Introduction

Password spraying has long been a staple technique in penetration testing and red teaming. However, its effectiveness has significantly declined as targets move to Microsoft Entra ID as an identity provider. Microsoft’s Global Banned Password List (BPL) is a major factor behind this shift—a little-known security measure designed to prevent users from selecting weak or easily guessable passwords. While this is fantastic for users of the service, we all know attackers are going to adapt, so we want to beat them to it.

This led us to ask: how does Microsoft’s BPL work, and can we adapt our approach before the attackers do?

To find answers, we examined Microsoft's official documentation on Password Protection in Microsoft Entra ID. While Microsoft keeps the BPL confidential to prevent attackers from creating passwords that evade detection, the cybersecurity team at Synacktiv managed to extract and publish the list, making it publicly available on their GitHub repository.

Let’s break down how Microsoft enforces these password restrictions.

How Microsoft Evaluates Passwords

Microsoft’s Documentation

"The global banned password list is automatically applied to all users in a Microsoft Entra tenant. There's nothing to enable or configure, and it can't be disabled. This global banned password list is applied to users when they change or reset their own password through Microsoft Entra ID."

The Password Evaluation Process

When a user creates or changes a password, Microsoft Entra ID evaluates it through a multi-step process:

  1. Normalization – The password is converted to lowercase, and common character substitutions are applied.
    • Example: P@$$w0rd2025 → password2025
  2. Matching Against Banned Words – The system checks if the password contains exact matches from the BPL. However, a match alone does not necessarily result in rejection.
  3. Scoring System – Microsoft assigns points based on the password’s structure:
    • Each banned word found in the password adds 1 point.
    • Every remaining character that is not part of a matched banned entry adds 1 point.
    • If the total score is 5 or more, the password is accepted; otherwise, it is rejected.

Example: How Microsoft Scores a Password

Let’s analyze the password P@$$w0rd2025:

  • After normalization → password2025
  • "password" = 1 point
  • "2025" = 1 point
  • Total Score = 2 → Rejected (Below the threshold)

Now, let’s slightly modify it to P@$$w0rd2025b@d:

  • After normalization → password2025bad
  • "password" = 1 point
  • "2025" = 1 point
  • "b", "a", and "d" (not in BPL) each contribute 1 point
  • Total Score = 5 → Accepted (Meets the threshold)

Key Takeaway:

This scoring system reveals an interesting loophole—appending a few extra characters can make an otherwise banned password valid.

Developing a BPL-Aware Password Analysis Tool

Understanding the evaluation process allowed us to craft candidate passwords for spraying more effectively. To automate this process, we built a Python tool called bpl.py that evaluates whether a password will be accepted or rejected by Microsoft Entra ID.

How bpl.py Works

  • bpl.py takes in the Global BPL and either a single password or a file with multiple passwords.
  • Each password is evaluated against Microsoft’s scoring system.
  • A detailed breakdown is provided, helping filter out weak passwords before attempting spraying attacks.

bpl.py

By using bpl.py, we can ensure that only viable passwords are selected, making our approach more systematic and efficient.

BPL AI-Powered Password Generation GPT

While developing bpl.py, another challenge emerged—we needed a large dataset of passwords to test. Manually generating variations was inefficient, so we trained a custom GPT model to automate the process.

How We Built the Model

We analyzed years of data from our password-cracking machine to understand:

  • The most commonly used words in passwords.
  • Where uppercase letters, special characters, and digits are typically placed.
  • The average password length and structure.

Using these insights, we developed the BPL AI-Powered Password Generation GPT model to generate realistic passwords.

Customizing Password Generation

BPL GPT prompts users with customization options:

  1. Base Words:
    • “What base words would you like to use for generating passwords? (Enter words separated by commas.)”
  2. Password Length:
    • “What is the shortest password length? (Default: 8 characters.)”
    • “What is the longest password length? (Default: 16 characters.)”
  3. Inclusion of Multiple Words:
    • “Should each password include all seed words? (Enter true or false.)”
  4. Common Words from Most Common Password List:
    • “Would you like to include common words from the Most Common Password List?”
  5. Number of Passwords to Generate:
    • “How many passwords would you like to generate?”

Once generated, these passwords can be evaluated using bpl.py to ensure they meet the minimum score for password spraying.

Conclusion

Microsoft Entra ID’s Global Banned Password List (BPL) has significantly reduced the effectiveness of traditional password spraying attacks. However, by understanding how Microsoft evaluates passwords, penetration testers can refine their strategies and continue to identify potentially weak passwords for their customers, while defenders can continue to train users and configure systems to accept only strong passwords, mitigating evolving threats.
