CEO Comments On 44 Million Microsoft Users Reused Passwords In Q1 2019

By ISBuzz Team, Writer, Information Security Buzz | Dec 06, 2019 09:58 pm PST

Microsoft’s threat research team has scanned all Microsoft user accounts and found that 44 million were using usernames and passwords that have been leaked online following security breaches at other online services.
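The kind of compromised-credential check the article describes can be run without handing full password hashes to the lookup service, by querying only a short hash prefix (the k-anonymity range layout used by public breach-lookup services) and comparing suffixes locally. This is an added example, not Microsoft's code or method; the breach corpus, its counts and the sample accounts are constructed:

```python
import hashlib
import hmac


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample breach corpus: SHA-1 digests of passwords leaked at other
# services, bucketed by their first 5 hex characters. Counts are made up.
LEAKED_CORPUS: dict[str, list[tuple[str, int]]] = {}
for _pw, _count in (("password", 3730471), ("qwerty123", 12345), ("letmein", 9000)):
    _digest = _sha1_hex(_pw)
    LEAKED_CORPUS.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_lookup(prefix: str) -> list[tuple[str, int]]:
    """Simulate the range query: the caller sends only the 5-character prefix
    and receives every (suffix, count) in that bucket, so the lookup side never
    learns the full hash, let alone the password."""
    return LEAKED_CORPUS.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """Return how often `password` appears in the corpus, or 0 if it is unseen.
    The suffix comparison happens on the client, in constant time."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if hmac.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def flag_reused_credentials(attempts: list[tuple[str, str]]) -> list[str]:
    """Given (username, candidate password) pairs seen at login or password
    change, return the usernames whose password is in the leaked corpus.
    Those accounts should be forced to reset and have MFA enforced."""
    return [user for user, pw in attempts if breach_count(pw) > 0]


if __name__ == "__main__":
    # Constructed sample logins; only the first uses a leaked password.
    sample = [("alice", "password"), ("bob", "kestrel-violet-91-anchor")]
    print(flag_reused_credentials(sample))  # ['alice']
```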

6 Responses

  1. Password reuse is a massive problem and this scan only highlights the severity of the situation. Whether knowingly or unknowingly, people are using compromised credentials to access sensitive personal and corporate data, putting organisations and individuals at risk of disastrous attacks from bad actors. Multi-Factor Authentication is no longer just security best practice, but a core necessity to corporate and personal applications alike. Wherever possible, stronger forms of Multi-Factor Authentication should be used, such as WebAuthn with on-device biometrics.

  2. Password reuse and single-factor authentication are among the largest cybersecurity issues we face today. Frustratingly, no matter how easy password managers make storing and using complex passwords for online services, or how simple it is to add a second authentication mechanism – such as an SMS code sent to a mobile device – adoption is still woefully low.

    As individuals, we need to change our mindset when securing any online account, employing the same level of protection we adopt for securing our financial accounts. This means moving away from the reuse of passwords, making them stronger, particularly for accounts where we’re sharing sensitive details or personal information, and always using a second factor if available.

  3. In today’s cybersecurity landscape, it couldn’t be truer to say that passwords are the weakest link. We need to create several versions of them, make them hard to guess and commit them to memory. Therefore, it comes as no surprise that password reuse is so rampant.

    Two-factor authentication can help tackle the risk posed by password reuse. However, organisations and users should explore alternatives to the traditional text password, such as persona-based authentication, which relies on a combination of ‘geographical’ and behavioural elements to determine identity, or a trust score system that allows users to sign in and unlock devices through a trust score calculated from several behavioural factors such as location, facial recognition and typing pattern. While it’s true passwords aren’t going anywhere soon, there are ways that they can be strengthened to keep users and their data safe, and these options should be deployed going into 2020 and beyond.

  4. Why do people reuse passwords? Because they have way too many to remember. Work passwords, utilities, banking, laptop account logins etc etc. How can an average person remember so many? Furthermore, a regular user does not use a password vault or storage solution, regardless of the recommendations.

    The rub with password reuse across many services is that if one service is breached, the disclosed password is often used in credential stuffing attacks that try to access other services and websites. This type of attack is becoming more and more common, and it bets on the widespread habit of users reusing their passwords.

    Solutions such as multi-factor authentication help solve the password reuse issue, as they also require a one-time password at time of login, which changes every time.

  5. When we look at the sheer number of different services and apps that people use and require signing up for, it is little surprise that people reuse credentials. It’s why it is so important to educate and raise awareness among users as to the dangers of reusing credentials and how it can lead to account takeovers. Once people understand the risks, they can then make informed decisions to better protect themselves through means such as enabling MFA where available, and using a password manager to choose stronger and unique passwords for each site they register for.

  6. As with the recent HackerOne incident, humans remain the weakest link in every organization. Microsoft’s campaign to augment account security serves as a great example to other vendors. In light of billions of valid passwords being sold on the Dark Web, password reuse attacks are super-efficient today. Worse, even the largest technology companies are often toothless to protect their customers from such attacks, as the exploitation happens in the area beyond their observation and control.

    Two-factor (2FA) and multi-factor authentication (MFA) can considerably reduce those risks; however, most users regard these as irritating inconveniences and would rather deactivate them whenever possible. Moreover, sophisticated phishing attacks enhanced with social engineering may defeat these security mechanisms. Continuous security monitoring for anomalies is a formidable weapon for detecting account compromise in a timely manner but, given that a considerable number of users are logging in from different time zones and IP addresses, it’s no silver bullet.
