Demystifying Password Hash Sync

During my various missions, I have often heard:
“We don’t want to use Password Hash Sync, because we don’t want to send our passwords to the cloud!”
And so we enter a long conversation to explain in depth what exactly PHS is, and especially what PHS is not.

PHS – What it is not

  • PHS doesn’t sync actual passwords
  • It syncs hashes of the passwords
    • each of which has been salted with a per-user salt and run through 1,000 iterations of the HMAC-SHA256 keyed hashing algorithm before being sent to Azure Active Directory
  • The resulting SHA-256-based hash is one-way and cannot be reversed (a hash is not an encryption, so there is nothing to “decrypt”)
    • so the plain-text password is never, and can never be, exposed to Microsoft
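As an added illustration in Python (not code from this post, nor from Microsoft’s sync agent), here is the re-hashing step the bullets describe. The input is the user’s existing on-premises password hash, which Microsoft documents as the 16-byte NT hash; the expansion of that hash to 64 bytes through its hex string in UTF-16LE and the 10-byte salt length follow Microsoft’s public description of the algorithm, and the sample hash and salt values are constructed. `check_hash` is the only operation the cloud side can perform with what it received: re-derive and compare, never recover the password. It is the same comparison the Leaked Credentials Service described further down applies to the username/password pairs it acquires.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1000   # 1,000 iterations of HMAC-SHA256, as the post states
SALT_LEN = 10              # per-user salt length, per Microsoft's public description
HASH_LEN = 32              # size of the value that is actually synced


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte on-premises hash to 64 bytes: hex string, then UTF-16LE bytes."""
    if len(nt_hash) != 16:
        raise ValueError("expected a 16-byte NT hash")
    return nt_hash.hex().encode("utf-16-le")


def derive_phs_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the expanded hash, keyed with the per-user salt."""
    if len(salt) != SALT_LEN:
        raise ValueError(f"expected a {SALT_LEN}-byte salt")
    return hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash), salt, PBKDF2_ITERATIONS, dklen=HASH_LEN
    )


def sync_user(nt_hash: bytes) -> dict:
    """What leaves the premises for one user: a fresh salt and the derived hash, nothing else."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "hash": derive_phs_hash(nt_hash, salt)}


def check_hash(record: dict, candidate_nt_hash: bytes) -> bool:
    """Cloud-side check: re-derive from a candidate and compare in constant time.

    There is no inverse operation; the stored value cannot yield the password.
    """
    expected = derive_phs_hash(candidate_nt_hash, record["salt"])
    return hmac.compare_digest(record["hash"], expected)


# Constructed sample values, not real credentials.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_SALT = bytes.fromhex("0102030405060708090a")

if __name__ == "__main__":
    record = sync_user(SAMPLE_NT_HASH)
    print("salt:       ", record["salt"].hex())
    print("synced hash:", record["hash"].hex())
    print("matches:    ", check_hash(record, SAMPLE_NT_HASH))
    print("wrong guess:", check_hash(record, bytes(16)))
```

Run it twice and the salt and synced hash differ each time while both still verify; that per-user, per-sync salt is what keeps two users with the same password from producing the same stored value.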

PHS – AAD Connect deep dive

With PHS

  • With PHS, the provider that authenticates your users moves from your current on-premises identity provider to Azure AD
  • You move from an on-premises identity management provider to a platform-as-a-service (PaaS) provider
  • A Denial of Service (DoS) or password spray attack lands on Microsoft’s side, so Microsoft takes the brunt of that traffic rather than your on-premises infrastructure
  • You benefit from Microsoft’s telemetry, which gives organizations the power of Microsoft’s threat intelligence

PHS – Security Advantages

  • Smart Lockout
    • Helps block bad actors who are attempting to brute-force passwords.
    • By default, Smart Lockout locks the account out of sign-in attempts for one minute after ten failed attempts.
    • Smart Lockout tracks the hashes of the last three bad passwords, so repeating the same wrong password does not increment the lockout counter again.
  • IP Lockout
    • Works by analyzing the billions of sign-ins Microsoft sees to assess the quality of traffic from each IP address hitting Microsoft’s systems.
    • With that analysis, IP Lockout identifies IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real time, while allowing the real user to continue to sign in successfully.
  • Microsoft Leaked Credentials Service
    • Acquires username/password pairs by monitoring public web sites and the Dark Web and by working with:
      • Researchers
      • Law enforcement
      • Microsoft Security teams
      • Other trusted sources
    • When the service acquires username/password pairs, the passwords are run through the same hashing algorithm and checked against Azure AD users’ password hashes.
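To make the Smart Lockout bullets concrete, here is an added Python model of that counter (illustration only, not Microsoft’s implementation, whose internals are not public): ten failures lock the account for one minute, and a repeat of one of the last three bad passwords does not re-increment the counter. The clock is injectable so the one-minute window can be exercised without sleeping; the `FakeClock` and the user and password strings are constructed for the demonstration.

```python
import hashlib
import time
from collections import deque

LOCKOUT_THRESHOLD = 10      # ten failed attempts, as the post states
LOCKOUT_SECONDS = 60        # locked out for one minute
FAMILIAR_BAD_PASSWORDS = 3  # last three bad passwords do not re-increment the counter


class SmartLockout:
    """Per-user failure counter with the two behaviours the post describes."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}

    def _entry(self, user: str) -> dict:
        return self.state.setdefault(user, {
            "count": 0,
            "locked_until": 0.0,
            "recent_bad": deque(maxlen=FAMILIAR_BAD_PASSWORDS),
        })

    @staticmethod
    def _fingerprint(password: str) -> bytes:
        # Only a hash of the bad guess is kept, never the guess itself.
        return hashlib.sha256(password.encode("utf-8")).digest()

    def is_locked(self, user: str) -> bool:
        """The sign-in path checks this first; a locked user is refused even with the right password."""
        return self.clock() < self._entry(user)["locked_until"]

    def record_failure(self, user: str, password: str) -> str:
        """Register a failed attempt; returns 'locked', 'repeat' or 'counted'."""
        st = self._entry(user)
        if self.is_locked(user):
            return "locked"
        fp = self._fingerprint(password)
        if fp in st["recent_bad"]:
            return "repeat"          # same wrong password again: counter untouched
        st["recent_bad"].append(fp)  # deque drops the oldest beyond three
        st["count"] += 1
        if st["count"] >= LOCKOUT_THRESHOLD:
            st["locked_until"] = self.clock() + LOCKOUT_SECONDS
            st["count"] = 0
            st["recent_bad"].clear()
            return "locked"
        return "counted"

    def record_success(self, user: str) -> None:
        """A good sign-in resets the counter and the remembered bad guesses."""
        st = self._entry(user)
        st["count"] = 0
        st["recent_bad"].clear()


class FakeClock:
    """Constructed clock for demonstrations and tests."""

    def __init__(self, start: float = 1000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    sl = SmartLockout(clock=clock.now)
    for i in range(10):
        print(i + 1, sl.record_failure("alice", f"wrong{i}"))
    print("locked:", sl.is_locked("alice"))
    clock.advance(61)
    print("locked after a minute:", sl.is_locked("alice"))
```

The useful consequence for defenders is visible in the `repeat` branch: a user who keeps typing the same stale password does not lock themselves out, while a spray that cycles through distinct guesses hits the threshold at the tenth one.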