AUTHOR: SIARHEI STARASVETSKI

If Your Security Team Uses Password Spraying, Read This First

Password spraying is one of the most reliable techniques in offensive security...until it isn't. As more enterprises migrate identity to Microsoft Entra ID, a quietly enforced control called the Global Banned Password List (BPL) is degrading the effectiveness of traditional spraying approaches. Most security teams don't know how it works. Attackers are already figuring it out.

This matters to CISOs and security leaders validating their identity attack surface, red teamers and penetration testers who need realistic, environment-aware techniques, and IT and security operations teams responsible for enforcing strong authentication in Entra ID environments. If your organization runs Microsoft 365, Azure AD, or Entra ID (and most do), this is directly relevant to how your credentials are evaluated and how an adversary would attack them.

Introduction

Password spraying has long been a staple technique in penetration testing and red teaming. However, its effectiveness has declined significantly as targets move to Microsoft Entra ID as their identity provider. Microsoft’s Global Banned Password List (BPL) is a major factor behind this shift: a little-known security measure designed to prevent users from selecting weak or easily guessable passwords. While this is a genuine improvement for organizations on Entra ID, attackers will adapt. The goal is to understand that adaptation before they do.

This led us to ask: How does Microsoft’s BPL work, and can we adapt our approach before the attackers do?

To find answers, we examined Microsoft's official documentation on Password Protection in Microsoft Entra ID. While Microsoft keeps the BPL confidential to prevent attackers from creating passwords that evade detection, the cybersecurity team at Synacktiv managed to extract and publish the list, making it publicly available on their GitHub repository.

Here's how Microsoft enforces these restrictions, and what it means for both offensive testing and defensive hardening.

How Microsoft Evaluates Passwords

Microsoft’s Documentation

"The global banned password list is automatically applied to all users in a Microsoft Entra tenant. There's nothing to enable or configure, and it can't be disabled. This global banned password list is applied to users when they change or reset their own password through Microsoft Entra ID."

The Password Evaluation Process

When a user creates or changes a password, Microsoft Entra ID evaluates it through a multi-step process:

  1. Normalization: The password is converted to lowercase, and common character substitutions are applied.
    • Example: P@$$w0rd2025 → password2025
  2. Matching Against Banned Words: The system checks if the password contains exact matches from the BPL. However, a match alone does not necessarily result in rejection.
  3. Scoring System: Microsoft assigns points based on the password’s structure:
    • Each banned word found in the password adds 1 point.
    • Every remaining character not part of a banned entry adds 1 point.
    • If the total score reaches 5 or more, the password is accepted; otherwise, it is rejected.

Example: How Microsoft Scores a Password

Let’s analyze the password P@$$w0rd2025:

  • After normalization → password2025
  • "password" = 1 point
  • "2025" = 1 point
  • Total Score = 2 → Rejected (Below the threshold)

Now, let’s slightly modify it to P@$$w0rd2025b@d:

  • After normalization → password2025bad
  • "password" = 1 point
  • "2025" = 1 point
  • "b", "a", and "d" (not in BPL) each contribute 1 point
  • Total Score = 5 → Accepted (Meets the threshold)

Key Takeaway:

The scoring logic creates a structural loophole: appending a small number of non-banned characters can make an otherwise rejected password valid. For defenders, this means user-selected passwords that appear complex may still be weak under real-world attack conditions. For penetration testers, it means spray lists built without BPL awareness will miss viable candidates and produce false assurance.

This is exactly the kind of identity control gap that surfaces during an internal penetration test or assumed breach engagement, where realistic credential attacks against Active Directory and Entra ID environments reveal what your security stack will and won't catch.

Developing a BPL-Aware Password Analysis Tool

Understanding the evaluation process allowed us to build spray candidate lists more accurately. To automate this, we built a Python tool called bpl.py that evaluates whether a password will be accepted or rejected by Microsoft Entra ID before it's ever used in testing.

How bpl.py Works

  • Takes the Global BPL and either a single password or a file of candidates as input
  • Evaluates each password against Microsoft's scoring model
  • Outputs a breakdown that filters out non-viable passwords before spraying begins

bpl.py

By screening candidates through bpl.py first, engagements become more precise: fewer failed attempts, more signal, less noise. This reflects how mature red team operations work: environment-aware, deliberate, and built to surface real risk rather than generate volume.
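The scoring walk-through above and the candidate screening that bpl.py performs, as an added example that is not SEVN-X's bpl.py and not Microsoft's code: the substitution table holds only the three swaps the article shows, the banned list is a constructed stand-in for the real Global BPL, and the longest-match-first scan is an assumption about how overlapping entries are resolved.

```python
# Added example: minimal re-implementation of the Entra ID scoring model
# described in this article. Not SEVN-X's bpl.py, not Microsoft's code.

# Substitutions undone during normalization. The article shows @, $ and 0;
# Microsoft's real table is larger and can be extended here (assumption).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o"})

# Constructed stand-in for the Global BPL (the real list is far larger).
DEMO_BPL = ["password", "2025", "welcome", "summer"]

THRESHOLD = 5  # minimum score Entra ID accepts, per the article


def normalize(text: str) -> str:
    """Lowercase and undo common leet-style substitutions."""
    return text.lower().translate(SUBSTITUTIONS)


def score_password(password: str, bpl=DEMO_BPL):
    """Return (score, parts): one point per banned entry matched, one point
    per leftover character. Both sides are normalized before comparison so
    'P@$$w0rd' still hits the entry 'password'."""
    norm = normalize(password)
    # normalized form -> original entry, longest first so that 'password'
    # beats a hypothetical shorter entry 'pass' (assumed resolution order)
    entries = sorted(((normalize(e), e) for e in bpl if e),
                     key=lambda t: -len(t[0]))
    parts, i = [], 0
    while i < len(norm):
        for norm_entry, entry in entries:
            if norm.startswith(norm_entry, i):
                parts.append(entry)      # 1 point for the whole banned word
                i += len(norm_entry)
                break
        else:
            parts.append(norm[i])        # 1 point for a leftover character
            i += 1
    return len(parts), parts


def is_accepted(password: str, bpl=DEMO_BPL) -> bool:
    return score_password(password, bpl)[0] >= THRESHOLD


def screen_candidates(candidates, bpl=DEMO_BPL):
    """Keep only candidates Entra ID would accept (the bpl.py screening step)."""
    return [pw for pw in candidates if is_accepted(pw, bpl)]


if __name__ == "__main__":
    for pw in ("P@$$w0rd2025", "P@$$w0rd2025b@d"):
        score, parts = score_password(pw)
        print(f"{pw:16} -> {parts} score={score}",
              "Accepted" if score >= THRESHOLD else "Rejected")
```

Defenders can feed their own custom banned terms into the same function to see how far the score-based model actually moves the bar for a given base word.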

BPL AI-Powered Password Generation GPT

While developing bpl.py, we needed a large, realistic dataset of candidate passwords to test against. Manual generation wasn't scalable, so we trained a custom GPT model to automate the process.

How We Built the Model

We analyzed years of data from our password-cracking infrastructure to identify:

  • The most commonly used base words in real-world passwords
  • Where uppercase letters, special characters, and digits typically appear
  • Average password lengths and structural patterns

These patterns informed the BPL AI-Powered Password Generation GPT model, which generates realistic, environment-relevant password candidates for use in authorized testing.

Customizing Password Generation

BPL GPT prompts users with the following configuration options:

  1. Base Words:
    • “What base words would you like to use for generating passwords? (Enter words separated by commas.)”
  2. Password Length:
    • “What is the shortest password length? (Default: 8 characters.)”
    • “What is the longest password length? (Default: 16 characters.)”
  3. Inclusion of Multiple Words:
    • “Should each password include all seed words? (Enter true or false.)”
  4. Common Words from Most Common Password List:
    • “Would you like to include common words from the Most Common Password List?”
  5. Number of Passwords to Generate:
    • “How many passwords would you like to generate?”

Generated candidates are then evaluated through bpl.py to confirm they meet the minimum score threshold before use.

What This Means for Your Security Program

The BPL is a real control, but it's not a sufficient one on its own. Users can still create weak-but-compliant passwords. Spraying attacks against Entra ID environments are evolving to account for exactly this gap.

Organizations in healthcare, financial services, higher education, and manufacturing (i.e., industries that handle sensitive data and face regulatory pressure around access controls) are frequent targets of credential-based attacks. Password spraying remains one of the lowest-friction initial access techniques available to attackers, because it requires no malware, no exploit, and no physical access. It needs one valid credential.

Understanding how these attacks work in your environment is the starting point. Testing whether your controls actually stop them is the next step. A penetration test that simulates realistic credential attacks, including BPL-aware spraying against your Entra ID configuration, gives you direct visibility into that gap before someone else finds it.

If your program includes red team operations or purple team exercises, this kind of identity-focused adversary simulation belongs in scope. It's also a natural input for a fractional CISO or security advisor helping you evaluate your identity security posture against current threat patterns.

Conclusion

Microsoft Entra ID's Global Banned Password List has meaningfully reduced the effectiveness of traditional password spraying. But the underlying attack surface hasn't disappeared; it has changed shape. By understanding how Microsoft scores and evaluates passwords, penetration testers can build more accurate, environment-aware candidate lists. Defenders can use the same knowledge to configure identity controls and train users more effectively.

The gap isn't in Microsoft's design. It's in assuming the control is more comprehensive than it is.
