realn2s, (edited )

I'm not sure if I get something wrong, but I think ID Protection is complete rubbish. E.g. when banning weak passwords with the ominous 5 points rule, the results seem to be completely arbitrary.

Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡​.

This leads to:
Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!

Not sure if this applies only to German dictionary words.

It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF

Coming back to the weird point system. A banned password is not really banned, it gives you "only" 1 point (and you need five).

This leads to the question: how many points do non-banned words give?

If you think it can't get worse, you're wrong! It looks like each character of a non-banned word gives one point. Meaning "password1234" is an accepted password. (1 point for "password" and 1 for each of the 4 digits)

Or a real life example: The attack which affected Microsoft, US government agencies and countless other organizations worldwide was caused by a weak FTP server password.
Namely "solarwinds123", which would be accepted by ID Protection (1 point each for "solar" and "wind", 3 points for the numbers). If "solarwinds" were on the custom banned list, "solarwind1234" would have been enough.

And you can't do anything against it.

I actually hope that the documentation is somewhat wrong and that "123" is not 3 points but 1 as they are consecutive numbers. But this would make it only marginally better (2023

Hawkwinter,

@realn2s Brilliant.

I feel like the easiest "fix" would be to up the minimum password length to 20+ characters, and start encouraging people to use multiple random dictionary words to make gibberish phrases, along with a special character and number and upper case. And of course, encourage UTF-8 characters, not just ASCII.

Maybe use a secure open source encrypted password manager where you keep the data files on your own devices (and use a better password for that).

I'm not an expert in infosec, just a regular software dev - but from what I do understand, that would be much better than the crap we have now.

That would seem more sensible, if we're revising standards. Swap a 'password' for longer pass phrases.

realn2s, (edited )

@Hawkwinter
I agree from a security standpoint. Sadly I consider this also to be not very user friendly ☹️

Entering a 20 character password isn't much fun, especially on mobile 🥴

Hawkwinter,

@realn2s
I do it a few times a week. It's... Well, on mobile I often use the clipboard feature in my password manager to get them where I need them. The typing happens more when I need to type them into something else. But it's not so bad even on mobile so long as your special characters get put between words and they're ones easily accessible on your mobile keyboard.

Something like 7792eartH%wasH%ladY is pretty easy to type on a phone keyboard, not that hard to remember, and hard to brute force or get from a dictionary of common passwords. Grab words from more than one dictionary in different languages and it would be even better. Instead of a predictable length it could also just be 4-6 random words of any length (minimum 20 chars, but maybe more than 30).

realn2s,

@Hawkwinter

Not if it is the password of the password manager 😉​

Hawkwinter,

@realn2s

The password on my password manager DB is much longer, and also randomly generated. That one I just practiced until I memorized it. Lol

(But its easier to memorize the random list of words, numbers, and the 'rules' of the special characters and casing you used, than to memorize that many purely random characters. Lol)

realn2s,

@Hawkwinter
😅
Funny enough I find it easier to memorise a randomly generated password (with practice) than to think of a good password/passphrase and memorize (and type) that correctly

E.g. coming from associations to a password like CorrectHorseBatteryStaple for me leads to the problem that there are so many associations. Was it 'correct' or 'right', 'pony' or 'horse', 'stapler' or 'puncher'?
I find it easier to remember correctly if I get the password first (e.g. ) and then create/find the association.

But there is a second problem for me with passphrases. I hardly ever can enter them correctly on mobile. Fast fingering stuff and only seeing the last typed character for a fraction of a second doesn't play well for me

realn2s, (edited )

And the Custom banned password list of ID Protection just continues the joke.

First, it can only contain 1000 entries. And yes, I really don't want to manage a big custom list.

And it gets even worse. The list is intended to contain company specific banned words like brand or product names, company-specific internal terms as well as abbreviations. Entries must be at least 4 characters.

WTF, half the companies I worked for had 3 letter names. And there are many others: BMW, KIA, SAP, IBM, GM, BBC, NBA, NFL, UPS, DHL, ...

And don't get me started on acronyms. (Three-Letter-Acronym) is a term for a reason.

This means, taking my current company as an example, that SMA12 would be an accepted password (if it weren't for the length) because 'SMA' 3 points + '12' 2 points is 5 points.

To reach the necessary length you could simply combine it. E.g. 'SMASolar1' would be an accepted password even if 'Solar' was a banned word.

And I CAN'T do ANYTHING!!!

Or at least not anything sensible. If I start to put combinations of 'SMA*' in the custom banned pw list, I'm back at an inadequate big list I have to manage myself 🤮​.

And even then SMASolar1234 stays valid 🤬​

Call for : I would be very happy if someone can show me that I'm wrong. The state of Microsoft Entra ID Password Protection is a MUCH bigger pain than that I would have been wrong 😜​.
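The scoring rule described in the first post (a banned term counts 1 point, every other character 1 point, 5 points needed) and the custom-list limits from this post (1000 entries, entries of at least 4 characters), turned into a small audit script. This is an added example written for this thread, a simplified model of what the posts describe, not Microsoft's implementation; the constants and the sample candidates are taken from the posts, and "matching longest banned term first" is an assumption.

```python
# Added example (not Microsoft's code): a simplified model of the scoring the
# thread describes, used to audit which candidate passwords a policy lets through.
# Assumptions: a banned term found as a substring scores 1 point, every character
# not consumed by a banned term scores 1 point, and 5 points are needed.
CUSTOM_LIST_MAX_ENTRIES = 1000   # limit stated in the thread
CUSTOM_LIST_MIN_TERM_LEN = 4     # minimum entry length stated in the thread
POINTS_NEEDED = 5


def validate_custom_list(terms):
    """Return (accepted_terms, rejected_terms) under the stated list constraints."""
    rejected = [t for t in terms if len(t) < CUSTOM_LIST_MIN_TERM_LEN]
    accepted = [t for t in terms if len(t) >= CUSTOM_LIST_MIN_TERM_LEN]
    if len(accepted) > CUSTOM_LIST_MAX_ENTRIES:
        rejected += accepted[CUSTOM_LIST_MAX_ENTRIES:]
        accepted = accepted[:CUSTOM_LIST_MAX_ENTRIES]
    return accepted, rejected


def score_password(password, banned):
    """Return (points, matched_terms); longest banned terms are matched first."""
    remaining = password.lower()
    points, matched = 0, []
    for term in sorted(banned, key=len, reverse=True):
        t = term.lower()
        while t and t in remaining:
            remaining = remaining.replace(t, "", 1)  # consume the matched substring
            points += 1
            matched.append(term)
    points += len(remaining)  # every leftover character is worth 1 point
    return points, matched


def is_accepted(password, banned, needed=POINTS_NEEDED):
    return score_password(password, banned)[0] >= needed


def audit(candidates, banned):
    """Return the weak candidates the modelled policy would still accept."""
    return [c for c in candidates if is_accepted(c, banned)]


if __name__ == "__main__":
    banned, rejected = validate_custom_list(["SMA", "solarwinds", "solar"])
    print("rejected custom entries:", rejected)       # ['SMA'] (too short)
    weak = ["password1234", "solarwinds123", "solarwind1234", "SMASolar1"]
    for c in weak:
        print(c, score_password(c, set(banned) | {"password"}))
```

Running the audit over your own list of context-specific terms plus the candidates you expect users to try is a cheap way to see how little the custom list buys you before relying on it.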

jesterchen,
@jesterchen@social.tchncs.de

@realn2s Wow, what a joke. 1000 entries? Just by scraping the website and using common tools I get a longer list... 🤦‍♀️ And if I start to think about bigger publicly available lists, I am in the millions immediately.

Sadly, I cannot test this behavior myself, but I will ask a friend to check it. Will get back to you.

realn2s,

@jesterchen
🙏🏻

jesterchen,
@jesterchen@social.tchncs.de

@realn2s Yup, my friend could confirm what you have written. That's the reason he doesn't use the feature at all.

He added the following link: https://lazyadmin.nl/office-365/azure-ad-password-policy/ - but without any further comment and I cannot tell the exact reason for this text... HTH

realn2s, (edited )

@jesterchen
Thanks for asking your friend and for the link.
Do they use the mechanisms described in the article or does your friend use another tool as well?
If they know another tool I would be very happy to learn about it 🙃

realn2s, (edited )

Sleeping over it I noticed another issue with ID

Regarding the Global banned password list they write "The contents of the global banned password list aren't based on any external data source, but on the results of Microsoft Entra security telemetry and analysis."
(https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad)

Now I have more questions:

WHY are passwords part of the security telemetry data?

The only case where I see this as ok, would be in a honeypot.

And what kind of data would be in the security telemetry data? Usually it's failed attempts, so you risk overestimating passwords attacks which fail (anyway). Again, this would only be OK with honeypots.

But if you are getting your data solely from honeypots, I fear you're getting a pre-selected type of data. Namely opportunistic, random attacks not targeted attacks.

While I think it's valuable to protect against these kinds of attacks, I really would like passwords to withstand even targeted attacks, even from the inside.
E.g. when the attackers are in the Lateral Movement or Privilege Escalation phase. Especially if the attackers can start to crack hashes.

For this, Microsoft Entra ID Password Protection seems completely useless.

realn2s,

I don't want to continue complaining, so here are some resources on

I consider the work of Lorrie Faith Cranor (sadly I could find her on ) very interesting.

E.g. https://cups.cs.cmu.edu/#password

To check if a password was part of a breach
https://haveibeenpwned.com/Passwords
(I hesitate to enter real current passwords there but there is also an API which ensures the secrecy of the password)

jesterchen,
@jesterchen@social.tchncs.de

@realn2s Thanks for that very last part: some "bogus" website asks me to enter my password to check, if my password is known. The only valid answer should be: "It's now leaked, change it."

But I didn't know about the API. I'll have a look into that one. Thanks.

realn2s,

@jesterchen
I understand your concern. Even if https://haveibeenpwned.com/ is a quite established site, I don't like entering a password where it isn't used for authorisation

The API is, AFAIR, that you calculate a hash of the password you'd like to check and send the first k bytes of the hash to the API. The API returns all the matching (complete) hashes
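The range lookup just described, as an added example written for this thread (not code from the poster or from Have I Been Pwned): the client hashes the password with SHA-1, sends only the first 5 hex characters to the real endpoint https://api.pwnedpasswords.com/range/, and compares the remaining 35 characters locally. The sample bucket and its counts are constructed so the example runs offline; only `fetch_range` talks to the network.

```python
import hashlib
import urllib.request

# Added example (not the thread's or HIBP's own code) of the Pwned Passwords
# k-anonymity range check: only the first 5 hex characters of the SHA-1 hash
# are sent; the caller compares the remaining 35 characters locally.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (prefix, suffix): first 5 and remaining 35 upper-case hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Parse a range response ('SUFFIX:COUNT' per line); 0 means not present."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup of one hash-prefix bucket (network access; not used by the test)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Breach occurrence count; neither the password nor its full hash leaves the machine."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample bucket for prefix 5BAA6 (the SHA-1 of "password" starts with it).
# The counts are made up for this example; the real bucket has hundreds of lines.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E9B3E7A6F6B3C4A2D9E0F1A2B3C4D5E6F7:2
"""

if __name__ == "__main__":
    print(pwned_count("password", fetch=lambda p: SAMPLE_RANGE_5BAA6))  # 3730471
```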

realn2s,

One more thing

Another shortcoming of ID Protection, I can't wrap.

They recommend to not mandate regular password changes (good) BUT they check the password against known bad passwords ONLY when changing it!

So to detect weak passwords I have to enforce a password change which is (rightfully) not recommended 🤡​

You could simply do this on entry. Every time (or once a day) the user enters the password, it is checked that it isn't well known and complies with the current rules.

realn2s,

Some more context to my rant about the shortcomings of ID Protection,

  1. The risk is greatly reduced if you use

BUT while I'm not sure if enforces MFA they enforce the weak password rules.

And a recent event caused me to reevaluate my assumption on how well know /MFA really is:

I gave a talk to non-IT people (still technical though) and closed it with a set of recommendations. One was to enable Second Factor Authentication wherever possible. Which led to the question from one participant: "What is Second Factor Authentication?"

That was quite a 😵 moment. I had the wrong assumptions. How can I assume that MFA reduces a risk if many people don't know about it?

SebastianM6L,
@SebastianM6L@mastodon.social

@realn2s
Just this week I had a similar experience, but with seasoned developers.
The company is coding software for us. One requirement is MFA login, which is standard for all internal and external facing applications.
They invited me for a meeting to clarify some open questions on MFA.
Turned out, they had no clue how it works and where to start. 🙄

realn2s,

@SebastianM6L
😱 our bubble is even smaller than I thought 😞

realn2s,

Moving on to in general

Microsoft offers the following Password Guidance
https://www.microsoft.com/en-us/research/publication/password-guidance/

Side note, the PDF contains no (visible) version information or date :-(
Please, if you publish guidance, especially if you are an influential company, include a date in your documents. I treat a guidance from 2016 differently than a guidance from 2023

Back to the recommendations. Most of them are solid but some stick out

  1. Maintain an 8-character minimum

That seems awfully short. states "Longer is better", the recommend 15+ characters and, wait for it, Microsoft themselves recommend 12 or better 14+ characters.

  2. Ban common passwords, to keep the most vulnerable passwords out of your system.

The NIST recommendation to check against "commonly used and compromised passwords" considerably extends this!

Microsoft at other places recommends "Not a word that can be found in a dictionary or the name of a person, character, product, or organization."

  3. Educate your users not to re-use their password for non-work-related purposes.

Work related reuse is OK????

I would love to know if internally really follows these password rules. Or if they enforce a stricter set. If anyone knows about this, please let me know (but don't if this would get you fired)

BTW, the other place where Microsoft recommends a different/stronger set of password rules is here (again no date):
https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb

mkj,

@realn2s I agree about a visible date. The web page says May 2016 though and I don't see any references obviously more recent than March 2016, which certainly says something. The earliest copy in the Wayback Machine is from early 2017. But most people aren't going to dig that deep.

Definitely a .

realn2s,

@mkj

The document properties of the PDF confirm the date as 2016-05-23.

Nevertheless I don't expect people to check the properties (or read HTML code) 😠

jesterchen,
@jesterchen@social.tchncs.de

@realn2s Uuuhhh... how I hate texts on the internet without a date somewhere. Sometimes the meta tags in the HTML give a date, but what the... ?!

realn2s,

@jesterchen
Yes, it's so annoying.

realn2s,

To close this thread let's collect some good (at the time of writing and IMHO) password guidelines.

And, if you are a developer, please take care that your system supports, encourages, or even enforces them.

Dos & Don'ts

Users:

  • Do choose long passwords: 12+ characters
  • Don't use dictionary words, or terms related to you, your family, or work.
  • Don't trick the password rules by just adding a year.
  • Do use / wherever possible.
  • Don't reuse the same password
  • Do use a password safe.
  • Do generate your passwords (with the help
  • Don't enforce regular password changes
  • Do check passwords against dictionary words including context specific terms (like brand names) as well as known passwords. And disallow them.
    I would love this check not only when the password is changed, but also regularly on login.
  • Don't limit the length of the password (for technical reasons you probably must; NIST recommends at least 64 characters)
  • Don't limit the characters which can be used. Every character which is printable should be valid. Allow blanks or punctuation. Allow Unicode (don't just allow letters or numbers or ...)
  • Do use /
  • Use a Password Safe
  • Do keep mobile in mind. Entering very long passwords with a lot of mixed case, numbers and special characters can be a major pain