44 Million Microsoft accounts using stolen passwords

Best Practices for Password Protection

Microsoft's Identity Threat Research Team [recently revealed] that 44 million user accounts were using passwords that had previously been stolen and leaked. How does this happen? People re-use the same password across multiple accounts. This eye-popping statistic highlights that password re-use is a real and growing risk to organizations.

We shouldn't be too surprised. People have more passwords than ever, which compounds the problem that people are generally terrible at choosing and remembering them. So they take shortcuts: easy-to-guess patterns and the same password reused everywhere. Those passwords and patterns are then exposed through the steady stream of breaches.

“99.9% of identity attacks have been thwarted by turning on MFA.”

Consider the impact on your company if a user signs in to your domain, financial applications, or EMR with the same password they use on a social media site that gets breached. A targeted attacker can also mine these leaked databases to focus their attack on an employee whose credentials are already known to be exposed, trying the leaked password (and simple variations of it) against your services.

So what can you do to protect your users and organization?

1. Enable Multi-Factor Authentication (MFA) – We cannot emphasize the importance of MFA enough. Put simply, you could print your password on a billboard and an attacker still can't access your account unless they also steal or compromise your second factor. Microsoft says that “99.9% of identity attacks have been thwarted by turning on MFA”. 99.9%!! You won't see results like that from any other security initiative. Turn it on for email, VPN, and all externally reachable services. Not all second factors are equal: SMS codes and simple push prompts can be phished or approved by a tired user, so prefer an authenticator app and, where available, phishing-resistant methods such as FIDO2/WebAuthn security keys. Encourage users to secure their personal accounts as well. (Authy provides [excellent guides](https://authy.com/guides/) for securing personal accounts.)

2. Monitor Data Breaches – You should be monitoring breach disclosures to discover when your organization's email addresses appear in a leaked dataset. This gives you insight into which users are at risk (their leaked password may be one they also use at work) and keeps you aware of new breaches. Encourage users to monitor their personal email addresses through a service like [HaveIbeenPwned](https://haveibeenpwned.com/).

3. Use a Password Manager – The fact is that humans are quite terrible at managing multiple strong passwords. Adopt an organization-wide password management solution. This allows you to set standards, run security checks (weak, reused, or breached passwords), and manage sensitive shared passwords, all while freeing users from having to remember numerous passwords. Look for a solution that also provides a separate vault where people can save personal passwords.

Depending on your organization's threat model, you may need to investigate more advanced identity management solutions. Every organization should adopt the recommendations above; doing so will dramatically reduce the risk of an incident or breach due to poor password practices.

Keith Crawford

Keith Crawford is a Sr. Cybersecurity Consultant at Edafio. He specializes in Risk Management, Security Program Development, Operational Compliance, and Strategic Initiatives. Keith currently serves as a CISO for clients as well as developing Edafio's Cybersecurity Services. According to his daughter, he has meetings for a living, which isn't far from the truth. Before Edafio, Keith served clients for almost 15 years, first as a Network Engineer and most recently as Director of Client Strategy. Keith believes in the power of security and compliance to help an organization mature, transform, and thrive. His mission is assisting clients in catching that vision and executing on it. Keith is a frequent speaker and panel member at community events and conferences. Outside of work, he is a passionate Disaster Relief volunteer and an active member of his local church. He is blessed with great kids, an amazing wife, and an ok dog.