system that uses cloud intelligence to lock out bad actors who are trying to guess your users’ passwords. That intelligence can recognize sign-ins coming from valid users and treats those differently than ones that attackers and other unknown sources.
UPDATE, 26 June 2018: In a separate post, Microsoft has announced a public preview of a setting that will make multi-factor authentication (MFA) the default for Azure AD admin accounts.