What is the threat?
One of the largest threats to organizations today, especially those with externally facing systems or cloud providers, is authentication attacks at the user level. One of these attacks is called “password spraying”. It involves gathering common passwords such as “Welcome2018” or “Winter2019” and trying each of them against every known username in the domain. Using this method, an attacker can try these username/password combinations on all the users of a network or on a cloud service like Office 365. Traditional safeguards, such as lockout policies, only protect against numerous password attempts on a single account. This attack does the opposite: it tries the same password on numerous accounts. Because each account only registers one failed login, there is no effective way to block this activity.
What is being done about it?
In our continued effort to help prevent such attacks and related threats, we are implementing a new password filtering service across our entire managed client base. This service uses the haveibeenpwned database to filter user passwords during password changes, making sure users are not choosing a password that already appears on a breach list. The database currently contains more than 500 million breached passwords, with more being added as breaches occur. We will be deploying this over the next several weeks; it will take effect when the server is rebooted during your normally scheduled maintenance.
What else can I do?
Increase the strength of your password policy by requiring longer passwords with complexity and lowering the lockout threshold. We recommend a minimum password length of 14 characters (the more characters the better) and a lockout threshold of 5 attempts with automatic unlocking disabled.
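As an added example (not part of this notice or of the deployed filtering service), the following shows how a password-change filter of the kind described above can combine a breach-list check with the 14-character minimum. It uses the Pwned Passwords k-anonymity "range" lookup, where only the first five hex characters of the password's SHA-1 leave the host; the HTTP call is replaced by a constructed offline response, and the hit counts and filler lines in that response are made up, although the SHA-1 of the word "password" is real.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample of a Pwned Passwords "range" response for hash prefix 5BAA6.
# The real service answers GET https://api.pwnedpasswords.com/range/<prefix>
# with lines of the form SUFFIX:COUNT. The first suffix completes the well-known
# SHA-1 of "password" (5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8); the count and
# the second line are invented filler for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        + "0" * 35 + ":2\r\n"
    ),
}

def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP call: return the constructed response, or nothing."""
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password: str,
                 range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """k-anonymity check: hash locally, send only the 5-char prefix, compare the
    remaining 35 chars against the returned suffixes. 0 means not found."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

MIN_LENGTH = 14  # minimum length recommended in this notice

def password_rejection_reasons(password: str,
                               range_lookup: Callable[[str], str] = offline_range_lookup) -> List[str]:
    """Apply the breach-list filter and the length policy; an empty list means accepted."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password, range_lookup)
    if hits:
        reasons.append(f"found {hits} times in breached-password list")
    return reasons

if __name__ == "__main__":
    for candidate in ("password", "Winter2019", "correct horse battery staple"):
        print(repr(candidate), "->", password_rejection_reasons(candidate) or "accepted")
```

In production the `range_lookup` argument would perform the HTTPS request to the range endpoint; a password that is long enough but appears in the list is still rejected, since length alone does not protect against a spray of known breached values.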