Scoring passwords in Azure AD Password Protection
Today, Azure AD Password Protection scores the normalized new password with these rules:
1. Each banned password that is found in a user’s password is given one point.
2. Each remaining character that is not part of a banned password is given one point.
3. A password must be at least five (5) points for it to be accepted.
Using a banned word like "contoso" adds only one point to the score, but a new password built from five banned passwords reaches five points and is accepted.
If you choose one of the following passwords as a new password, it will be accepted:
"contosocontosocontosocontosocontoso" --> [contoso] + [contoso] + [contoso] + [contoso] + [contoso] = 5 points --> accepted
"pa$$w0rdpassw0rdpa$$wordpasswordpa$sw0rd" --> [pa$$w0rd] + [passw0rd] + [pa$$word] + [password] + [pa$sw0rd] = 5 points --> accepted
This pattern is too weak, especially when company-related words are repeated.
My suggestion is that a banned word in a new password is scored only once (+1), however often it occurs.
The new scores would look like this:
"contosocontosocontosocontosocontoso" --> [contosocontosocontosocontosocontoso] = 1 point --> NOT accepted
"contosocontosoT13Z" --> [contosocontoso] + [T] + [1] + [3] + [Z] = 5 points --> accepted
I also suggest that at most two banned passwords are scored, even if they are different.
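To make the difference between the current rules and the proposal concrete, here is a small scoring model written for this post; it is an added example, not Microsoft's code. Normalization (lowercasing plus the substitutions 0→o, 1→l, $→s, @→a), the greedy longest-match scan for banned words, and the banned list `BANNED` are all assumptions made for the demo; the service's real matching details are not described on this page.

```python
from __future__ import annotations

MIN_POINTS = 5  # rule 3 above: a password needs at least five points

# Assumed normalization: lowercase, then undo common character substitutions.
# This is an approximation for illustration, not the service's implementation.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(password: str) -> str:
    """Lowercase the password and map 0->o, 1->l, $->s, @->a."""
    return password.lower().translate(_SUBSTITUTIONS)


def tokenize(normalized: str, banned: list[str]) -> list[tuple[str, bool]]:
    """Split a normalized password into (token, is_banned) pairs.

    Assumed matching strategy: scan left to right; at each position take the
    longest banned word that starts there, otherwise consume one character.
    """
    banned_norm = sorted({normalize(b) for b in banned}, key=len, reverse=True)
    tokens: list[tuple[str, bool]] = []
    i = 0
    while i < len(normalized):
        for word in banned_norm:
            if normalized.startswith(word, i):
                tokens.append((word, True))
                i += len(word)
                break
        else:
            tokens.append((normalized[i], False))
            i += 1
    return tokens


def score(password: str, banned: list[str], proposed: bool = False,
          max_distinct_banned: int = 2) -> tuple[int, bool]:
    """Return (points, accepted).

    proposed=False: the current rules (every banned hit = 1 point,
                    every remaining character = 1 point).
    proposed=True:  the suggestion in this post (a banned word scores once
                    however often it repeats, and at most max_distinct_banned
                    distinct banned words are counted).
    """
    tokens = tokenize(normalize(password), banned)
    remaining_chars = sum(1 for _, is_banned in tokens if not is_banned)
    if proposed:
        distinct = {tok for tok, is_banned in tokens if is_banned}
        banned_points = min(len(distinct), max_distinct_banned)
    else:
        banned_points = sum(1 for _, is_banned in tokens if is_banned)
    points = banned_points + remaining_chars
    return points, points >= MIN_POINTS


# Constructed banned list for the demo; a real tenant uses the global list
# plus its own custom list.
BANNED = ["contoso", "password", "blank"]

if __name__ == "__main__":
    for pw in ["contosocontosocontosocontosocontoso",
               "pa$$w0rdpassw0rdpa$$wordpasswordpa$sw0rd",
               "contosocontosoT13Z",
               "contosopasswordblankXYZ"]:
        print(f"{pw!r}: current={score(pw, BANNED)} "
              f"proposed={score(pw, BANNED, proposed=True)}")
```

Under the current rules both repeated-word passwords from the post score exactly 5 and pass; under the proposal they drop to 1 point and fail, while "contosocontosoT13Z" still passes with 5 because four real characters remain after the repeated "contoso" is counted once.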
Hubert Mülhauser commented
Yes, it is really a problem!