Azure AD password protection

A Tale of Two Password Protection Approaches

Static Vs. Dynamic

Hardly a day goes by without news of passwords being exposed in a third-party data breach. Once leaked, those credentials are readily available to other attackers via the Dark Web, and because password reuse is rampant, techniques such as credential stuffing and password spraying let attackers turn one organization's breach into access to another organization's systems and accounts.

In this environment, the security community is in agreement that it’s critical to protect the password layer. However, the way in which we approach this problem can differ greatly. In this post, we’ll contrast two methods—Enzoic’s dynamic compromised credential screening solution and a more traditional, static approach. 

Microsoft Azure Active Directory Password Protection

Azure AD Password Protection, Microsoft's built-in banned-password feature for Azure AD (and, via a domain-controller agent, on-premises Active Directory), is an example of the latter. Its fundamental drawback is that a static list does nothing with passwords that have already been exposed in prior breaches, which is a specific requirement in NIST's most recent guidance (SP 800-63B): when a password is set or changed, the verifier must compare it against a list of values known to be commonly used, expected, or compromised, including passwords obtained from previous breach corpuses. The point of that requirement is to keep passwords out of the dictionaries attackers actually use, so that a leaked password cannot be guessed cheaply and reused to breach additional systems and accounts.

Another issue is the size of Microsoft's global banned password list, which the company has described as the roughly 500 passwords it sees most often in malicious sign-in attempts. Microsoft expands this seed list by generating character-substitution variants and combinations, but it remains small in the face of an ever-evolving threat landscape. Tenants can add a custom banned-password list, but it is capped at 1,000 terms and maintained by hand. Ultimately, because Microsoft's password protection relies only on the company's own sign-in telemetry and the permutations generated from it, rather than on breach data, it misses several key areas and can leave an organization exposed. These include:

  • Missed Regional Differences: The passwords exposed in data breaches differ by region, and a small, globally sourced seed list cannot cover them. As this Azure AD Password Protection product review highlights, the solution accepted the name of a popular UK soccer team as a password, even though that value appears in our database as a breached password.
  • Missed Patterns: Microsoft's evaluation is a scoring scheme rather than a lookup. The candidate is normalized (lowercased, with leet-style substitutions such as 0 for o undone), each banned word found in it earns one point, each remaining character earns one point, and five points is enough to pass. As a result, even an obviously weak password such as "Micr0soft124!" is accepted: it normalizes to one banned word plus four trailing characters, exactly the minimum score.
  • Missed Fresh Data: As noted above, Microsoft's root list is built from its own telemetry and algorithmic expansion rather than from breach data, so it lacks the passwords exposed in the most recent breaches. Given that attackers actively scour the Dark Web for newly compromised credentials, this gap can easily roll out the welcome mat for an attack.
  • Missed Continuous Protection: Azure AD Password Protection evaluates a password only at the moment it is set or changed. Once a password has passed that initial screening, it is never re-evaluated, so a password that is exposed in a breach later on stays in use undetected.

Of course, Microsoft Azure AD Password Protection is not an ineffective solution; it does defend against password spraying, where an attacker tries a handful of the most common passwords against many accounts. However, it misses attacks that draw on previously breached passwords, including brute force, credential stuffing, and the targeted campaigns of advanced persistent threats. Microsoft's mitigation is to pair Password Protection with MFA. At Enzoic, we have built these considerations into the credential screening solution itself.

Enzoic for Active Directory 

Enzoic for Active Directory is a comprehensive, dynamic solution for protection at the password layer. Unlike Microsoft's static list, it draws on our proprietary database of multiple billions of unique exposed passwords. That database is updated multiple times daily, so passwords are cross-referenced against data from the most recent breaches, which addresses NIST SP 800-63B's requirement to screen against known-compromised passwords with current, rather than stale, data.

Additional benefits of our dynamic approach include: 

  • Real-Time Threat Intelligence: We index newly compromised passwords daily, so companies are protected as soon as credentials associated with Active Directory accounts appear on the public Internet or the Dark Web.
  • Stronger Passwords: Because Enzoic continuously monitors for breached credentials, organizations can retire the legacy practice of mandatory periodic password resets and force a change only when a compromise is detected, which is exactly what NIST SP 800-63B recommends. Users choose stronger passwords when they are not expected to change them frequently, and IT spends less time and money on resets.
  • Automated Assurance: By screening passwords daily, in addition to at creation, we provide continuous password protection with minimal IT involvement. Should an existing password become compromised, the remediation steps are automated, so action is taken immediately without waiting on human intervention.
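The two approaches contrasted above, the static normalize-and-score check and the dynamic compromised-password lookup with re-screening of existing accounts, side by side in working code. This is an added example written for this post, not Enzoic's or Microsoft's code: the scoring is a simplified model of the scoring Microsoft documents for Azure AD Password Protection, the substitution table and banned-word list are constructed, the breach corpus is a tiny constructed stand-in for a real database, and the lookup uses a Have I Been Pwned-style SHA-1 prefix range query (an assumption; Enzoic's own API is not shown). The directory of stored hashes is likewise a constructed model, not real AD storage.

```python
"""Static banned-word scoring vs. dynamic compromised-password screening (added example)."""
import hashlib
from dataclasses import dataclass

# --- Static approach: normalize, strip banned words, score ---------------------
# Simplified model of the documented Azure AD scoring: one point per banned word
# matched, one point per remaining character, five points to pass.  The
# substitution table and banned list below are constructed for this example.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
BANNED_WORDS = ("password", "microsoft", "welcome", "summer", "qwerty")  # constructed
ACCEPT_THRESHOLD = 5


def normalise(password: str) -> str:
    """Lower-case and undo common leet substitutions before matching."""
    return password.lower().translate(SUBSTITUTIONS)


def static_score(password: str) -> int:
    """Score a candidate the way a static banned-word filter does."""
    remaining = normalise(password)
    points = 0
    for word in BANNED_WORDS:
        hits = remaining.count(word)
        if hits:
            points += hits                       # one point per banned word found
            remaining = remaining.replace(word, "")
    return points + len(remaining)               # one point per leftover character


# --- Dynamic approach: k-anonymity lookup against a breach corpus --------------
def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus standing in for a breach database of billions of entries.
_BREACH_INDEX: dict[str, set[str]] = {}


def add_breach_data(passwords: list[str]) -> None:
    """Index newly exposed passwords by 5-hex-char SHA-1 prefix (the 'daily update')."""
    for pw in passwords:
        digest = sha1_hex(pw)
        _BREACH_INDEX.setdefault(digest[:5], set()).add(digest[5:])


add_breach_data(["Micr0soft124!", "Summer2023!", "P@ssw0rd", "letmein"])  # constructed


def range_query(prefix: str) -> set[str]:
    """Server side of the lookup: only the 5-character prefix ever leaves the client."""
    return _BREACH_INDEX.get(prefix.upper(), set())


def is_compromised(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


# --- Putting both gates together at password-set time --------------------------
@dataclass
class Verdict:
    static_accepts: bool
    compromised: bool

    def accepted(self) -> bool:
        return self.static_accepts and not self.compromised


def evaluate(password: str) -> Verdict:
    return Verdict(static_score(password) >= ACCEPT_THRESHOLD, is_compromised(password))


# --- Continuous protection: re-screen existing accounts as the corpus grows ----
def rescreen(directory: dict[str, str]) -> list[str]:
    """Return accounts whose stored SHA-1 (constructed model) now matches the corpus."""
    return sorted(acct for acct, digest in directory.items()
                  if digest[5:] in range_query(digest[:5]))


if __name__ == "__main__":
    for candidate in ("Micr0soft124!", "microsoft", "correct-horse-battery-staple-9q"):
        print(candidate, evaluate(candidate))
    accounts = {"alice": sha1_hex("Tr0ub4dor&3"), "bob": sha1_hex("Micr0soft124!")}
    print("flagged now:", rescreen(accounts))
    add_breach_data(["Tr0ub4dor&3"])             # a new breach lands
    print("flagged after update:", rescreen(accounts))
```

The static filter accepts "Micr0soft124!" with the bare minimum score while the corpus lookup rejects it; the static filter alone would never revisit alice's password, whereas `rescreen` flags her account as soon as the corpus update arrives, which is the difference between screening once and screening continuously.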

In addition, because the screening is a lookup against current breach data rather than a fixed seed list, regional differences, common-password variants, and the other shortcomings of Microsoft's solution described above are addressed as a matter of course.

Password security is a fundamental yet complicated enterprise priority, and additional authentication mechanisms such as MFA are often still required to protect sensitive data. But with breaches happening virtually every moment, a dynamic solution that follows NIST guidelines and cross-references passwords against a continuously updated database is critical to staying a step ahead of attackers.

Click here to learn more about Enzoic for Active Directory and get started with your free trial today.