44 Million Microsoft Users Reused Passwords in the First Three Months of 2019 (zdnet.com) 34

The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. From a report: The scan took place between January and March 2019. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.

  • by Snotnose ( 212196 ) on Thursday December 05, 2019 @06:55PM (#59489570)
    Places like /. get the lowest level. Wanna be Snotnose? My password is easy to crack nowadays.

    Places like my internet company and the library? Second level. You want to pay my bill knock yourself out, I'm not gonna stop you. You might sign me up for stuff I don't want but I'll catch it quickly and then, maybe, I'll change my login/password.

    My bank/TD-AmE-Trade/Schwab account? Yeah, they all have not only different logins, but the passwords are also never used anywhere else. KeePass is a lifesaver here.
    • I used to be the same, and I do still have some "lowest level" stuff around.

      Then I started getting those emails about visiting a porn site, having my photo taken in compromising positions and by the way, here's your password. I know the emails are all bullshit, but I went around and changed just about all of my passwords, and so now I have really only one level: Dashlane generated (and usually 25 characters at that).

      I did find a few sites that only allowed a certain length of password - or other rules that

    • by AmiMoJo ( 196126 )

      These days there is little excuse for not having decent passwords on every site. All the major web browsers have a strong password generator built in and will remember your passwords for you. You can even sync them up between computers and your phone.

      Of course you can not store the really important ones in the browser if you are worried about Mozilla stealing your bitcoins or something, but that's no excuse for not having a decent Slashdot password.

  • by chrism238 ( 657741 ) on Thursday December 05, 2019 @07:38PM (#59489632)

    "The Microsoft threat research team scanned all Microsoft user accounts..."

    The ability described in just the opening sentence presents the biggest threat.

    • "The Microsoft threat research team scanned all Microsoft user accounts..."

      The ability described in just the opening sentence presents the biggest threat.

      I came here exactly to say the same thing!

    • The article doesn't give details about this scan, but I sincerely hope that the methodology was to take the leaked credentials, hash and salt them, and then compare that result to the already hashed-and-salted passwords that the users had in their accounts.

      Microsoft would have no excuse *at all* to be storing passwords in any other way.

      The article DOES say that Microsoft did a forced password reset of all compromised accounts, so problem mitigated for now.

      Incidentally, according to OWASP, the popular notion

      • If they used any other method to do this then MS is even worse than we thought.
    • by Veretax ( 872660 )
      Was I the only one who wondered.... if they meant credential combos, or usernames? Given Microsoft sort of requires email for Windows, and even Skype now.
    • by AmiMoJo ( 196126 )

      That's not a threat. You need to understand how secure password hashing works.

      Instead of storing the password you add a random salt (unique number for each user) and hash it. The hashing function is one way so it can't be decrypted back into the password, the only way to get the password back is to do a dictionary or brute force attack.

      When the user logs in the server adds the salt and creates the hash, and compares that to the stored one. Of course, if someone gets access to the database they can do the sa

  • Microsoft needs a better password system, as the whole "log in to Windows and Xbox with your Microsoft Account login" means we keep the Microsoft Account password something easy to remember and type as we need it to log into Windows every time our computer turns on or wakes from sleep. I want to just use a password manager and randomized mess for everything, but no, we have to use it to make it all a one sign on. I'm close to saying screw it, make a localized account and changing my Microsoft Account passwor

  • How can they tell the passwords are the same if they use salted and hashed passwords and of course a different hash salt for every system? Because if they don't, they have just informed us that Microsoft systems are by design not secure.
  • When you don't have anything worth stealing, it's easy to get lazy. That's the justification for poor security practices at most user level interfaces. If it's not simple to use, it just gets ignored, at that user's risk. This is where AI has a chance to do things that matter to people (as well as predict hacker behavior) that would make security much more integrated to ordinary life.
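
Several comments above ask how leaked credentials can be matched against accounts whose passwords are stored salted and hashed. The sketch below is an added example, not part of the original thread and not Microsoft's actual method (the article gives no details): it re-hashes each leaked password with the matching account's own salt and compares the result. The function names, the PBKDF2 parameters and the sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(store: dict, username: str, password: str) -> None:
    """Keep only (salt, hash) per account; the plaintext is never stored."""
    salt = os.urandom(16)  # unique random salt per user
    store[username.lower()] = (salt, hash_password(password, salt))

def find_reused(store: dict, leaked_pairs) -> list:
    """Return accounts whose leaked password matches the stored hash.

    Each leaked pair is looked up by username and re-hashed with that
    account's own salt, so no stored hash is ever reversed.
    """
    hits = []
    for username, leaked_password in leaked_pairs:
        record = store.get(username.lower())
        if record is None:
            continue  # leaked username has no account here
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):  # constant-time compare
            hits.append(username.lower())
    return hits

# Constructed sample data: three accounts and a leak from "another site".
accounts = {}
enroll(accounts, "alice@example.com", "correct horse battery staple")
enroll(accounts, "bob@example.com", "hunter2")
enroll(accounts, "carol@example.com", "hunter2")

leak = [
    ("bob@example.com", "hunter2"),        # same pair reused here: flagged
    ("alice@example.com", "Summer2018!"),  # different password here: not flagged
    ("dave@example.com", "hunter2"),       # no such account: skipped
]

print(find_reused(accounts, leak))  # -> ['bob@example.com']
```

Carol uses the same password as Bob but is not flagged, because only Bob's username appears in the leak and the per-user salts make their stored hashes differ, so one account's hash cannot be used to find others sharing its password.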
