Table of Contents
- Prerequisites & Limitations
- List of a few common passwords
- End of Document
The purpose of this document is to explain how to mitigate one of the loopholes through which attackers can penetrate your environment: a weak password policy.
Most users choose passwords such as Welcome@123 or Password1 for convenience, and attackers can easily get into your environment by guessing them (company name, first name, last name, country name, commonly used passwords, and so on).
Because Azure supports SSO (single sign-on), once an attacker has guessed one password he can easily access other applications through SSO.
Ex: Once an attacker has guessed your password, he can log in to any application configured for SSO (Ex: Azure, web email, SharePoint, O365, or any other SSO-enabled application).
To stop users from choosing very common passwords, apply the Azure AD password policy “Enforce custom banned password list”, which protects your environment from attackers.
This mitigation also increases your audit score.
Prerequisites & Limitations
- You can enforce a custom banned password list only if you have an Azure AD P1 or P2 license.
- The custom banned password list can contain up to 1000 terms.
- Minimum length for each banned password entry is 4 characters.
- Log in to the Azure portal and browse to Azure Active Directory => Security => Authentication methods => Password protection
- Set Enforce custom list = Yes.
- Add the terms to the Custom banned password list and click Save.
List of a few common passwords
111111 123456 123123 222222 Admin password Password1 Welcome@123 qwerty qazwsx
To test, log in to https://portal.azure.com => click the logged-in user => View account => Change password => provide a new password
If the user enters a password that matches an entry in the banned password list (a common password), the user will get the message below and must choose a strong, complex password instead, which protects your environment from attackers.
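As an added example, not part of the original document and not Microsoft's code: a small Python model of how a banned-password check scores a candidate, so an admin can try a proposed custom list offline before enabling it. The normalization table, the substring matching and the score-of-5 threshold are assumptions modelled on the public description of Azure AD Password Protection, and the candidate passwords are constructed.

```python
from __future__ import annotations

# Constructed custom list: the terms from this page's "common passwords" list.
CUSTOM_BANNED = ["111111", "123456", "123123", "222222", "Admin", "password",
                 "Password1", "Welcome@123", "qwerty", "qazwsx"]

# Assumed normalization: lower-case, then undo common look-alike substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(term: str) -> str:
    """Lower-case a term and map 0->o, 1->l, $->s, @->a (assumed rule set)."""
    return term.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned: list[str]) -> tuple[int, list[str]]:
    """Return (score, matched_terms).

    Each banned term found in the normalized password counts 1 point and is
    removed; each character left over counts 1 point. Longest terms are
    tried first so "Password1" is not double-counted as "password" + "1".
    """
    remaining = normalize(password)
    matched: list[str] = []
    for term in sorted({normalize(t) for t in banned}, key=len, reverse=True):
        if term and term in remaining:
            matched.append(term)
            remaining = remaining.replace(term, "")
    return len(matched) + len(remaining), matched


def is_acceptable(password: str, banned: list[str], threshold: int = 5) -> bool:
    """A password is accepted only if its score reaches the assumed threshold."""
    return score_password(password, banned)[0] >= threshold


if __name__ == "__main__":
    # Constructed candidates: two banned-list hits (one via substitution), two others.
    for candidate in ["Welcome@123", "P@ssw0rd", "MyPassword2024", "Summer2024!"]:
        score, hits = score_password(candidate, CUSTOM_BANNED)
        verdict = "accepted" if is_acceptable(candidate, CUSTOM_BANNED) else "rejected"
        print(f"{candidate:16} score={score:<3} banned terms={hits} -> {verdict}")
```

Note that a password built around a banned term can still pass once enough extra characters are added, which is why the list should be combined with length and complexity requirements.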