Earlier this year, a Microsoft team scanned all customer accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services. Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases. The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts. "For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side," Microsoft said. Microsoft typically warns against using weak or easy-to-guess passwords when setting up an account, but these warnings don't cover password reuse scenarios. A complex password would pass Microsoft's checks, but Microsoft has no way of knowing if the user has reused that password in other places. The password best practice of using a password manager helps prevent password reuse, making it easy for users to select complex and new passwords for each of their accounts. Members are also encouraged to routinely check to see if their account has potentially been compromised, such as in a data breach incident. One way to do this is vis cybersecurity expert Troy Hunt’s “have i been pwned?” website. Read the articles at ZDNet and HelpNetSecurity.
H2Oex: In Person 1 day event/exercise. Thurs Dec 5th. Washington DC. Join us!