How Entra Password Protection Identifies a “Bad” Password

(and Why It Doesn’t Protect You)

Relying on Microsoft’s Entra (previously known as Azure AD) Password Protection feature to keep weak and compromised passwords out of your environment can leave your users and data at risk. Entra Password Protection ignores the vast majority of compromised and blacklisted passwords and doesn’t actively scan for bad passwords. Another problematic element of Entra Password Protection is its confusing score calculation – the way the feature evaluates “bad” passwords.

Every time a user changes or resets their password, Entra Password Protection will evaluate its weaknesses and assign a score based on specific criteria. The utility of this score is questionable, however, because even passwords that contain entries from their own Global Banned Password List can receive passing scores. (Forget about evaluating all other exposed passwords from data breaches!) In Microsoft’s own words, “Even if a user’s password contains a banned password, the password may be accepted if the overall password is otherwise strong enough.” Since Microsoft’s telemetry doesn’t explicitly include cracking dictionary values, it’s possible for users to select passwords or parts of passwords that appear in cracking dictionaries.

The Method to Their Madness: Entra Password Protection Score Calculation

According to Microsoft’s documentation, Entra Password Protection evaluates a new password “for strength and complexity by validating it against the combined list of terms from the global and custom banned password lists.” They create their Global Banned Password List by analyzing Entra ID security telemetry data to build a list of “base terms” discovered in weak passwords. Then, administrators can create a custom list of terms to ban from their organization. The score calculation feature relies on these two lists to determine how secure a newly configured password might be.

In step one, the proposed password is normalized. This means changing the uppercase letters to lowercase letters and performing a limited set of leetspeak character substitutions. For example, a zero becomes an “o”, a $ becomes an “s”, and @ becomes an “a”. Although this is a crucial password protection strategy, some of the most common variants aren’t accounted for, such as 1 for L or 4 for A.

Then, the normalized password is checked against the two lists to calculate a failing or a passing score:

  • Any obvious, direct matches are rejected. This means a password will not pass if it is on the banned list but has leetspeak substitutions. The word “blank” is banned, so “Bl@nK” is also banned.
  • If the attempt closely matches something on the banned lists, it might be rejected too. Anything from the banned lists that has been edited slightly, within an edit distance of one, is denied. If the proposed password adds, removes, or swaps the last character of an entry in the banned list, it won’t pass.
  • If a password includes the name of the user, it also fails.

If the password isn’t rejected, Entra Password Protection calculates a score with its narrow point system: the password receives one point for each banned term it contains and one point for each remaining character that is not part of a banned term. Any password with a score of at least five points is given the green light. Could you explain this to a user who wants to know why their password was rejected?
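The normalization, near-match rejection and point system described above, modelled in Python as an added example (not Microsoft's implementation and not code from this post); the banned terms "blank" and "password", the user name "alice" and the candidate passwords are constructed samples, and the edit-distance check is assumed to be a plain Levenshtein distance of at most one.

```python
# Added model of the scoring the article describes; not Microsoft's code.
# Banned terms, user name and candidate passwords are constructed samples.

# Limited leetspeak normalisation from the article (0->o, $->s, @->a).
# 1->l and 4->a are deliberately absent, matching the gap the article notes.
SUBSTITUTIONS = str.maketrans({"0": "o", "$": "s", "@": "a"})
PASS_THRESHOLD = 5
BANNED = ["blank", "password"]  # constructed stand-in for the banned lists

def normalize(password):
    return password.lower().translate(SUBSTITUTIONS)

def within_one_edit(a, b):
    """True when a == b or they differ by one insertion, deletion or swap."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1               # extra character in a
        elif len(b) > len(a):
            j += 1               # extra character in b
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def evaluate(password, banned, user_name):
    """Return (accepted, score, reason) following the article's steps."""
    norm = normalize(password)
    terms = [normalize(t) for t in banned]
    # Exact or near (edit distance one) match against a banned term: reject.
    if any(within_one_edit(norm, t) for t in terms):
        return False, 0, "matches a banned term exactly or within one edit"
    if user_name.lower() in norm:
        return False, 0, "contains the user name"
    # One point per banned term found, one per remaining character.
    remaining, score = norm, 0
    for t in sorted(terms, key=len, reverse=True):
        score += remaining.count(t)
        remaining = remaining.replace(t, "")
    score += len(remaining)
    return score >= PASS_THRESHOLD, score, "score %d (need %d)" % (score, PASS_THRESHOLD)
```

Running `evaluate("Blank1234", BANNED, "alice")` accepts a password built on a banned term with four digits appended (score 5), and `evaluate("B1ank1234", BANNED, "alice")` never even sees the banned term because the 1-for-l substitution is not normalized.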

While these guidelines offer a basic level of protection, hackers can still gain access to accounts using variations of easy-to-guess passwords. As we know, weak and leaked passwords often lead to successful password spraying and ransomware attacks.

Microsoft Acknowledges the Need for a More Robust Password Solution

The use of stolen or compromised credentials is the most common cause of a data breach, according to IBM’s Cost of a Data Breach Report 2022. Microsoft’s password policy recommendations suggest that system administrators ban common passwords to ensure that at-risk passwords are kept out of the system. Given that Entra Password Protection doesn’t attempt to include compromised passwords or values from cracking dictionaries, it is not a powerful enough password solution to ensure your users do not select passwords that will make your system vulnerable to attack.

Microsoft also does not recommend mandatory periodic password resets or enforce character composition requirements; furthermore, their password protection feature does not continuously monitor passwords for exposure with up-to-date data breach intelligence.

Microsoft knows their users require a dynamic versus static password protection strategy. To successfully bridge this gap, Enzoic for Active Directory offers stronger protection than Entra Password Protection to safeguard the password layer of your authentication security stack. Our solution enables your team to automatically enforce password standards that align with industry recommendations and compliance standards, ensuring that your accounts, PII, and data stay secure. In addition, Enzoic continuously monitors for compromised passwords on the dark web and features automated remediation, so user accounts remain protected even if sensitive information is exposed in a breach.