Jump to content

Microsoft: 44 million Microsoft accounts use leaked passwords


Recommended Posts

Microsoft: 44 million Microsoft accounts use leaked passwords

Microsoft ran a password-reuse analysis on over three billion company accounts in 2019 to find out how many of the used password were in use by Microsoft customers.


The company collected password hash information from public sources and received additional data from law enforcement agencies, and used the data as a base for the comparison.


An analysis of password use in 2016 revealed that about 20% of Internet users were reusing passwords, and that an additional 27% were using passwords that were "nearly identical" to other account passwords. In 2018, it was revealed that a large part of Internet users were still favoring weak passwords over secure ones.


microsoft leaked passwords


Companies like Mozilla or Google introduced functionality to improve password use. Google published its Password Checkup extension in February 2019 and started to integrate it in August 2019 natively in the browser. The company launched a new Password Checkup feature for Google Accounts on its site in 2019 as well.


Mozilla integrated Firefox Monitor into the Firefox web browser designed to check for weak passwords and monitor passwords for leaks.


Computer users who use standalone password managers may also be able to check passwords against leak databases; I have published a tutorial on how that is done in the password manager KeePass.


Microsoft has been pushing for password-less logins for a while now, and the company's password reuse study provides a reason why.


According to Microsoft, 44 million Azure AD and Microsoft Services Accounts use passwords that are also found in leaked password databases. That is about 1.5% of all credentials the company checked in its study.


Microsoft cites a study in which password use of nearly 30 million users was analyzed. The conclusion was that password reuse and modifications were common for 52% of users, and that "30% of the modified passwords and all the reused passwords can be cracked within just 10 guesses".


Microsoft will enforce resets of passwords which were leaked. Microsoft account customers will be asked to change the account password. It is unclear how the information will be communicated to affected users or when the passwords will be reset.


IT administrators will be contacted on the Enterprise side.

On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced.

Microsoft recommends that customers enable a form of multi-factor authentication to better protect their accounts against attacks and leaks. According to Microsoft, 99.9% of identity attacks are unsuccessful if multi-factor authentication is used.

Closing Words

It is surprising that only 1.5% of all analyzed credentials were found in leaks; the study that Microsoft linked to saw password reuse and password modifications in over 50% of all analyzed passwords.



Source: Microsoft: 44 million Microsoft accounts use leaked passwords (gHacks - Martin Brinkmann)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...