Securing Passwords with Azure AD Password Protection

Complex passwords, frequent changes, and ambiguous password complexity requirements are all too common in organisations. These policies are complex for users and invariably lead to weaker password use. Azure has a solution and in this post we explore securing passwords with Azure AD Password Protection.

Organisations define password policies to ensure that their users are not setting weak passwords that can be easily compromised. In this article, we explore securing passwords with Azure AD Password Protection and whether it can help make you more secure but also easier on your users.

Traditional password policies in Active Directory rely on basic filters to determine the number of characters and the types of characters used, including numbers, letters, and symbols. On the face of it these policies may seem secure; however, could they actually be causing the problem, and be much weaker than you think?

Reviewing your current policy

Let’s start this article with a background check to see how secure your users’ passwords are. Head over to Active Directory or wherever you set your password policy today and check what it is. We can use this to look at where you are today vs. where you can go by securing passwords with Azure AD Password Protection.
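As an added example (not part of the original post), here is a PowerShell script that pulls the current domain password policy and any fine-grained policies out of Active Directory, so you have a concrete baseline to compare against the guidance in the rest of this article. It assumes the ActiveDirectory RSAT module is installed and that you run it as a domain user on a domain-joined machine; the warning thresholds are illustrative, not a standard.

```powershell
# Added example, not from the original post: dump the effective AD password policy
# so it can be compared against current guidance. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

# MaxPasswordAge of 00:00:00 means passwords never expire.
$summary = [pscustomobject]@{
    Domain               = $domain.DNSRoot
    MinPasswordLength    = $policy.MinPasswordLength
    ComplexityEnabled    = $policy.ComplexityEnabled
    MaxPasswordAgeDays   = $policy.MaxPasswordAge.Days
    MinPasswordAgeDays   = $policy.MinPasswordAge.Days
    PasswordHistoryCount = $policy.PasswordHistoryCount
    LockoutThreshold     = $policy.LockoutThreshold
    ReversibleEncryption = $policy.ReversibleEncryptionEnabled
}
$summary | Format-List

# Flag the settings this post argues against. The 365-day threshold is illustrative.
if ($policy.MaxPasswordAge.Days -gt 0 -and $policy.MaxPasswordAge.Days -lt 365) {
    Write-Warning "Passwords expire every $($policy.MaxPasswordAge.Days) days; NIST and NCSC no longer recommend routine expiry."
}
if (-not $policy.ComplexityEnabled -and $policy.MinPasswordLength -lt 12) {
    Write-Warning "Minimum length is $($policy.MinPasswordLength) with no complexity rule; short simple passwords are allowed."
}
if ($policy.ReversibleEncryptionEnabled) {
    Write-Warning 'Reversible encryption is enabled; passwords are stored in a recoverable form.'
}

# Fine-grained password policies (PSOs) override the default for the users/groups
# they apply to, so the default alone does not tell the whole story.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
        @{ Name = 'MaxPasswordAgeDays'; Expression = { $_.MaxPasswordAge.Days } },
        PasswordHistoryCount, AppliesTo |
    Format-Table -AutoSize
```

Keep the output: once Azure AD Password Protection is in place you will want to revisit the rotation and complexity settings shown here rather than layering the new policy on top of the old one.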

The failings of traditional policies

The issue with traditional password policies is that they force users to adopt bad password habits. In the sections below, we’ll explore how a few of them look.

Combining case and numbers

Yes, it is true that using combinations of uppercase and lowercase letters, numbers, and symbols increases password strength. A quick Google search turns up an article by Thycotic (https://thycotic.force.com/support/s/article/Calculating-Password-Complexity) stating that the cracking time differs hugely between an all-lowercase password and a mixed-case password with numbers: two days versus roughly one and a half years.

Frequency of change

The second issue with traditional policies is the frequency of password changes. Both NIST (https://jumpcloud.com/blog/nist-800-63-password-guidelines/#cookie-accept) and the UK National Cyber Security Centre (https://www.ncsc.gov.uk/collection/passwords/updating-your-approach) no longer recommend this practice.

The recommended practice in 2020 and beyond is that passwords are allowed to live for much longer. Requiring frequent password changes encourages users to choose weaker passwords that are easier to remember, and it also promotes repetition with passwords like Password1 and Password2.

Password minimum age and re-use

Another issue is with minimum password ages and re-use. If a password policy requires a certain type of password and requires it to be changed every 30 days, some users will get creative and repeatedly change their password to cycle it back to the original one. This can be mitigated by maintaining a password history; however, even remembering 12 or 24 passwords may not stop some users.

Maintaining complex passwords

So how do we combat the issues outlined above? The first fix is to drop the requirement for routine password changes. NIST and NCSC recommend no longer expiring passwords and only changing them when a breach is known to have occurred. Some organisations may opt for the middle ground and require password changes once every 12 or 24 months, which we think is acceptable.

The next step, which is the main focus of this post, is to use technology to help us maintain complex passwords, so that users’ passwords stay secure without the burden falling on the users themselves.

Start Securing Passwords with Azure AD Password Protection

Azure AD Password Protection is a technical solution to meet the needs of modern passwords. Azure AD Password Protection works either standalone in the cloud or in conjunction with your on-premises environment.

What does Azure AD Password Protection do?

Password policies only check for things like length and complexity. The problem with these checks is that they can’t take into account simple passwords (e.g. Password1!) that would otherwise meet the length and complexity requirements. Another issue is that it would be frowned upon for users to use passwords that include things like the name of the company or a product, because those would also be easy to guess.

Azure AD Password Protection inspects password change events. If the password is found to include easy-to-guess words from a list managed by Microsoft, or words from a custom list you define, the password change is rejected.
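To make the check above concrete, here is an added example (not the product’s own code and not from the original post) that models how a banned-password filter of this kind evaluates a candidate: it normalises the password, consumes any banned words from a combined Microsoft-style and custom list, and scores what is left. It goes beyond the post’s description by following the normalisation and five-point scoring that Microsoft documents for the service; the banned list is a constructed stand-in, and the fuzzy (edit-distance) matching the real service also performs is omitted here.

```powershell
# Added example, not the product's code: a simplified model of banned-password
# scoring. Banned list and test passwords are constructed for illustration.
function Test-BannedPasswordScore {
    param(
        [Parameter(Mandatory)] [string]   $Password,
        [Parameter(Mandatory)] [string[]] $BannedWords,
        [int] $MinimumPoints = 5          # documented minimum for an accepted password
    )

    # 1. Normalise: lowercase, then undo common character substitutions.
    $normalised = $Password.ToLowerInvariant()
    $substitutions = @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a' }
    foreach ($key in $substitutions.Keys) {
        $normalised = $normalised.Replace($key, $substitutions[$key])
    }

    # 2. Tokenise: consume banned words greedily (longest first); every other
    #    character becomes a single-character token.
    $sortedBanned = $BannedWords |
        ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object { $_.Length } -Descending
    $tokens = New-Object System.Collections.Generic.List[string]
    $i = 0
    while ($i -lt $normalised.Length) {
        $matched = $null
        foreach ($word in $sortedBanned) {
            if ($normalised.Substring($i).StartsWith($word, [System.StringComparison]::Ordinal)) {
                $matched = $word
                break
            }
        }
        if ($matched) {
            $tokens.Add("[$matched]")
            $i += $matched.Length
        } else {
            $tokens.Add($normalised[$i].ToString())
            $i++
        }
    }

    # 3. Score: one point per token, whether it is a banned word or a leftover
    #    character. A whole banned word is worth no more than a single character.
    [pscustomobject]@{
        Password   = $Password
        Normalised = $normalised
        Tokens     = ($tokens -join ' + ')
        Points     = $tokens.Count
        Accepted   = ($tokens.Count -ge $MinimumPoints)
    }
}

# Constructed stand-in for the Microsoft global list plus a custom (company) list.
$bannedList = @('password', 'welcome', 'summer', 'contoso', 'widgetco')

# 'Password1!' normalises to 'passwordl!' -> [password] + l + ! = 3 points, rejected.
# 'Summer2020!' reaches 6 points and passes: the score is a floor, not a strength
# measure, which is why length and a good custom list still matter.
@('Password1!', 'W1dgetC0-2020', 'Summer2020!', 'purple-kettle-river') |
    ForEach-Object { Test-BannedPasswordScore -Password $_ -BannedWords $bannedList } |
    Format-Table -AutoSize
```

The useful lesson is in the scoring rule: a password built from banned words gets one point per word, so “Password1!” scores three points and fails even though it satisfies a traditional length-and-complexity filter.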

Azure AD Password Protection natively in Azure AD

In native cloud environments where there is no hybrid connection to Active Directory, Azure AD Password Protection works by being directly connected to Azure AD and intercepting all of the password change activity.

Azure AD Password Protection with hybrid Active Directory

The deployment of Azure AD Password Protection is actually pretty simple and consists of three elements. The first is the configuration in Azure. The options aren’t vast or complicated, but it’s the first step nonetheless.

The second step is to set up the Azure AD Password Protection Proxy Service. The Proxy Service is the component that communicates between your on-premises environment and Azure, retrieving the policy you configured in the Password Protection service. The downloaded policy is stored within Active Directory.

The third and final step is to set up the Domain Controller Agent. The Domain Controller Agent acts as a password filter driver. Installed on each Domain Controller, it intercepts password change requests received from clients. A Windows service within the agent retrieves the copy of the policy that the Proxy Service downloaded into Active Directory and caches it locally.
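The PowerShell side of the three-step hybrid deployment above, as an added example that is not from the original post or from Microsoft’s documentation, together with the checks a practitioner runs afterwards to confirm the Proxy Service and Domain Controller Agents are healthy. It assumes the Proxy Service installer has been run on a member server (it ships the AzureADPasswordProtection module) and the DC Agent installer on each Domain Controller; the account name is a placeholder, and the event log channel name is assumed from the documented log path.

```powershell
# Added example, not from the original post: register and verify a hybrid
# Azure AD Password Protection deployment. 'admin@contoso.onmicrosoft.com' is a
# placeholder for a Global Administrator account.

# --- Step 2: on the proxy server, register the proxy and the forest with the tenant ---
Import-Module AzureADPasswordProtection
Register-AzureADPasswordProtectionProxy  -AccountUpn 'admin@contoso.onmicrosoft.com'
Register-AzureADPasswordProtectionForest -AccountUpn 'admin@contoso.onmicrosoft.com'

# Confirm the proxy can reach Azure and is recorded in the forest.
Test-AzureADPasswordProtectionProxyHealth -TestAll
Get-AzureADPasswordProtectionProxy | Format-Table -AutoSize

# --- Step 3: after installing the DC Agent on each DC, confirm a policy is cached ---
# PasswordPolicyDateUTC shows when each agent last picked up a policy; an empty value
# means the proxy has not yet delivered one to that Domain Controller.
Get-AzureADPasswordProtectionDCAgent | Format-Table -AutoSize

# Run on a Domain Controller: validates the agent's own connectivity and policy state.
Test-AzureADPasswordProtectionDCAgentHealth -TestAll

# --- Ongoing: how many password changes and sets the policy is validating/rejecting ---
Get-AzureADPasswordProtectionSummaryReport -Forest

# Individual decisions are written to the DC Agent's Admin event log on each DC
# (channel name assumed from the documented log path). Review recent entries when a
# user reports an unexpected rejection.
Get-WinEvent -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run the registration commands once per forest and once per proxy server; the health and summary commands are the ones to keep in a runbook, since a Domain Controller with no cached policy silently falls back to the traditional Active Directory checks alone.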

When a user attempts a password change, the requested password is compared against both traditional password policies in Active Directory and also against the policy configured in Azure AD Password Protection.

Licensing for Azure AD Password Protection

Azure AD Password Protection does require a license in some circumstances.

If you are a cloud-only environment with no hybrid set-up between Azure AD and Active Directory, and you have cloud-only users who change their passwords in the cloud, then you can use Azure AD Password Protection entirely for free, and there’s nothing to do other than configure the settings.

If you are a hybrid environment with Active Directory on-premises and you are using Azure AD Connect to sync user objects to Azure AD, then you do require a license. Fortunately, Azure AD Password Protection is included as part of Azure AD Premium P1 and P2.

If you have a standalone license for Azure AD Premium, Enterprise Mobility Suite E3 or E5, or Microsoft 365 E3 or E5, then you already have the license required.

Moving forward with Azure AD Password Protection

If you’ve read this article and think you should look at Azure AD Password Protection, or you aren’t sure which licenses you have and whether they cover what is needed, speak to us at Arcible and we can help you learn more.

We can work with you as part of our Enterprise Mobility and Security and Identity solutions and can incorporate the implementation of Azure AD Password Protection as part of it.