44 Million Microsoft Users Reused Passwords in the First Three Months of 2019

The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. From a report: The scan took place between January and March 2019. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.

Re: This just in

[Cmdln Daco]

This just in: Richard Stallman and the original MIT hackers refused to put passwords on their accounts.

Re:

[screwthempaa]

Nice try to deflect, shill.

It is shocking that anyone has a MS user account. Even if someone is clueless enough to use Windows 10, it is not required to make an account. Then again these are Windows users we are talking about.

Re:

[drinkypoo]

Isn't one's Xbox account also a Microsoft account? I deleted mine when I sold my console game collection, including my 360.

Re:

[UnknownSoldier]

Forza Horizon 4.

An absolutely beautiful [youtu.be] game.

An Xbox keeps the spyware Windows 10 off the desktop and yet still allows one to enjoy FH4.

I have 3 levels

[Snotnose]

Places like /. get the lowest level. Wanna be Snotnose? My password is easy to crack nowdays.

Places like my internet company and the library? Second level. You want to pay my bill knock yourself out, I'm not gonna stop you. You might sign me up for stuff I don't want but I'll catch it quickly and then, maybe, I'll change my login/password.

My bank/TD-AmE-Trade/Shcwab account? Yeah, they all have not only different logins, but the passwords are also never used anywhere else. Keepass is a lifesaver here.

Re:

[coofercat]

I used to be the same, and I do still have some "lowest level" stuff around.

Then I started getting those emails about visiting a porn site, having my photo taken in compromising positions and by the way, here's your password. I know the emails are all bullshit, but I went around and changed just about all of my passwords, and so now I have really only one level: Dashlane generated (and usually 25 characters at that).

I did find a few sites that only allowed a certain length of password - or other rules that

Re:

[AmiMoJo]

These days there is little excuse for not having decent passwords on every site. All the major web browsers have a strong password generator built in and will remember your passwords for you. You can even sync them up between computers and your phone.

Of course you can not store the really important ones in the browser if you are worried about Mozilla stealing your bitcoins or something, but that's no excuse for not having a decent Slashdot password.

Re: I have 3 levels

[zlives]

Please dont use browser to store PW,

There are lots of pass managers that are much more secure and just as easy to use
Lastpass, password keeper, 1password ...

Re:

[hvidstue]

What makes the browser a less secure solution to those mentioned?

Ummm, hello?

[chrism238]

"The Microsoft threat research team scanned all Microsoft user accounts..."

The ability described in just the opening sentence presents the biggest threat.

Re:

[NoMoreACs]

"The Microsoft threat research team scanned all Microsoft user accounts..."

The ability described in just the opening sentence presents the biggest threat.

I came here exactly to say the same thing!

Re: Ummm, hello?

[zlives]

They are comparing hashes because ms storeâ(TM)s password as hash...
Well atleast thats how i would do iton local domain.

Re:

[Brain-Fu]

The article doesn't give details about this scan, but I sincerely hope that the methodology was to take the leaked credentials, hash and salt them, and then compare that result to the already hashed-and-salted passwords that the users had in there accounts.

Microsoft would have no excuse *at all* to be storing passwords in any other way.

The article DOES say that MIcrosoft did a forced password reset of all compromised accounts, so problem mitigated for now.

Incidentally, according to OWASP, the popular notion

Re:

[peppepz]

If the passwords were hashed and salted properly, each single comparison would take Microsoft seconds of up-to-date CPU time. How did they manage to compare millions of passwords with billions of other passwords then?

Re:

[tlhIngan]

If the passwords were hashed and salted properly, each single comparison would take Microsoft seconds of up-to-date CPU time. How did they manage to compare millions of passwords with billions of other passwords then?

Easy. You basically take a list of leaked credentials, available everywhere, then run the logins against your database.

So your leaked username and password list would be "johndoe@example.com / password" and your scan would basically try logging in with those credentials. And that's it, unless y

Re:

[peppepz]

Thanks, got it. They're testing against full leaked credentials and not just reused passwords.

Re:

[screwthempaa]

If they used any other method to do this then MS is even worse than we thought.

Re:

[Veretax]

Was I the only one who wondered.... if they meat credential combos, or usernames? Given microsoft sort of requires email for windows, and even skype now.

Re:

[AmiMoJo]

That's not a threat. You need to understand how secure password hashing works.

Instead of storing the password you add a random salt (unique number for each user) and hash it. The hashing function is one way so it can't be decrypted back into the password, the only way to get the password back is to do a dictionary or brute force attack.

When the user logs in the server adds the salt and creates the hash, and compares that to the stored one. Of course, if someone gets access to the database they can do the sa

Re: Ummm, hello?

[zlives]

Most rainbow tables donâ(TM)t contain hashes for above 15 character passwords.
Realistically that should be the minimum password length and more.

Re:

[AmiMoJo]

Rainbow tables don't work with salted hashes. Dictionary attacks or brute force only.

Windows login with MS Account is BAD!

[DeAxes]

Microsoft needs a better password system, as the whole "log in to Windows and Xbox with your Microsoft Account login" means we keep the Microsoft Account password something easy to remember and type as we need it to log into Windows everytime our computer turns on or wakes from sleep. I want to just use a password manager and randomized mess for everything, but no, we have to use it to make it all a one sign on. I'm close to saying screw it, make a localized account and changing my Microsoft Account passwor

How do they know?

[Errol backfiring]

How can they tell the passwords are the same if they use salted and hashed passwords and off course a different hash salt for every system? Because if they don't, they have just informed us that Microsoft systems are by design not secure.

Re:

[Errol backfiring]

Sorry, stupid of me. Ignore post please. The passwords were leaked.

User security is horrible for most

[Raymond Berry]

When you don't have anything worth stealing, it's easy to get lazy. That's the justification for poor security practices at most user level interfaces. If it's not simple to use, it just gets ignored, at that user's risk. This is where AI has a chance to do things that matter to people (as well as predict hacker behavior) that would make security much more integrated to ordinary life.