Breach, Data Security, Identity

Same story all over again: Microsoft research finds millions of reused passwords


The loud pleas made by the cybersecurity industry, along with the repeated examples of what happens when login credentials are reused, seemingly have fallen on deaf ears as Microsoft found more than 44 million repeated passwords just for its Azure AD and Microsoft Services Accounts.

According to a newly published Microsoft Security Intelligence Report, the company's threat team checked more than 3 billion credentials and found a match for over 44 million Azure AD and Microsoft Services Accounts for the first quarter of 2019.

The credentials that were checked came from various data breaches and multiple sources, including law enforcement and public databases, and then were checked against credentials found in Microsoft systems to look for those that had been compromised.

Microsoft forced a reset to help those individuals whose reused logins were found. On the enterprise side, the company will elevate the user risk and alert the administrator so that a credential reset can be enforced.

The fact that so many people opt to use a basic set of login credentials is not surprising to KnowBe4 Security Awareness Advocate Javvad Malik, who said it’s simply a matter of being overwhelmed, plus a lack of education on the importance of having a strong sign-in strategy.

"When we look at the sheer number of different services and apps that people use and require signing up for, it is little surprise that people reuse credentials. Once people understand the risks, they can then make informed decisions to better protect themselves though means such as enabling MFA where available and using a password manager to choose stronger and unique passwords for each site they register for,” he said.

Using MFA is particularly effective. “Our numbers show that 99.9 percent of identity attacks have been thwarted by turning on MFA,” the report said.

However, despite the almost silver bullet lethality of MFA for several reasons it still struggles to find acceptance in the market.

"While MFA is one of the most cost effective ways to combat password reuse, user adoption has been slow. Productivity is key to any successful company and there’s a perception that MFA interrupts the end-user experience, slowing down business results. Hopefully this report from Microsoft’s threat research team will be the wake-up call that organizations need to take passwords out of the equation," said Martín Gallo, director of strategic research at SecureAuth.

End users also now have several tools they can use to see if any of their passwords have been compromised, noted Lamar Bailey, senior director of security research at Tripwire.

“It is now critical that users check for compromised passwords and usernames on a regular basis. Many password vaults like Lasspass and Dashlane will do this automatically for you or you can use a service like If an account has been compromised make sure to change that password. If you are following best practices and not reusing passwords, you limit the exposure greatly.  Password vaults have tools to create secure unique passwords for sites so reuse should be a thing of the past,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.