[MUSIC] Rohini Goyal: Hello, everyone, and thanks for joining us again in the second part of the Azure AD Password Protection video series. My name is Rohini Goyal and I am a PM in the Identity Division. I hope you have gone through the previous video in this series, which provides an overview of password protection. In this video, we will talk about how to enable password protection and the details around the underlying banned password algorithm. Azure AD Password Protection provides a unified admin experience for smart lockout, banned passwords, and enabling password protection banned passwords in your on-prem environment. In order to configure your password protection settings, you’ll need to first log into the Azure Portal with a global administrator or a security administrator account. Navigate to Azure Active Directory, then Authentication methods, and there you’ll see the Password protection blade. Here, you’ll see at the top we have the smart lockout configuration. Now, the second major part of password protection is banned passwords. And banned passwords consists of three parts. First, we have the Global Banned Password List. This is a growing list which Microsoft defines, containing common words, passwords, and phrases. Second, we have the Custom Banned Password List, and this is where you can define organization-specific terms. And third, we have the Banned Password Algorithm, which I will go through in just a moment. When you go to configure your Custom Banned Password List, make sure to only add in words and phrases that are unique to your organization. And we recommend starting off by adding in your organization’s name and all of its variations, names of flagship products you sell, headquarters locations, and names of the important individuals in your organization. The custom list will allow you to enter roughly 1,000 words and phrases. You don’t need to enter the variations of each password, since the Banned Password Algorithm will account for that.
And as previously mentioned, password protection is available for your on-premises environment as well. If you have an on-premises environment, I recommend you watch the third video in this series, where Aakashi walks you through how to deploy it in your environment. But there are two simple settings that can be configured through the Azure Portal. If you’re looking to deploy this feature in your on-premises environment, be sure to have enabled password protection on-prem by setting the first toggle to Yes. Additionally, you can deploy banned passwords in audit mode, or kind of a what-if mode. When users go to change or reset their password, password protection won't kick in, but it will log whenever a password change or reset attempt would have been blocked. This gives you the ability to see the impact password protection and your custom list will have in your environment. This can be extremely valuable information to further fine-tune your custom list or educate your users about password strength before you start enforcing password protection in your environment. Now, let’s dive a little deeper into the Banned Password Algorithm and how password protection evaluates password strength. Password protection banned passwords consists of the Global Banned Password List, a list of common passwords defined by Microsoft, and the Custom Banned Password List, which you or your administrator will configure. Now, before a password is evaluated, these two lists are combined together into one large banned password list. Keep in mind that password protection is evaluated whenever a user goes to reset or change their password. The Banned Password Algorithm starts off the password strength evaluation by normalizing the password. This consists of changing all capital letters to lower case and performing common character substitution. Now, users try to outsmart common passwords by changing the A character to an @ symbol or changing the S to a dollar sign.
But the Banned Password Algorithm identifies these character substitutions in the user’s new password and replaces them with the associated letter. Next, the Banned Password Algorithm takes the normalized password and performs fuzzy matching to identify if it contains a word or phrase found in the combined password list. Fuzzy matching is performed with an edit distance of one. This means a match doesn’t need to be exactly perfect for the algorithm to identify that a password contains a banned word. It’s possible for a password to contain a word or phrase found in the global list and a word or phrase found in the custom list you configured, and that’s totally fine. The algorithm will be able to detect all of that. Once the algorithm has identified all of the banned passwords in the user’s password, it’s time for the algorithm to assign the password a score. Every banned password is given one point. Every unique character is given one point. And at the end, the points are totaled up. If a password is given five or more points, the algorithm deems the password to be strong enough and will let the user continue configuring that password during the password change or reset flow. If the password has fewer than five points, the password will be rejected and the user will have to try again. Let’s walk through a few examples. Let’s assume that after combining the Global and the Custom Banned Password List, our large banned password list consists of the words password and admin. This is the list we will be using to identify if a user’s password has a banned password in it. The user is changing their password and enters the password as shown on the screen. At first glance, it looks very complex. We have a mix of capital and lower case letters. There are multiple special characters all throughout the password. And the user has even added numbers to the password. But the Banned Password Algorithm might say otherwise. First, the algorithm will normalize the password.
It will remove all upper case letters and perform common character substitution. This will result in the user’s initial password being transformed into password12. Now that the password has been normalized, the algorithm finds all words, phrases, and character patterns that are in the banned list. Here, the algorithm finds that the normalized password contains the word password, which as you can see is a banned password. Finally, the algorithm assigns a score for the password and determines if it’s strong enough for the user to use. Every banned word is given one point and every unique character is given one point. So here, we have password, which is given one point since it’s a banned word, and the numbers 1 and 2 are each given one point since they’re unique characters that are not found in our banned list. After we sum up the points, the user’s password has a total of three points. Since that is under the algorithm’s minimum bar of five points, the user’s password is rejected and the user must try again. Let’s go through one more example. Just like the previous example, our combined password list consists of the words password and admin. This time, the user enters in this long password. The algorithm starts by normalizing the password by lower casing all characters and performing common character substitution. After normalization, we are left with admin1password13. Next, the algorithm finds all banned passwords and returns that it found admin and password. The last step is for the algorithm to provide a score for the password and determine if it is strong enough for the user to use. Starting from the beginning, we see the word admin. This will get one point, since it’s a banned password. The number 1 is a unique character that is not found in our Banned Password List, so it will receive one point as well. Password, which is a banned word, will receive one point, and the numbers 1 and 3 will each receive one point for being unique characters.
After totaling all of this up, we see that the password was given five points. Now, this meets the algorithm’s requirements and the user is able to use this password. The goal of the score-based algorithm is to strike a balance between usability and security. We want to prevent our users from configuring weak passwords that leave their account in a vulnerable state. But we also don’t want to make it impossible for the users to configure a password and leave them frustrated when what seems like a strong password isn’t let through by the algorithm. A score-based algorithm lets us accomplish this. Now, that wraps up the overview of how password protection banned passwords works. If you have any questions about the algorithm or suggestions on how we can improve our logic, feel free to reach out to us at aadppfeedback@microsoft.com. If you’re interested in learning about how to deploy password protection in your on-premises environment, stay tuned for the next video in the series. [MUSIC]
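The normalize, fuzzy-match and score steps described in the video, as an added example that is not Microsoft's code and not part of the original transcript. It assumes only the two substitutions the video names (@ to a, $ to s), reads "every unique character" the way the video's examples tally it (one point per character not covered by a banned term), and uses constructed sample passwords that normalize to the video's password12 and admin1password13.

```python
from typing import List, Tuple

# Substitutions the video names explicitly (@ -> a, $ -> s). The real table is
# larger and not given in the video, so anything else is left untouched here.
SUBSTITUTIONS = {"@": "a", "$": "s"}
MIN_SCORE = 5  # five or more points is accepted

def normalize(password: str) -> str:
    """Lower-case the password and undo the common character substitutions."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_banned(normalized: str, banned: List[str]) -> Tuple[List[str], str]:
    """Return the banned terms found and the leftover characters.
    Pass 1 claims exact occurrences (longest term first); pass 2 claims
    fuzzy ones (edit distance 1) among characters nobody claimed yet."""
    covered = [False] * len(normalized)
    found: List[str] = []
    for max_dist in (0, 1):
        for term in sorted(banned, key=len, reverse=True):
            # An edit-distance-1 match may be one character shorter or longer.
            widths = [len(term)] if max_dist == 0 else [len(term), len(term) + 1, len(term) - 1]
            for width in (w for w in widths if w >= 1):
                i = 0
                while i + width <= len(normalized):
                    window = normalized[i:i + width]
                    if not any(covered[i:i + width]) and edit_distance(window, term) <= max_dist:
                        found.append(term)
                        covered[i:i + width] = [True] * width
                        i += width
                    else:
                        i += 1
    leftover = "".join(c for c, used in zip(normalized, covered) if not used)
    return found, leftover

def score(password: str, banned: List[str]) -> int:
    """One point per banned term found plus one point per leftover character."""
    found, leftover = find_banned(normalize(password), banned)
    return len(found) + len(leftover)

def is_acceptable(password: str, banned: List[str]) -> bool:
    return score(password, banned) >= MIN_SCORE

# Constructed combined list: the video's global + custom lists reduce to these two terms.
BANNED = ["password"] + ["admin"]
```

Running `score("P@$$word12", BANNED)` reproduces the video's three points (rejected) and `score("Admin1P@$$word13", BANNED)` its five points (accepted); a password such as `Passw0rd!!` shows the edit-distance-1 match catching `passw0rd` even though 0 is not in the substitution table.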