We wanted to bring to your attention a recently reported flaw in Azure Active Directory (AAD) that allows an attacker to ‘brute force’ passwords. Firstly, what is AAD? AAD is the identity service Microsoft (and your organization) uses to identify your users and control their access to your company data. Secondly, what does it mean to brute force a password? Password brute forcing is a technique in which many different passwords are tried in turn until the correct password for your account is guessed.

This flaw is important because it allows brute forcing of a user’s credentials without the attacker’s attempts generating sign-in events. This matters because security monitoring relies on those sign-in events to detect suspicious activity; an attack that produces none can continue unnoticed.

What can your organization do to protect itself against this attack method? Because of how this flaw works, a brute force attack is far less likely to succeed against a user with a unique password. The problem is that attackers automate the guessing, using tens of millions of passwords stolen from other people in earlier breaches. If your password matches one of those previously stolen passwords, your account is at risk of being successfully ‘brute forced’.

The best defense against this type of attack is to remind your employees to create unique passphrases. A passphrase is a string of words that is easy to remember and will still meet your password security requirements.

A passphrase is stronger than a single password because it adds length and randomness, making it much harder to guess. Passphrases are also a simpler way to create and remember strong passwords. Guidance on creating good passphrases is easy to find online, but never reuse the exact example passphrases shown there!
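The two checks above (is the password already in a stolen-password list, and is it a real multi-word passphrase) can be enforced at password-change time. The following is an added example, not code from the original notice or from Microsoft; the breached-password corpus is a constructed stand-in for a real list, the 5-character SHA-1 prefix bucketing mirrors how range-query breach services are commonly organised, and the word/length thresholds are assumed policy values.

```python
import hashlib

# Constructed sample of a breached-password corpus. Real lists are distributed
# as SHA-1 digests; we bucket them by the first 5 hex characters so that a
# lookup only ever needs the prefix, the same pattern range-query services use.
_CONSTRUCTED_BREACHED = ["password", "Summer2021!", "letmein", "correcthorsebatterystaple"]

def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def build_prefix_index(plaintexts):
    """Map 5-char SHA-1 prefix -> set of 35-char suffixes (constructed corpus)."""
    index = {}
    for p in plaintexts:
        digest = _sha1_hex(p)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

BREACHED_INDEX = build_prefix_index(_CONSTRUCTED_BREACHED)

# Assumed policy thresholds, not values from the notice.
MIN_WORDS = 4
MIN_LENGTH = 16

def is_breached(candidate: str, index=BREACHED_INDEX) -> bool:
    """True if the candidate's SHA-1 appears in the breached corpus."""
    digest = _sha1_hex(candidate)
    return digest[5:] in index.get(digest[:5], set())

def passphrase_issues(candidate: str) -> list:
    """Return a list of reasons the candidate should be rejected; empty means OK."""
    issues = []
    if is_breached(candidate):
        issues.append("appears in a breached-password list")
    words = [w for w in candidate.replace("-", " ").split() if w]
    if len(words) < MIN_WORDS:
        issues.append(f"fewer than {MIN_WORDS} words")
    if len(candidate) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    return issues

if __name__ == "__main__":
    for sample in ["Summer2021!", "orbit lantern velvet cactus"]:
        print(repr(sample), "->", passphrase_issues(sample) or "accepted")
```

A single stolen password fails all three checks at once, while a four-word passphrase that has never leaked passes; swapping the constructed corpus for a real breach list is the only change needed for production use.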