Using the same password for multiple accounts might seem convenient, but if an attacker breaks into one account, the others that share the password are exposed as well. With unprotected databases and online services breached so often, leaked or stolen passwords from data breaches pose a severe threat to users who keep reusing their passwords.
It seems that most users of Microsoft services are doing the same.
A recent investigation by the Microsoft threat research team revealed that 44 million users were reusing their usernames and passwords. The tech giant stated that it scanned all of the company's user accounts between January 2019 and March 2019.
The accounts were checked against a database of around 3 billion leaked credentials, which was obtained from multiple sources such as public databases and law enforcement, Microsoft said.
Risks of Password Reuse
According to Microsoft, 30 percent of reused or modified passwords can be cracked within just 10 guesses. This puts users at risk of a breach replay attack: if attackers get hold of leaked credentials, they can try the same credentials on accounts at other services in order to break into them.
Microsoft urged users to improve their password hygiene with security mechanisms such as Multi-Factor Authentication (MFA). According to Microsoft, around 99.9 percent of breach replay attacks have been prevented by using MFA.
Recently, a massive data breach left around 773 million email addresses and more than 21 million passwords exposed online without protection. According to security researcher Troy Hunt, the person behind the breach notification service Have I Been Pwned, a huge database that includes records from more than 2,000 hacked databases was exposed online.
The breached data, which Troy Hunt dubbed Collection #1, included almost 773 million (772,904,991) unique email addresses and 21 million (21,222,975) unique passwords. Around 87 GB in size, the breached records also included 1,160,253,228 unique combinations of breached email addresses and passwords. Hunt stated that the data is made up of many individual data breaches from thousands of other sources.