During my various missions, I have often heard:
“We don’t want to use Password Hash Sync, because we don’t want to send our passwords to the cloud!”
And so we enter into a long conversation to explain in depth what exactly PHS is, and especially what PHS is not.
PHS – What it is not
- PHS doesn’t sync actual passwords
  - It syncs the hashes of passwords
  - These have all undergone a per-user salt and 1,000 iterations of the HMAC-SHA256 key hashing algorithm before being sent to Azure Active Directory
- The SHA256 hash cannot be reversed (it is a one-way hash, not encryption)
  - so the plain-text version of the password is never, and can never be, exposed to Microsoft
PHS – AAD Connect deep dive
With PHS
- With PHS, your Identity Management provider moves from your current provider to Azure AD
- You move from an on-premises Identity Management provider to a platform-as-a-service (PaaS) provider
- A Denial of Service (DoS) and/or password spray attack lands on Microsoft’s side: Microsoft takes the brunt of that traffic
- You utilize Microsoft’s telemetry, which gives organizations the power of Microsoft’s intelligence
PHS – Security Advantages
- Smart Lockout
  - Assists in blocking bad actors who are attempting to brute force passwords.
  - By default, Smart Lockout locks the account from sign-in attempts for one minute after ten failed attempts.
  - Smart Lockout tracks the last three bad password hashes to avoid re-incrementing the lockout counter.
- IP Lockout
  - Works by analyzing the billions of sign-ins Microsoft sees to assess the quality of traffic from each IP address hitting Microsoft’s systems.
  - With that analysis, IP Lockout finds IP addresses acting maliciously, such as an IP that is password spraying the tenant, and blocks those sign-ins in real time, while allowing the real user to continue to sign in successfully.
- Microsoft Leaked Credentials Service
  - Acquires username/password pairs by monitoring public web sites and the Dark Web and by working with:
    - Researchers
    - Law enforcement
    - Microsoft Security teams
    - Other trusted sources
  - When the service acquires username/password pairs, the passwords are sent through the same hashing algorithm and are checked against Azure AD users’ password hashes.
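The re-hashing described under "PHS – What it is not" (per-user salt, 1,000 iterations of HMAC-SHA256) and the recompute-and-compare check the Leaked Credentials Service performs are modelled in the following added Python example. This is illustrative code written for this page, not Microsoft's or AAD Connect's implementation. Assumptions: the first-stage on-premises hash is modelled as SHA-256 over the UTF-16LE password (in production that first stage is the MD4-based NT hash, which stock Python builds cannot reliably compute), the 10-byte salt and 32-byte output length are chosen for the example, and the function names (`onprem_hash`, `sync_hash`, `enroll`, `check_candidate`) are hypothetical. The per-user salt and the 1,000 iterations are the parts the page states.

```python
import hashlib
import hmac
import os

# Illustrative model of the PHS re-hashing described on the page; not Microsoft's code.
ITERATIONS = 1000   # stated on the page
SALT_BYTES = 10     # assumption for this example
OUT_BYTES = 32      # assumption for this example


def onprem_hash(password: str) -> bytes:
    """Stand-in for the hash already stored on premises.
    Assumption: SHA-256 over UTF-16LE; the real first stage is the MD4-based NT hash."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_hash(onprem: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt plus iterated HMAC-SHA256 (PBKDF2) over the existing hash.
    Only this derived value would leave the network: never the password, never the raw hash."""
    return hashlib.pbkdf2_hmac("sha256", onprem, salt, iterations, dklen=OUT_BYTES)


def enroll(password: str) -> dict:
    """Build the record the cloud side would hold: salt, iteration count, derived hash."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": sync_hash(onprem_hash(password), salt)}


def check_candidate(record: dict, candidate: str) -> bool:
    """Leaked-credential style check: push a candidate password through the same
    algorithm with this user's stored salt and compare in constant time.
    There is no path from record['hash'] back to the password."""
    derived = sync_hash(onprem_hash(candidate), record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def same_password_distinct_hashes(password: str) -> bool:
    """Two users sharing a password get different synced hashes because of the per-user salt."""
    a, b = enroll(password), enroll(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    rec = enroll("CorrectHorseBatteryStaple")  # constructed sample password
    print("stored derived hash:", rec["hash"].hex())
    print("matching candidate:", check_candidate(rec, "CorrectHorseBatteryStaple"))
    print("wrong candidate:   ", check_candidate(rec, "Winter2024!"))
    print("same password, distinct hashes:", same_password_distinct_hashes("Summer2024!"))
```

Two properties worth noticing: `check_candidate` is the only way to relate a candidate password to a stored record, which is exactly what the leaked-credential comparison does with pairs it has already acquired; and because the salt is per user, a list of breached passwords cannot be hashed once and matched against every user, it has to be re-derived per record.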
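Smart Lockout's counting rule from the list above (ten failures, a one-minute lock, the last three bad password hashes not re-counted) as an added Python model, not Microsoft's implementation. It shows why a client replaying one stale cached password does not lock the real user out, while ten distinct wrong passwords do. Assumptions: the clock is passed in as seconds so runs are deterministic, remembered bad attempts are keyed by a plain SHA-256 of the attempt, the failure counter resets when a lock is applied, and the class and function names (`SmartLockoutModel`, `run`) are hypothetical.

```python
import hashlib
from collections import deque

# Illustrative model of the Smart Lockout behaviour described on the page; not Microsoft's code.


class SmartLockoutModel:
    def __init__(self, threshold=10, lockout_seconds=60, remembered_bad=3):
        self.threshold = threshold            # ten failed attempts (page default)
        self.lockout_seconds = lockout_seconds  # one minute (page default)
        self.remembered_bad = remembered_bad  # last three bad password hashes (page)
        self.state = {}  # user -> {"fails", "locked_until", "recent"}

    def _rec(self, user):
        return self.state.setdefault(user, {
            "fails": 0,
            "locked_until": 0.0,
            "recent": deque(maxlen=self.remembered_bad),
        })

    def attempt(self, user, password, correct_password, now):
        """Return 'ok', 'locked', 'bad' or 'bad-repeat' for one sign-in attempt at time `now`."""
        r = self._rec(user)
        if now < r["locked_until"]:
            return "locked"  # locked accounts reject even the right password until expiry
        if password == correct_password:
            r["fails"] = 0
            r["recent"].clear()
            return "ok"
        h = hashlib.sha256(password.encode()).digest()  # assumption: plain SHA-256 as the key
        if h in r["recent"]:
            return "bad-repeat"  # same wrong password again: counter is not re-incremented
        r["recent"].append(h)  # deque keeps only the last `remembered_bad` hashes
        r["fails"] += 1
        if r["fails"] >= self.threshold:
            r["locked_until"] = now + self.lockout_seconds
            r["fails"] = 0  # assumption: counter resets once the lock is applied
        return "bad"


def run(model, user, correct_password, attempts):
    """Replay (now, password) tuples for one user and return the outcome of each attempt."""
    return [model.attempt(user, pw, correct_password, now) for now, pw in attempts]


if __name__ == "__main__":
    # Constructed scenario 1: ten distinct wrong passwords, then the right one.
    m = SmartLockoutModel()
    spray = [(i, f"wrong{i}") for i in range(10)] + [(10, "Right!"), (71, "Right!")]
    print("distinct guesses:", run(m, "alice", "Right!", spray))
    # Constructed scenario 2: a device replaying one stale cached password twenty times.
    m2 = SmartLockoutModel()
    stale = [(i, "stale-cached-pw") for i in range(20)] + [(20, "Right!")]
    print("stale replay:    ", run(m2, "bob", "Right!", stale))
```

The second scenario is the case the "last three bad password hashes" rule exists for: a mail client or mapped drive holding an old password keeps failing, but the counter moves only once, so the human behind the account is not locked out by their own device.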