For the first 3 months of 2019, Microsoft’s identity threat research team undertook a fascinating study of password re-use. They scanned the contents of 3 billion leaked or inadvertently disclosed credentials to build a database. Running that database against Azure AD and MS Services accounts, they discovered 44 million matches. This shows significant re-use of credentials across multiple accounts, a definite security no-no according to most experts. MS is in the process of notifying account holders of its findings, so you’ll want to keep your eyes out for an email from them to that effect, or for notification of a forced password reset. But here’s the real kicker: they tout Multi-Factor Authentication (MFA) as “an important security mechanism that can dramatically improve your security posture.” That’s why I beg readers to heed my warning: MFA offers real security protection, so please use it wherever it makes sense.
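To make the matching step concrete, here is an added example (my own illustration, not code from the Microsoft study) of how a defender can check a leaked-credential dump against a directory that stores only salted password hashes. The account directory, the dump contents, and the helper names (hash_password, find_reused_credentials, flag_high_risk) are all constructed for this example; each leaked plaintext is re-hashed with the matching account's own salt and compared in constant time, so no plaintext is ever stored, and matching accounts are flagged for a forced reset the way the study describes.

```python
import hashlib
import hmac
import os

# PBKDF2-SHA256 with a per-account salt; the directory keeps only salt + hash.
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "risk": "normal"}

# Constructed tenant directory (sample data, not real accounts).
ACCOUNTS = {
    "alice@example.com": make_account("correct horse battery staple"),
    "bob@example.com": make_account("Winter2019!"),
    "carol@example.com": make_account("hunter2"),
}

# Constructed leaked-credential dump in the common email:password line format.
# Includes a blank line and a malformed line to exercise the parser.
LEAKED_DUMP = """\
alice@example.com:Summer2018
bob@example.com:Winter2019!

this line has no separator
dave@example.com:letmein
CAROL@example.com:hunter2
"""

def parse_dump(text: str):
    """Yield (email, password) pairs, skipping blank or malformed lines.
    Only the first ':' splits, so passwords containing ':' survive intact."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        yield email.strip().lower(), password

def find_reused_credentials(accounts: dict, dump_text: str) -> set:
    """Return the accounts whose current password appears in the dump paired
    with the same email. The leaked plaintext is hashed with the account's
    salt and compared with a constant-time check; the directory is read-only here."""
    matches = set()
    for email, leaked_pw in parse_dump(dump_text):
        acct = accounts.get(email)
        if acct is None:
            continue  # leaked identity is not one of ours
        candidate = hash_password(leaked_pw, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            matches.add(email)
    return matches

def flag_high_risk(accounts: dict, dump_text: str) -> list:
    """Mark matching accounts as high risk and return the admin actions to take
    (a forced password reset, as in the study), one entry per flagged account."""
    actions = []
    for email in sorted(find_reused_credentials(accounts, dump_text)):
        accounts[email]["risk"] = "high"
        actions.append(f"{email}: flagged high risk, enforce password reset")
    return actions

if __name__ == "__main__":
    for action in flag_high_risk(ACCOUNTS, LEAKED_DUMP):
        print(action)
```

Note that alice is not flagged: her leaked password differs from her current one, so a match only fires when the credential pair is actually re-used. At the scale of 3 billion records you would batch and index the dump rather than loop over it, but the per-account salted re-hash is what keeps the check honest without ever holding the directory's passwords in the clear.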
This tiny infographic offers two major take-aways from the MS password re-use study: 1. Don’t do it; and 2. Use MFA.
Why say: MFA Offers Real Security Protection
Need more ammo to boot yourself in the right direction? In the same study, MS reports further that (bold emphasis added is mine):
Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA. You can learn about Microsoft Azure MFA here. Microsoft also offers solutions to protect customers from breach replay attacks. This includes capabilities to flag users as high risk and inform the administrator to enforce a password reset.
There are very few quick security fixes that can reduce risk of exposure by 3 orders of magnitude (a factor of 1,000 in other words). MFA is one of those very few. Use it where and when you can. I’ve set it up for my Microsoft Account, Azure AD, various Google services, my bank and brokerage accounts, and more. And guess what? Even though it takes a bit longer to log in when you have to wait for a code delivered to your cellphone, I feel much safer knowing that hackers will have a MUCH harder time getting into any of those accounts. You should do likewise ASAP.
[Note: here’s a shout-out to Forbes magazine, whose December 6 story “Microsoft Security: Password Problem Affecting 44 Million Users Revealed” not only turned me onto this topic, but also provided a link to the actual Microsoft study. I’m always amazed at the many reports of findings, news, survey results, and more online that fail to cite original sources. Forbes is always good about providing proper attribution, as a magazine with good journalistic standards and practices should be. Thanks!]