joe, to microsoft
@joe@toot.works

“Starting November 9th, 2020 end users will no longer be able to grant consent to newly registered multitenant apps without verified publishers.”?!? What the hell?

https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview

seanm, to firefox

It's been six months — half a year — since Firefox 114 was released with support for FIDO2/WebAuthn. Microsoft 365 support is still broken, particularly for Linux users. You can register a security key but cannot authenticate using it.

Amusingly, Microsoft doesn't even support its Edge browser on Linux.

https://learn.microsoft.com/en-us/entra/identity/authentication/fido2-compatibility#browser-support

realn2s, (edited) to microsoft

I'm not sure if I get something wrong, but I think ID Protection is complete rubbish. E.g. when banning weak passwords with the ominous 5-point rule, the results seem to be completely arbitrary.

Microsoft speaks of including commonly used weak or compromised passwords in their Global banned password list. But the list isn't based on any external data source, so leaked passwords not leaked by Microsoft are not included 🤡.

This leads to:
Known leaked passwords are accepted. Location name plus year is accepted. Dictionary word plus year is accepted!!!

Not sure if this applies only to German dictionary words.

It gets even worse. Reading the documentation, I found "Characters not allowed: Unicode characters" WTF

Coming back to the weird point system. A banned password is not really banned, it gives you "only" 1 point (and you need five).

This leads to the question: how many points do non-banned words give?

If you think it can't get worse, you're wrong! It looks like each character of a non-banned word gives one point. Meaning "password1234" is an accepted password. (1 point for password and 4 for the digits)

Or a real life example: The attack which affected Microsoft, US government agencies and countless other organizations worldwide was caused by a weak FTP server password.
Namely "solarwinds123", which would be accepted by ID Protection (1 point each for "solar" and "wind", 3 points for the numbers). If "solarwinds" were on the custom banned list, "solarwind1234" would have been enough.

And you can't do anything against it.

I actually hope that the documentation is somewhat wrong and that "123" is not 3 points but 1, as they are consecutive numbers. But this would make it only marginally better (2023

realn2s, (edited)

And the Custom banned password list of ID Protection just continues the joke.

First, it can only contain 1000 entries. And yes, I really don't want to manage a big custom list.

And it gets even worse. The list is intended to contain company specific banned words like brand or product names, company-specific internal terms as well as abbreviations. Entries must be at least 4 characters.

WTF, half the companies I worked for had 3 letter names. And there are many others: BMW, KIA, SAP, IBM, GM, BBC, NBA, NFL, UPS, DHL, ...

And don't get me started on acronyms. (Three-Letter-Acronym) is a term for a reason.

This means, taking my current company as an example, that SMA12 would be an accepted password (if it weren't for the length) because 'SMA' 3 points + '12' 2 points is 5 points.

To reach the necessary length you could simply combine it. E.g. 'SMASolar1' would be an accepted password even if 'Solar' was a banned word.

And I CAN'T do ANYTHING!!!

Or at least not anything sensible. If I start to put combinations of 'SMA*' in the custom banned pw list, I'm back at an inadequately big list I have to manage myself 🤮.

And even then SMASolar1234 stays valid 🤬

Call for : I would be very happy if someone can show me that I'm wrong. The state of Microsoft Entra ID Password Protection is a MUCH bigger pain than being wrong would have been 😜.
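Added worked example (not from the thread and not Microsoft's code): a toy Python model of the point scoring as realn2s describes it in the two posts above, run over the passwords from both posts. The 1-point-per-banned-term, 1-point-per-leftover-character and 5-point threshold rules, plus the 1000-entry and 4-character limits of the custom list, are taken from the posts. The banned terms are a constructed stand-in list; the normalization substitutions (0→o, 1→l, $→s, @→a) and the 8-character minimum length are assumptions from Microsoft's public docs. Fuzzy (edit-distance-1) matching and the user/tenant-name substring check are deliberately left out, so the model is more permissive than the real service in those cases.

```python
"""
Toy model of the Entra ID Password Protection scoring rules as described in the
thread. Constructed example; NOT Microsoft's implementation.

Modelled rules:
  1. Normalize: lowercase, then common substitutions 0->o, 1->l, $->s, @->a
     (assumed from the public docs).
  2. Every banned term found (global or custom list) scores 1 point, however long.
  3. Every remaining character scores 1 point.
  4. Total must reach 5 points, otherwise the password is rejected.
Omitted: fuzzy edit-distance-1 matching and user/tenant-name substring checks.
"""

SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
REQUIRED_POINTS = 5
MIN_LENGTH = 8  # assumed separate length rule; not part of the point score

# Constructed stand-in for the global banned list (the real list is not public).
GLOBAL_BANNED = ["password", "solar", "wind", "contoso", "blank"]


def normalize(text):
    """Lowercase and undo the common leet substitutions before matching."""
    return text.lower().translate(SUBSTITUTIONS)


def tokenize(password, banned):
    """Split the normalized password into banned terms and leftover characters.

    Greedy, left to right, longest banned term first. Returns a list of
    (token, is_banned_term) pairs; every pair is worth one point.
    """
    normalized = normalize(password)
    terms = sorted({normalize(b) for b in banned}, key=len, reverse=True)
    tokens = []
    i = 0
    while i < len(normalized):
        for term in terms:
            if normalized.startswith(term, i):
                tokens.append((term, True))
                i += len(term)
                break
        else:
            tokens.append((normalized[i], False))
            i += 1
    return tokens


def score(password, banned):
    # A banned term and a single leftover character are worth the same: 1 point.
    return len(tokenize(password, banned))


def evaluate(password, custom_banned=()):
    """Return (accepted, points) for a password under the modelled rules."""
    banned = list(GLOBAL_BANNED) + list(custom_banned)
    points = score(password, banned)
    accepted = points >= REQUIRED_POINTS and len(password) >= MIN_LENGTH
    return accepted, points


def explain(password, custom_banned=()):
    """Human-readable breakdown, banned terms shown in [brackets]."""
    banned = list(GLOBAL_BANNED) + list(custom_banned)
    parts = [f"[{t}]" if is_term else t for t, is_term in tokenize(password, banned)]
    accepted, points = evaluate(password, custom_banned)
    verdict = "ACCEPTED" if accepted else "rejected"
    return f"{password!r}: {' + '.join(parts)} = {points} points -> {verdict}"


def validate_custom_list(entries):
    """Apply the custom-list constraints from the thread: at most 1000 entries,
    each at least 4 characters. Returns (accepted_entries, rejected_entries)."""
    ok = [e for e in entries if len(e) >= 4]
    rejected = [e for e in entries if len(e) < 4]
    if len(ok) > 1000:
        raise ValueError("custom banned password list is limited to 1000 entries")
    return ok, rejected


if __name__ == "__main__":
    # 'SMA' is too short for the custom list, so its letters score individually.
    custom, too_short = validate_custom_list(["SMA", "SMAtech"])
    print("custom entries refused for length:", too_short)
    for pw in ["password1234", "ContosoBlank12", "solarwinds123", "SMASolar1", "SMA12"]:
        print(explain(pw, custom))
```

Under this model "password1234" and "SMASolar1" reach exactly 5 points and pass, "ContosoBlank12" stops at 4 and fails, and "SMA12" gets its 5 points but falls to the length rule only; note the model counts 6 points for "solarwinds123" because the trailing "s" of "solarwinds" is a leftover character too.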

realn2s, (edited)

Sleeping over it I noticed another issue with ID

Regarding the Global banned password list they write "The contents of the global banned password list aren't based on any external data source, but on the results of Microsoft Entra security telemetry and analysis."
(https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad)

Now I have more questions:

WHY are passwords part of the security telemetry data?

The only case where I see this as ok, would be in a honeypot.

And what kind of data would be in the security telemetry data? Usually it's failed attempts, so you risk overestimating passwords attacks which fail (anyway). Again, this would only be OK with honeypots.

But if you are getting your data solely from honeypots, I fear you're getting a pre-selected type of data. Namely opportunistic, random attacks not targeted attacks.

While I think it's valuable to protect against this kind of attack, I really would like passwords to withstand even targeted attacks, even from the inside.
E.g. when the attackers are in the Lateral Movement or Privilege Escalation phase. Especially if the attackers can start to crack hashes.

For this, Microsoft Entra ID Password Protection seems completely useless.

realn2s,

One more thing

Another shortcoming of ID Protection, I can't wrap.

They recommend to not mandate regular password changes (good) BUT they check the password against known bad passwords ONLY when changing it!

So to detect weak passwords I have to enforce a password change which is (rightfully) not recommended 🤡

You could simply do this on entry. Every time (or once a day) the user enters the password, it is checked that it isn't well known and complies with the current rules.

paulsanders, to selfhosted

Does anyone know a decent ? Complete overkill I know… but don’t really want to spin up an tenant for basic at home and cloud services.

paulsanders, to ai

I’m really not liking how is key to everyone’s marketing strategy… especially in the space. Most orgs I work with are not mature in their identity/endpoint management space, and have a lot to do with the basics.

Why push the whole AI sell when 99% of the user base will get zero benefit?

https://www.microsoft.com/en-us/security/blog/2023/06/26/why-endpoint-management-is-key-to-securing-an-ai-powered-future/

mikebaz, to microsoft

Tomorrow (I know, short notice!), is holding a free webinar, "Reimagine secure access with Microsoft ". There will be some important announcements so it is worth your time to attend if you can and you're using Microsoft's / cloud identity products, or may be using them in the future: https://info.microsoft.com/ww-reimagine-secure-access-with-microsoft-entra.html

F0rm4t, to random

Announcing General Availability of Authenticator Lite (in Outlook)

"Authenticator Lite (in Outlook) expands the opportunity to convert users by bringing the enhanced security of push notifications to devices that have not yet downloaded the Microsoft Authenticator App. "

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/announcing-general-availability-of-authenticator-lite-in-outlook/ba-p/3773136
