Why all the fuss over passwords?!?! Do Passwords even matter anymore?!?!
Rabon Bussey @ Produhktiv
Probably not when you think about it from a bad actor point of view, but that doesn’t mean we should stop using them …at least not yet. Let’s look at the landscape a bit to see if we can gain a better understanding of what can happen and what we can do about it.
To better understand the subject of passwords, let’s look at it from 2 very different points of view, the admin and the user. Guessing neither has a kind word to say about the other on this topic.
Okay, from the admin’s point of view. I need to protect the data, and that starts with making sure users authenticate to gain access to everything. If I follow best practices, it’s some form of a complex password: it expires every 90 days or sooner; it needs to have special character(s) and numbers; it needs to be at least a certain length; and you can’t re-use a recent password. Yep, that should do it, right? Pretty happy with that policy! Let’s see someone beat this!!
Now from the user point of view, oh no (I have heard more colorful language here, but let’s keep it G rated for now), I have to reset my password!! Why?!?! Okay, so what are those horrible rules again…it lasts 90 days, has to be 8 characters long, needs an ! mark or something and can’t re-use what I did last time…now where is that list of passwords I keep under the keyboard…ah, I got it, so this time last year, I used Spring2019! So now, let’s use Spring2020! Nobody will ever guess that one!! I am once again a genius!!
Okay, so I said 2 points of view, but there is one other person we need to consider. The bad actor (cue your favorite villain music). Does he or she care about either one of those points of view, or the policy for that matter? Not really. Okay, so if you use Spring2020! you may get a thank-you phish email for that effort (maybe he can get your social security number and date of birth too). That person can buy a list of compromised accounts, spray to land your login info, or phish for your credentials, and then policies may not matter. This is the point in the conversation where I would probably talk to you about Multi-Factor Authentication (MFA), biometrics, FIDO2, and PINs, but that will come a little later.
There are several ways a bad actor can compromise your security, and we will focus on the top three:
- Credential Stuffing – using stolen identity information to attempt to login.
- Phishing – emails that are asking you to update your information or telling you that you won a prize. Both get you to give up your login and password info.
- Spray Attacks – using a list of known identities and trying to log in with a common password, often one found on a list.
Did you know that a standard 8-character password can be guessed in less than a day? That is considering 96 possible characters in each position as well, which math tells us is 7,213,895,789,838,340 permutations. That’s a lot of guesses, and still, you can have it in less than a day. Maybe this explains why it’s easier to phish or try to spray for access than to use brute force.
So, what can we do, or what should we do to help here?
I am planning to show you some of the features that Microsoft offers that can potentially help you with your password policies and more.
This is the first article; in it I will cover Password Protection and Attack Simulator. I will follow this article with a look at:
- MFA and Conditional Access
- Biometrics including Windows Hello! and FIDO2 key
So now, let’s look at some ways we may be able to make this a little tougher on the bad actors by removing those weak passwords.
As a first step, if you are using Azure AD, I would suggest using Password protection, enabling a custom banned password list that is tailored to your org and trying a few spray attacks on your users. This can help you to see your password situation. It’s essential to have a baseline.
Password Protection, at a minimum, can help by preventing users from using common passwords, which is a start. Did you realize that Microsoft sees millions of usernames and password attacks every day? Did you know that they use the knowledge gained from these attacks to improve the security in Office 365 and, in turn, your security posture?
Let’s look at what all you can do with Password Protection by exploring some of the features. The features we will focus on are:
- Custom Smart Lockout
- Global banned password
- Custom banned passwords
- Enabling Password Protection for Domain Controller
- Mode – Enforced or Audit mode
- User Experience
Smart Lockout helps to lock your account when bad actors attempt to log in using brute force or spray attacks. The default lockout is for 60 seconds after 10 attempts. Smart Lockout tracks the last 3 passwords attempted, and if those are re-used, they don’t move the counter. It also tracks locations of the login attempts. This helps to lock out bad actors while allowing the actual user to continue to log in.
From Microsoft’s doc page:
When Smart Lockout locks a user account, we try our best not to lockout the genuine user. The lockout service attempts to ensure that bad actors can’t gain access to an actual user account.
- Each Azure Active Directory data center tracks lockout independently. A user will have (threshold_limit * datacenter_count) number of attempts, if the user hits each data center.
- Smart Lockout uses familiar location vs. unfamiliar location to differentiate between a bad actor and a genuine user. Strange and familiar locations will both have separate lockout counters.
If the account continues to get wrong password attempts, the lockout period will increase.
Smart Lockout can also be applied on-premises by applying a policy.
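To make the Smart Lockout behaviour above concrete, here is a small model of it in Python. This is an added example, not Microsoft’s code and not how the service is implemented; it only models what this article states: a failure counter per account, a 60-second lockout after 10 bad attempts, repeats of the last 3 wrong passwords not moving the counter, and separate counters for familiar and unfamiliar locations. The user names, IP addresses and passwords are constructed, and the doubling of the lockout period on each further lockout is an assumption standing in for the real escalation schedule, which the article does not give.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LOCKOUT_THRESHOLD = 10   # bad attempts before lockout (from the article)
LOCKOUT_SECONDS = 60     # first lockout duration (from the article)
RECENT_TRACKED = 3       # repeats of the last 3 bad passwords don't count (from the article)


def fingerprint(password: str) -> str:
    """Remember attempts by hash so the model never stores a password in clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Counter:
    """State for one (user, familiar-or-not) pair: familiar and unfamiliar locations count separately."""
    failures: int = 0
    locked_until: float = 0.0
    lockouts: int = 0
    recent: List[str] = field(default_factory=list)


@dataclass
class SmartLockout:
    correct: Dict[str, str]          # user -> fingerprint of the correct password (constructed)
    familiar: Dict[str, Set[str]]    # user -> source IPs seen before (constructed)
    counters: Dict[Tuple[str, bool], Counter] = field(default_factory=dict)

    def _counter(self, user: str, ip: str) -> Counter:
        known = ip in self.familiar.get(user, set())
        return self.counters.setdefault((user, known), Counter())

    def attempt(self, user: str, password: str, ip: str, now: float) -> str:
        """Return 'success', 'failed' or 'locked' for one sign-in attempt at time `now` (seconds)."""
        c = self._counter(user, ip)
        if now < c.locked_until:
            return "locked"              # even the right password is refused during lockout
        fp = fingerprint(password)
        if self.correct.get(user) == fp:
            c.failures = 0
            c.recent.clear()
            return "success"
        if fp in c.recent:
            return "failed"              # same wrong password again: counter does not move
        c.recent = (c.recent + [fp])[-RECENT_TRACKED:]
        c.failures += 1
        if c.failures >= LOCKOUT_THRESHOLD:
            c.lockouts += 1
            # Assumption: each further lockout doubles the duration; the real schedule is not on the page.
            c.locked_until = now + LOCKOUT_SECONDS * (2 ** (c.lockouts - 1))
            c.failures = 0
            return "locked"
        return "failed"


def demo() -> Tuple[List[str], str]:
    """Constructed scenario: 12 distinct guesses from an unknown IP, then the real user from a known one."""
    sl = SmartLockout(
        correct={"alice": fingerprint("correct horse battery staple")},
        familiar={"alice": {"10.0.0.5"}},
    )
    spray = [sl.attempt("alice", f"guess{i}!", "203.0.113.9", float(i)) for i in range(12)]
    genuine = sl.attempt("alice", "correct horse battery staple", "10.0.0.5", 12.0)
    return spray, genuine


if __name__ == "__main__":
    print(demo())
```

Running it shows the two points the article makes: the unfamiliar location is locked out on the tenth distinct guess and stays locked for the following attempts, while the genuine user from a familiar location still signs in, because that location has its own counter.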
Global banned password list
Microsoft constantly analyzes Azure AD security telemetry data looking for commonly used weak or compromised passwords. They are able to find the weak passwords that are used most often. When those new weak passwords are found, they are added to the global banned password list. It’s important to know that the global banned password list is not based on any external data source. Microsoft bases the global banned password list entirely on the ongoing results of Azure AD security telemetry and analysis.
When a password is changed or reset for a user in any tenant in Azure AD, the current version of the global banned password list is used when validating the strength of the password. This validation results in much stronger passwords for the user.
It’s important to note that bad actors use similar strategies in their attacks. For this reason, Microsoft does not publish the contents of this list publicly.
Why is this important? Glad you asked! Most attackers are working from a similar list, so they try the same passwords and often share what is working. Why give them any more hints at how to beat your security?
I was amazed when I recently saw a list of the top passwords. Here are the top 10 Microsoft was seeing in guessing attacks (July 2019) on their system:
Really!?!? Those are the passwords?? Why are they using those?? That seems crazy to me!! If they only used the password policy that we discussed above, none of these would have even worked. I often find myself getting into trouble when I apply my logic to other people’s thinking!! Well, they use them, quite frankly, because they have been working!! I am just struggling to even believe that, but that’s what makes this even more insightful. We want to believe everyone is doing the right thing, but the truth may tell a different story.
Let’s turn on the Custom banned password list. In the example below, I add Contoso and Produhktiv. It’s a great idea to take away some additional guessable targets that might not be in the broader password list like your company name, a product name, a local sports team name, your city, or phone number…you get the idea. We have the ability to tailor the password list to suit our needs, and we should do so.
Configure custom banned passwords
Let’s enable the custom banned password list and add some entries. You can add additional entries to the custom banned password list at any time.
To enable the custom banned password list and add entries to it, complete the following steps:
- Sign in to the Azure portal using an account with global administrator permissions.
- Search for and select Azure Active Directory, then choose Security from the menu on the left-hand side.
- Under the Manage menu header, select Authentication methods, then Password protection.
- Set the option to Enforce custom list to Yes.
- Add strings to the Custom banned password list, one string per line. The following considerations and limitations apply to the custom banned password list:
- The custom banned password list can contain up to 1000 terms.
- The custom banned password list is case-insensitive.
- The custom banned password list considers common character substitution, such as “o” and “0”, or “a” and “@.”
- The minimum string length is four characters, and the maximum is 16 characters.
Okay, so I love that it takes a basic password in the ban list and applies some logic. Explains why I don’t need a bunch of combinations of the same word or phrase!
You can specify your own custom passwords to ban and should, as shown in the following example. I would encourage you to explore what someone might think about when they think about your organization. Is there a product name, a city, an event, or maybe even a sports team that comes to mind when you think about your company? If so, it probably makes sense to add those to the custom list.
- Leave the option to Enable password protection on Windows Server Active Directory to No.
Enabling password protection should be considered for domain controllers so users can have the same protection you have in Office 365.
- To enable the custom banned passwords and your entries, select Save.
It may take several hours for updates to the custom banned password list to be applied.
For a hybrid environment, you can also deploy Azure AD password protection to an on-premises environment. The same global and custom banned password lists are used for both cloud and on-prem password change requests.
Test custom banned password list
To see the custom banned password list in action, try to change the password to a variation of one that you added in the previous section. When Azure AD tries to process the password change, the password is matched against an entry in the custom banned password list. An error is then displayed to the user.
Log in to portal.office.com. In the upper right-hand corner, you should see a picture of the user you are currently logged in as. Click on the picture and select My account.
Click on Security and Privacy -> Password and then attempt to change the password.
If you use a password that is in the known list, you get a message like the one below. The password I attempted to use was Winter2020!
If you use a password that is in the custom list, you get a message like the one below. The password I attempted to use was Contoso01!
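If you want to reason about which passwords the list will catch before you test in the portal, here is an offline model in Python of the matching rules described above (case-insensitive, common substitutions such as o/0 and a/@ undone before matching, 4 to 16 characters per entry, up to 1000 entries). It is an added example, not Microsoft’s code, and it only implements what this article states; the real service also does fuzzy matching and a scoring step that are not modelled here. The global list in the code is a constructed stand-in, since Microsoft does not publish the real one, and the $/s and 1/l substitutions are assumptions added to show how the table extends. The custom entries (Contoso, Produhktiv) and the two test passwords (Winter2020!, Contoso01!) are the ones used in this article.

```python
from typing import List, Tuple

# Substitutions undone before matching. The article names o/0 and a/@;
# $/s and 1/l are assumptions added for this example.
SUBSTITUTIONS = str.maketrans({"0": "o", "@": "a", "$": "s", "1": "l"})

# Constructed stand-in for Microsoft's global banned list, which is not published.
GLOBAL_BANNED = ["password", "winter", "spring", "summer", "autumn", "welcome"]

MAX_TERMS, MIN_LEN, MAX_LEN = 1000, 4, 16   # custom-list limits stated in the article


def normalize(text: str) -> str:
    """Case-insensitive comparison plus common substitutions, as the article describes."""
    return text.lower().translate(SUBSTITUTIONS)


def validate_custom_list(entries: List[str]) -> List[str]:
    """Enforce the custom-list limits and return the entries in normalized form."""
    if len(entries) > MAX_TERMS:
        raise ValueError(f"custom banned password list can contain up to {MAX_TERMS} terms")
    normalized = []
    for entry in entries:
        if not MIN_LEN <= len(entry) <= MAX_LEN:
            raise ValueError(f"entry {entry!r}: length must be {MIN_LEN}-{MAX_LEN} characters")
        normalized.append(normalize(entry))
    return normalized


def check_password(password: str, custom_entries: List[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). A banned term anywhere inside the normalized password rejects it."""
    candidate = normalize(password)
    for term in validate_custom_list(custom_entries):
        if term in candidate:
            return False, f"contains custom banned term {term!r}"
    for term in GLOBAL_BANNED:
        if term in candidate:
            return False, f"contains globally banned term {term!r}"
    return True, "ok"


if __name__ == "__main__":
    custom = ["Contoso", "Produhktiv"]   # the two entries added in this article
    for pw in ["Winter2020!", "Contoso01!", "C0nt0$0-2020", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, custom))
```

The substitution step is what lets one entry cover many spellings: C0nt0$0-2020 normalizes to contoso-2o2o and is caught by the single entry Contoso, which is why you don’t need to add every leet-speak variant of a word to the list.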
By leveraging Password Protection and controlled password attacks on your user base, you can begin to improve your users’ password selection. While we realize that passwords aren’t, by any means, enough, this gives us a place to begin to build strength in our security.
If you are interested in how you can use Attack Simulator’s Brute Force option to test your existing users’ password strength, check out my article here.
I hope you can see a path to improve the passwords your organization is using by leveraging the tools we explored in this article.