Password‐Protection (Banned, BRUTE‐FORCE PROTECTION) - Yash-777/MyWorld GitHub Wiki
- Configure custom banned passwords for Microsoft Entra password protection
- Custom banned password list
Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, the Microsoft Entra custom banned password list lets you add specific strings to evaluate and block. A password change request fails if there's a match in the custom banned password list.
When a user or administrator tries to change or reset their credentials, the desired password is checked against both the global banned password list and your custom list. The global list is maintained by Microsoft and can't be edited, so the custom list is where you add organization-specific terms such as:
- Brand names
- Product names
- Locations, such as company headquarters
- Company-specific internal terms
- Abbreviations that have specific company meaning
- Months and weekdays with your company's local languages
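The check described above, as an added example written for this page (not Microsoft's code and not the Entra algorithm itself): a candidate password is normalized, compared against a fixed global list and an administrator-supplied custom list, and rejected with the message the user would see. The sample lists, the character-substitution table and the substring rule are assumptions for illustration; Entra's real evaluation is more elaborate and its global list is not visible to administrators.

```python
"""Banned-password evaluation in the spirit of Microsoft Entra password protection.

Added example for this page; not Microsoft's code. The lists, the normalization
table and the substring rule are assumptions for illustration.
"""
from typing import Iterable, Optional

# Constructed sample lists. In Entra the global list is maintained by Microsoft
# and cannot be edited; the custom list is what the administrator configures.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome"}
CUSTOM_BANNED = {"contoso", "fabrikam", "redmond", "january", "seahawks"}  # assumed org terms

# Undo the substitutions users make to sneak a banned word past a naive check
# (assumed table; the real normalization rules are Microsoft's).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                               "3": "e", "4": "a", "!": "i"})

# The two messages quoted on this page, keyed by which list matched.
GLOBAL_MESSAGE = ("Unfortunately, your password contains a word, phrase, or pattern "
                  "that makes your password easily guessable. Please try again with "
                  "a different password.")
CUSTOM_MESSAGE = ("Unfortunately, you can't use that password because it contains "
                  "words or characters that have been blocked by your administrator. "
                  "Please try again with a different password.")


def normalize(text: str) -> str:
    """Lower-case and reverse common character substitutions before comparing."""
    return text.lower().translate(SUBSTITUTIONS)


def banned_terms_in(password: str, banned: Iterable[str]) -> list[str]:
    """Every banned term that occurs as a substring of the normalized password."""
    norm = normalize(password)
    return sorted(term for term in banned if normalize(term) in norm)


def evaluate(password: str, custom_banned: Iterable[str] = CUSTOM_BANNED) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the error message shown.

    The global list is consulted first, then the custom list, mirroring the
    order in which the page describes the two checks.
    """
    if banned_terms_in(password, GLOBAL_BANNED):
        return GLOBAL_MESSAGE
    if banned_terms_in(password, custom_banned):
        return CUSTOM_MESSAGE
    return None


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2024", "C0ntoso!Spring", "January2025",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {evaluate(candidate) or 'accepted'}")
```

Normalization is the part worth copying: without it, `P@ssw0rd` sails past a list that contains `password`. Keep the custom list to terms that are specific to your organization; general dictionary words belong to the global list, which you cannot edit anyway.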
When a user attempts to reset a password to something that's on the global or custom banned password list, they see one of the error messages listed at the end of this page.
BRUTE-FORCE PROTECTION (OWASP Foundation, Brute Force Attack; WSTG v4.2)
- Brute-force protection prevents attackers from guessing login credentials using trial-and-error.
- Brute-force attacks involve trying many username-password combinations to gain unauthorized access.
- Common protection methods include:
  - Limiting login attempts (e.g., locking the account or delaying further attempts after 3 failed tries).
  - Implementing CAPTCHA to block automated bots.
- These measures enhance login security and protect user accounts from unauthorized access.
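The attempt-limiting measures above, as an added example written for this page (not code from the page, from OWASP or from any product): a progressive delay after each failure, a lockout once the account reaches 3 failures, and a separate per-source counter. The thresholds, the delay schedule, the in-memory dictionaries, the sample user store and the clock values passed in are all assumptions for illustration.

```python
"""Login attempt limiting: progressive delay, account lockout, per-source counter.

Added example for this page; not code from the page, OWASP or any product. The
thresholds (3 failures per account, as in the page's example), the delays and
the in-memory dictionaries are assumptions; a real deployment keeps this state
in a shared store and logs every lockout for the SOC.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Counter:
    failures: int = 0
    not_before: float = 0.0   # earliest time (seconds) at which a new attempt is accepted


class LoginThrottle:
    def __init__(self, max_account_failures: int = 3, base_delay: float = 2.0,
                 lockout: float = 900.0, max_source_failures: int = 20) -> None:
        self.max_account_failures = max_account_failures
        self.base_delay = base_delay            # first back-off; doubles per failure
        self.lockout = lockout                  # hard lockout length (15 min assumed)
        self.max_source_failures = max_source_failures
        self._accounts: dict[str, Counter] = {}
        self._sources: dict[str, Counter] = {}

    def attempt(self, username: str, password: str, source_ip: str,
                verify: Callable[[str, str], bool], now: float) -> str:
        """Process one login at time `now` and return one of
        'ok', 'denied', 'throttled' (back-off running), 'locked' (account
        threshold reached) or 'source_blocked' (too many failures from one IP)."""
        key = username.strip().lower()          # 'Alice' and 'alice' share one counter
        acct = self._accounts.setdefault(key, Counter())
        src = self._sources.setdefault(source_ip, Counter())

        # Spray defence: many failures from one source spread across many accounts.
        if src.failures >= self.max_source_failures and now < src.not_before:
            return "source_blocked"
        # The password is never verified while a delay or lockout is active,
        # so a locked account gives no oracle even for the correct password.
        if now < acct.not_before:
            return "locked" if acct.failures >= self.max_account_failures else "throttled"

        if verify(username, password):
            self._accounts.pop(key, None)       # success clears the account counter
            return "ok"

        acct.failures += 1
        src.failures += 1
        if acct.failures >= self.max_account_failures:
            acct.not_before = now + self.lockout                   # hard lockout
        else:
            acct.not_before = now + self.base_delay * 2 ** (acct.failures - 1)  # 2 s, 4 s, ...
        if src.failures >= self.max_source_failures:
            src.not_before = now + self.lockout
        return "denied"


def demo() -> list[str]:
    """Deterministic walk-through with a constructed user store and explicit clock values."""
    users = {"alice": "correct horse battery staple"}        # constructed sample credential
    verify = lambda u, p: users.get(u.lower()) == p
    throttle = LoginThrottle()
    events = [
        ("alice", "wrong1", 0.0),      # denied; 2 s back-off starts
        ("alice", "wrong2", 1.0),      # throttled: still inside the back-off
        ("alice", "wrong2", 3.0),      # denied; 4 s back-off
        ("Alice", "wrong3", 8.0),      # denied; 3rd failure (case-normalized) -> lockout
        ("alice", "correct horse battery staple", 10.0),   # locked: right password, still refused
        ("alice", "correct horse battery staple", 910.0),  # ok once the lockout has expired
    ]
    return [throttle.attempt(u, p, "203.0.113.7", verify, now) for u, p, now in events]


def spray_demo() -> str:
    """Password spraying: one password against many accounts never trips a
    per-account counter, so only the per-source counter catches it."""
    throttle = LoginThrottle(max_source_failures=20)
    never = lambda u, p: False
    for i in range(20):
        throttle.attempt(f"user{i}", "Summer2024!", "198.51.100.9", never, float(i))
    return throttle.attempt("user99", "Summer2024!", "198.51.100.9", never, 25.0)


if __name__ == "__main__":
    print(demo())          # ['denied', 'throttled', 'denied', 'denied', 'locked', 'ok']
    print(spray_demo())    # source_blocked
```

Two caveats a practitioner should keep in mind: a hard lockout lets an attacker deny service to a legitimate user simply by failing three times against their name, which is why the example also uses a short progressive delay, and a per-account counter alone does nothing against password spraying, where one guess is tried against many accounts, hence the per-source counter.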
Profile page, select Change password. Error messages:

> Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password.
>
> Unfortunately, you can't use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.
>
> Authentication Failed
>
> Invalid Credentials
