Microsoft: 44 million Microsoft accounts use leaked passwords

[harlan4096]

Microsoft ran a password-reuse analysis on over three billion company accounts in 2019 to find out how many of the used password were in use by Microsoft customers.

The company collected password hash information from public sources and received additional data from law enforcement agencies, and used the data as a base for the comparison.

An analysis of password use in 2016 revealed that about 20% of Internet users were reusing passwords, and that an additional 27% were using passwords that were "nearly identical" to other account passwords. In 2018, it was revealed that a large part of Internet users were still favoring weak passwords over secure ones.

Companies like Mozilla or Google introduced functionality to improve password use. Google published its Password Checkup extension in February 2019 and started to integrate it in August 2019 natively in the browser. The company launched a new Password Checkup feature for Google Accounts on its site in 2019 as well.

Mozilla integrated Firefox Monitor into the Firefox web browser designed to check for weak passwords and monitor passwords for leaks.

Computer users who use standalone password managers may also be able to check passwords against leak databases; I have published a tutorial on how that is done in the password manager KeePass.

Microsoft has been pushing for password-less logins for a while now, and the company's password reuse study provides a reason why.

According to Microsoft, 44 million Azure AD and Microsoft Services Accounts use passwords that are also found in leaked password databases. That is about 1.5% of all credentials the company checked in its study.

Microsoft cites a study in which password use of nearly 30 million users was analyzed. The conclusion was that password reuse and modifications were common for 52% of users, and that "30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses".

Microsoft will enforce resets of passwords which were leaked. Microsoft account customers will be asked to change the account password. It is unclear how the information will be communicated to affected users or when the passwords will be reset.

IT administrators will be contacted on the Enterprise side.

On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced.

Microsoft recommends that customers enable a form of multi-factor authentication to better protect their accounts against attacks and leaks. According to Microsoft, 99.9% of identity attacks are unsuccessful if multi-factor authentication is used.
...

Continue Reading