After analyzing a database containing 3 billion leaked credentials from security breaches, the Microsoft threat research team determined more than 44 million user accounts had a serious security problem. Here’s what you need to know.
The Microsoft threat research team password analysis
The Microsoft threat research team analyzed billions of login credentials that had been leaked following security breaches. These came from multiple sources, including law enforcement and publicly accessible databases, according to Microsoft.
Considering that data breaches are known to have exposed 4.1 billion records in the first six months of 2019 alone, there’s obviously plenty of this kind of credential data floating around, and plenty that is traded across dark web markets. By analyzing this breach data, security researchers can get an idea of the most commonly reused, and therefore insecure, passwords. The Microsoft identity threat research team was also looking for these compromised credentials to cross-check against the Microsoft user ecosystem.
Across just the first three months of 2019, Microsoft found some 44 million accounts that were reusing passwords found within those breached credentials databases. You might think that 44 million reused passwords, out of more than 3 billion breached credentials, isn’t too bad a percentage. Unless you are one of those Azure AD or Microsoft Account holders with the password problem, of course.
What is password reuse, and why is it a security problem?
Don’t think you are safe just because you don’t use any of the headline passwords mentioned in the “most reused passwords” lists that regularly appear online, as threat actors use a variety of techniques to reveal login credentials. If one of your passwords turns up in a breached database and you use it to access your email account, for example, it’s often game over as far as your security is concerned.
The Microsoft Security Intelligence Report looked at identity-based threats and warned about just this risk from what it calls breach replay attacks. “Once a threat actor gets hold of spilled credentials or credentials in the wild,” the report states, “they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.” This type of attack is becoming more and more common, according to Eoin Keary, CEO at edgescan, who said, “it bets on the widespread habit of users reusing their passwords.”
Mitigating the Microsoft password reuse risk
As far as the leaked credentials that the threat research team found during this analysis are concerned, Microsoft has confirmed that consumers need to take “no additional action,” as it has already forced a password reset. This will come as a great relief to those worried about their Office, OneDrive, or Xbox services. The situation is less straightforward for business users. Microsoft stated that it would “elevate the user risk and alert the administrator” for enterprise accounts, with the administrator then having to ensure a credential reset is enforced. The reused credentials statistics were not broken down into consumer and enterprise accounts, so it’s not clear how many businesses could be impacted by this.
“As with the recent HackerOne incident, humans remain the weakest link in every organization,” Ilia Kolochenko, CEO of ImmuniWeb, said, “Microsoft’s campaign to augment account security serves as a great example to other vendors.”
More password security advice for Microsoft users
The Microsoft report goes on to say that it’s “critical to back your password with some form of strong credential,” and suggests that Multi-Factor Authentication (MFA) is a recommended mechanism to achieve this. “Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA,” the report stated. Unfortunately, as Kolochenko said, while “Two-Factor (2FA) and Multi-Factor Authentication (MFA) can considerably reduce those risks, most users regard these as irritating inconveniences and would rather deactivate them whenever possible.”
Gavin Millard, vice-president of intelligence at Tenable, said that “as individuals, we need to change our mindset when securing any online account, employing the same level of protection we adopt for securing our financial accounts.” What this means is that people must move away from not just the reuse of passwords, but should also make them stronger, “particularly for accounts where we’re sharing sensitive details or personal information,” Millard concludes.
For the average consumer and smaller businesses, I always suggest that password managers are the baseline security measure that should be in place. Not only do these make it easy to use a secure, random and complex password for every account and site you use, but most have password auditing functionality for good measure. Google, for example, has a password checkup function that works with the Google account password manager and checks for reuse against a database of 4 billion leaked credentials, and Firefox has also added a compromised password warning feature.
You shouldn’t be put off by the occasional warning regarding password manager vulnerabilities: not only are these relatively rare and dealt with quickly, but most people will significantly strengthen their security posture by using one.
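To show what the password auditing described above actually does, here is an added example (not code from Microsoft, Google or Firefox) of a vault checkup: it flags passwords reused across sites and checks each password against a breach corpus using a hash-prefix range query, so the checking service only ever sees the first few hex characters of the hash. The corpus, the vault and the prefix length are all constructed assumptions for illustration.

```python
from __future__ import annotations
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-credential corpus: SHA-1 hashes (upper-case
# hex) of passwords seen in leaks. Real corpora hold billions; three suffice here.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "qwerty123", "letmein")
}

PREFIX_LEN = 5  # hex characters the client sends; the suffix never leaves the device


def range_query(prefix: str) -> set[str]:
    """Service side of the range query: return every stored suffix whose hash
    starts with `prefix`. The service cannot tell which one the client wants."""
    return {h[PREFIX_LEN:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(prefix)


def audit_vault(vault: dict[str, str]) -> dict[str, list[str]]:
    """Audit a site -> password vault the way a password manager checkup does.
    Returns {"reused": sites sharing a password, "breached": sites whose
    password appears in the breach corpus}, each list sorted."""
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    reused = sorted(s for sites in sites_by_password.values() if len(sites) > 1 for s in sites)
    breached = sorted(site for site, pw in vault.items() if is_breached(pw))
    return {"reused": reused, "breached": breached}


if __name__ == "__main__":
    demo_vault = {  # constructed example vault
        "mail.example": "qwerty123",
        "shop.example": "qwerty123",
        "bank.example": "Tq7!m#Zp2wLk9Xv",
        "forum.example": "letmein",
    }
    print(audit_vault(demo_vault))
```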
Updated December 6: This article was updated with additional comments by security experts.