In spite of many, many public warnings, users of Windows and Microsoft’s various cloud-based services appear to still be committing the cyber sin of password reuse. The company released a report indicating that 44 million of its accounts had credentials matching username and password pairs found in leaked breach data, which means the same password had also been used for an account that was breached elsewhere. The figure came from comparing the company’s own user accounts against credentials leaked in various data breaches.
A threat to Microsoft customers?
This data does not represent a new threat to those with a Microsoft account. The company compared its internal data to some three billion records leaked in data breaches that occurred at other companies prior to 2019. The records were drawn from both law enforcement and public databases. The company scanned its Microsoft Services accounts, the standard account created to access various company online services such as Office 365 and the Microsoft Store, as well as the accounts of Azure Active Directory customers.
In response to the findings, Microsoft is forcing password resets on affected consumer accounts. For Azure Active Directory tenants it raises the affected user’s risk level (the leaked credentials risk detection in Azure AD Identity Protection) so that administrators overseeing those accounts are alerted and can enforce a reset. Users who have not been notified by Microsoft need take no additional action on that account, though the report is a useful prompt to check for password reuse across one’s own collection of online logins.
The company suggests that all users enable multi-factor authentication (MFA). Microsoft’s own figure is that an account with MFA enabled is more than 99.9% less likely to be compromised, and that successful breaches of MFA-protected accounts are rare enough that the company does not keep separate statistics on them. That figure concerns automated attacks such as breach replay, where a replayed password on its own no longer logs anyone in; MFA based on a one-time code can still be phished in real time, so it reduces the risk rather than removing it.
Password reuse is not just a Microsoft problem
Microsoft’s findings are in keeping with other recent studies that indicate password reuse is still a common problem.
An early 2019 study by Yubico and the Ponemon Institute found that at least half of all internet users can be expected to reuse passwords at some point, including 57% that continued with their password reuse even after being phished.
Google polling conducted earlier in the year found that 69% of adult internet users in the United States rated themselves “very highly” in terms of security practices, yet 65% admitted to password reuse.
A quick survey of similar research done in 2017 and 2018 by organizations such as LastPass and Keeper Security indicates that from about half to two-thirds of all end users can be expected to reuse passwords for multiple accounts, in spite of frequent warnings from tech companies and media.
The leading causes continue to be convenience and “password fatigue,” as end users juggle a collection of unique logins that never seems to stop growing. In business settings, simple shared passwords are often used to give multiple employees access to certain resources.
Javvad Malik, Security Awareness Advocate for KnowBe4, commented on the need for raised awareness of MFA and password managers as tools to combat these common issues:
“When we look at the sheer number of different services and apps that people use and require signing up for, it is little surprise that people reuse credentials. It’s why it is so important to educate and raise awareness among users as to the dangers of reusing credentials and how it can lead to account takeovers. Once people understand the risks, they can then make informed decisions to better protect themselves through means such as enabling MFA where available, and using a password manager to choose stronger and unique passwords for each site they register for.”
Some password managers provide the added benefit of performing regular scans similar to the one Microsoft did for this report, comparing their user databases to lists of known breached credentials. If your account information or password is found on one of these lists, you’ll automatically receive a warning about password reuse.
Additionally, Google offers a Chrome extension called Password Checkup that automatically checks saved usernames and passwords against lists of known breached credentials, and is building the same check into Chrome itself from Chrome 79 onward.
Breach replays and credential stuffing
Microsoft calls the reuse of leaked credentials against other services a “breach replay” attack: the attacker simply tries each leaked username and password pair at other services and banks on password reuse to get in.
Some people mistakenly believe they are unlikely to be singled out from a list of millions of breached credentials. They are not singled out at all. Cyber criminals most often use these lists indiscriminately in “credential stuffing” attacks, where automated tools try every username and password combination against many other sites and services, sometimes with slight variations on the breached password (a changed digit, an appended year) before moving on to the next entry. Whether you are a target depends only on whether your address is in the list, not on who you are.
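How that indiscriminate replay looks from the defender’s side can be captured in a few lines of detection logic. The following Python is an added example, not code from the article or from Microsoft; the log line layout, the sample lines (constructed, using RFC 5737 documentation addresses and invented user names) and the thresholds are all assumptions for the demonstration. The signature it looks for is the one credential stuffing leaves behind: one source trying many distinct usernames with a very high failure rate, with the handful of successes being exactly the accounts whose owners reused a leaked password.

```python
import re
from collections import defaultdict

# Constructed sample auth log (RFC 5737 documentation addresses, invented
# user names). The line layout "<ts> <src_ip> user=<name> result=<OK|FAIL>"
# is an assumption; adapt the regex to your IdP or reverse-proxy log format.
SAMPLE_LOG = """\
2019-12-05T10:00:01Z 203.0.113.10 user=alice result=FAIL
2019-12-05T10:00:02Z 203.0.113.10 user=bob result=FAIL
2019-12-05T10:00:02Z 203.0.113.10 user=carol result=OK
2019-12-05T10:00:03Z 203.0.113.10 user=dave result=FAIL
2019-12-05T10:00:03Z 203.0.113.10 user=erin result=FAIL
2019-12-05T10:00:04Z 203.0.113.10 user=frank result=FAIL
2019-12-05T10:00:04Z 203.0.113.10 user=grace result=FAIL
2019-12-05T10:00:05Z 203.0.113.10 user=heidi result=FAIL
2019-12-05T10:00:06Z 198.51.100.7 user=alice result=FAIL
2019-12-05T10:00:09Z 198.51.100.7 user=alice result=FAIL
2019-12-05T10:00:15Z 198.51.100.7 user=alice result=OK
2019-12-05T10:01:00Z 192.0.2.44 user=bob result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def score_sources(events, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs whose traffic has the stuffing signature: many distinct
    usernames from one source, almost all of them failing. A single user
    failing repeatedly from one IP (a forgotten password, or a brute force
    against one account) does not match and is left to other rules.
    The thresholds are demo assumptions; tune them to your own baseline."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "hits": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["hits"].append(e["user"])  # accounts the replay actually opened

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": fail_ratio,
                # These users' reused passwords worked: force a reset on them.
                "compromised": sorted(set(s["hits"])),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in score_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, only 203.0.113.10 is flagged (eight accounts tried, seven failures, and carol’s reused password worked); 198.51.100.7 is one user retrying their own password and is left alone. The `compromised` list is the actionable output: those are the accounts to reset, in the same way Microsoft forced resets on the accounts its own comparison matched.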
The amount of leaked login information available for credential stuffing attacks is staggering, and the pile only grows with time. As 2019 comes to a close, over 10 billion data records have been reported leaked this year alone. Even the biggest tech companies still have incidents that expose plaintext passwords: Facebook was found to have logged hundreds of millions of user passwords in plaintext on internal systems accessible to thousands of its employees, and Google disclosed that G Suite had been storing some passwords set by domain administrators in unhashed form since 2005.
Hackers and criminals actively compile breached credentials into massive “combo lists”, which are traded via underground forums. The biggest public example is the “Collection” series of early 2019, whose first instalment alone held roughly 773 million unique email addresses alongside the passwords leaked with them. What reaches the public likely only scratches the surface of the breached logins in circulation, as attackers often keep fresh data to themselves or sell it to a few select clients.
In terms of personal protection against compromise due to password reuse, Lamar Bailey, senior director of security research at Tripwire, provided the following comments:
“It’s good practice to ensure individuals have different passwords for different accounts, and these passwords should be passphrases that are not easy to guess. Educating the workforce about the basics of security, like not reusing passwords for numerous accounts or not clicking on malicious emails, links or attachments, will naturally reduce the threat of an attack. People are unfortunately the weak link in the security pyramid, with hackers preying on this naivety, and this needs to change.
“It is now critical that users check for compromised passwords and usernames on a regular basis. Many password vaults like LastPass and Dashlane will do this automatically for you, or you can use a service like https://haveibeenpwned.com/. If an account has been compromised, make sure to change that password. If you are following best practices and not reusing passwords, you limit the exposure greatly. Password vaults have tools to create secure unique passwords for sites, so reuse should be a thing of the past.”
At an organizational level, screening new passwords against breach lists at the moment they are set, and re-screening existing ones as new dumps appear, does a great deal to prevent future exposure; it is also the approach NIST recommends in SP 800-63B. Strong password policies offer some additional protection against a user whose password has leaked from another service, since several of the studies referenced earlier show a good deal of overlap between password reuse and the use of overly simple credentials. A forced reset is always warranted once a user’s credentials turn up in a breach list, but scheduled resets every few weeks or months tend to push users toward weaker, predictable variations of the same password, which is why SP 800-63B advises against expiring passwords on a fixed schedule.
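As an added example, not code from the article or from Microsoft, Tripwire or Have I Been Pwned, the following Python shows the screening step above the way a registration or password-change handler would perform it: hash the candidate with SHA-1, send only the first five hex characters to the Pwned Passwords range API (https://api.pwnedpasswords.com/range/{prefix}), and compare the remaining 35 characters locally against the `SUFFIX:COUNT` lines the API returns, so neither the password nor its full hash leaves your system (the API’s k-anonymity design). The range response, the breach counts, the decoy suffixes and the length rule are constructed or assumed for the demo; `live_fetch_range` is the real call and is not exercised offline.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords range endpoint so the demo runs
# offline. Each value mimics the API's "HASH-SUFFIX:COUNT" line format.
# "5BAA6" is the real SHA-1 prefix of the string "password"; the counts and
# the two other suffixes in that range are invented for the example.
FAKE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "FFD8F0A4DE0D9D7C7D8A4B6CE3D7D3C8A8F:1\n"
    ),
}


def fake_fetch_range(prefix):
    """Offline fetcher: unknown prefixes get an empty range, i.e. no hits."""
    return FAKE_RANGES.get(prefix, "")


def live_fetch_range(prefix):
    """Real lookup. Only the five-character prefix leaves the host; HIBP
    rejects requests without a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-screen"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sha1_split(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip anything odd."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fake_fetch_range):
    """How many times the password appears in breach data (0 = not seen)."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def screen_password(password, fetch_range=fake_fetch_range, min_length=12):
    """Return the reasons to reject a candidate password (empty list = accept).
    The length floor is an example policy value, not a published requirement."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    n = breach_count(password, fetch_range)
    if n:
        reasons.append(f"seen {n} times in known breaches")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "T4q!mR9@xB2#pLw7"):
        print(candidate, "->", screen_password(candidate) or ["ok"])
```

To run it against the live service, pass `fetch_range=live_fetch_range`; the rest of the code is unchanged. The same check can be scheduled over stored hashes only if you have the SHA-1 of the password, which a correctly salted password store will not give you, so the natural place for it is the moment the user submits a new password.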