Between January and March this year Microsoft’s threat research team performed a scan on all of the Microsoft account passwords. These passwords were then compared with the database that holds more than three billion leaked credentials.
The result was devastating as 44 million account passwords matched the database including regular user accounts, Microsoft services accounts, and even Azure AD accounts.
Microsoft has immediately forced a password reset for accounts they’ve found a match for. Additionally, for Enterprise environments, Microsoft will elevate the user risk by alerting Administrators to enforce password resets.
Even though Microsoft initiated password resets it won’t stop users to choose new passwords that have also been exposed as a part of a security breach.
A research study performed on 28 million user accounts showed that 52% of users tend to reuse passwords or make small modifications to the original password. The same study also showed that 30% of those passwords along with its small modifications could be easily cracked with only 10 attempts.
The company also advises the use of Multi-Factor Authentication or MFA which is a proven security mechanism that can dramatically improve security bearing. According to Microsoft, 99.9% of identity attacks were prevented when the MFA authentication mechanism was used.