From January to March 2019, Microsoft experts estimated that about 44 million users of Microsoft and Azure AD services reused the same passwords.
To find them, analysts compared user credentials against a database of three billion logins and passwords that had previously appeared in various data leaks. This huge dump was compiled both from law enforcement databases and from publicly accessible sources.
“We are forcibly resetting the password for leaked credentials for which we have found a match. No additional consumer action is required. At the corporate level, Microsoft will elevate the user's risk and warn the administrator that a credential reset is worthwhile,” the experts write.
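The check described above, written as an added illustration rather than Microsoft's own code: a password presented at sign-in or password change is hashed and matched against a constructed leak corpus using a k-anonymity prefix lookup (the caller reveals only the first five hex characters of the hash), and a match is mapped to the two responses the article describes. The SHA-1 range-lookup pattern, the corpus contents and the sample accounts are assumptions for this example, not details of Microsoft's process.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a breach corpus like the one in the article: SHA-1
# hashes of passwords that appeared in public leaks. Sample values invented here.
LEAKED_PASSWORD_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123", "Summer2019!", "qwerty", "letmein")
}

def range_lookup(prefix: str) -> set[str]:
    """Return the suffixes of every leaked hash that starts with the 5-hex-char
    prefix. This is the k-anonymity 'range' pattern: the caller reveals only a
    prefix, never the full hash, and does the final comparison locally."""
    assert len(prefix) == 5
    return {h[5:] for h in LEAKED_PASSWORD_HASHES if h.startswith(prefix)}

def is_leaked(password: str) -> bool:
    """True if the password's SHA-1 hash appears in the leak corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])

@dataclass
class Credential:
    username: str
    password: str      # only available in clear at sign-in or password change
    enterprise: bool   # directory-tenant user vs. consumer account (assumed flag)

def action_for(cred: Credential) -> str:
    """Map a leaked-credential match to the response the article describes:
    consumers get a forced reset; enterprise users get elevated risk plus an
    administrator alert so the admin can enforce the reset."""
    if not is_leaked(cred.password):
        return "ok"
    if cred.enterprise:
        return "elevate-user-risk+alert-admin"
    return "force-reset"

def screen(creds: list[Credential]) -> dict[str, str]:
    """Screen a batch of presented credentials and return the action per user."""
    return {c.username: action_for(c) for c in creds}

if __name__ == "__main__":
    sample = [  # constructed sample sign-in events
        Credential("alice@example.com", "password123", enterprise=False),
        Credential("bob@contoso.example", "Summer2019!", enterprise=True),
        Credential("carol@example.com", "Tq7#vL9!wRm2", enterprise=False),
    ]
    for user, verdict in screen(sample).items():
        print(f"{user}: {verdict}")
```

Because the provider stores only password verifiers, this comparison can only run at the moment the plaintext is presented, which is why the article notes that reuse on other sites stays invisible.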
Experts note that, according to a 2018 study of 30 million users, almost 52% reuse the same passwords or slight variations of them. The same study showed that approximately 30% of these slightly modified passwords can be cracked within just 10 guesses.
“This behavior puts users at risk of being victims of a breach replay attack. Once a threat actor gets hold of spilled credentials or credentials in the wild, they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match,” Microsoft researchers write.
Although Microsoft normally warns a user who chooses a weak or easily guessed password when setting up an account, these warnings do not cover password reuse: Microsoft has no way of knowing whether the user has used the same password elsewhere.
Microsoft also reminds us that it is highly advisable to use multi-factor authentication.
“Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture. Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA,” Microsoft specialists remind.
Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential.