Microsoft performed a threat assessment of its services and their users between January and March of this year, and the results are alarming. According to the Microsoft threat research team, millions of users are reusing their passwords on Microsoft's services.
As part of the threat assessment, Microsoft checked over 3 billion credentials, of which 44 million matched Microsoft services and Azure AD accounts, indicating that those accounts were reusing credentials. Microsoft also noted that many of the 3 billion credentials had been leaked online, and the company forced a password reset on the matching accounts to ensure they are not abused.
Furthermore, Microsoft said that 30% of the reused or modified passwords can be cracked within just 10 guesses. This is what enables a breach replay attack, in which an attacker who obtains one set of leaked credentials tries the same or slightly modified credentials against other accounts.
The company urged users to improve their password hygiene and enable 2FA, as 99% of the attacks can be prevented by using Multi-Factor Authentication. It is also always recommended to use unique passwords, and even unique usernames where possible, to make it harder for an attacker to guess credentials and gain access.
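Microsoft's observation that reused or lightly modified passwords fall within a handful of guesses is something a service can check for at password-change time, before a forced reset becomes necessary. The following Python is an added example, not Microsoft's code: it normalizes a candidate password (case, common leet substitutions, leading and trailing digits or symbols) and compares it with a constructed sample of leaked passwords; the leaked set, its plaintext form and the `reuse_verdict` function name are assumptions for illustration, since a production check would query a breach corpus by hash rather than hold plaintext.

```python
import re

# Constructed sample of leaked passwords for illustration only (not real breach data).
# A real service would compare hashes against a breach corpus, never store plaintext.
LEAKED_PASSWORDS = {"summer2019", "password", "letmein", "qwerty123"}

# Common character substitutions users apply when "modifying" a reused password.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Stems shorter than this are too generic to call a match.
MIN_STEM_LEN = 4


def normalize(password: str) -> str:
    """Reduce a password to the stem left after the trivial edits
    (case change, appended year/symbol, leet spelling) are undone."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # drop trailing digits/symbols: "summer2020!" -> "summer"
    p = re.sub(r"^[^a-z]+", "", p)   # drop leading digits/symbols: "!!admin" -> "admin"
    return p.translate(LEET_MAP)     # "p@ssw0rd" -> "password"


def reuse_verdict(candidate: str, leaked=LEAKED_PASSWORDS) -> str:
    """Classify a proposed password against the leaked set.

    Returns "exact_reuse" if it is a leaked password verbatim,
    "modified_reuse" if it is a leaked password with trivial edits,
    and "ok" otherwise.
    """
    if candidate in leaked:
        return "exact_reuse"
    stem = normalize(candidate)
    if len(stem) >= MIN_STEM_LEN:
        leaked_stems = {normalize(p) for p in leaked}
        if stem in leaked_stems:
            return "modified_reuse"
    return "ok"


if __name__ == "__main__":
    # Constructed password-change requests a service might receive.
    for pw in ["password", "P@ssw0rd1", "Summer2020!", "correct horse battery staple"]:
        print(f"{pw!r}: {reuse_verdict(pw)}")
```

The "modified_reuse" verdict is the case Microsoft's 10-guess figure describes: the user believes the password is new, but it is one trivial edit away from a leaked one.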