Eric Doerr, Group Program Manager for Microsoft's Account system, said on Sunday that 20 percent of Microsoft Account logins turn up on lists of compromised credentials stemming from attacks on other services such as Yahoo and Facebook. Naturally he criticised the practice of reusing the same passwords and login details across multiple services, since a single breached service can then lead to multiple account compromises.
"These attacks shine a spotlight on the core issue – people reuse passwords between different websites," he said on Sunday. "This highlights the longstanding security advice to use unique passwords, as criminals have become increasingly sophisticated about taking a list of usernames and passwords from one service and then 'replaying' that list against other major account systems. When they find matching passwords they are able to spread their abuse beyond the original account system they attacked."
Doerr said that Microsoft regularly receives lists of compromised external account information (email addresses and/or passwords from other networks) from a range of sources, including law enforcement agencies around the world, ISPs, and even other companies that run identity systems. These sources contact Microsoft so that affected users can be warned of a possible account compromise.
"You’d be surprised how often the lists – especially the publicly posted ones – are complete garbage with zero matches," Doerr said. "But sometimes there are hits – on average, we see successful password matches of around 20 percent of matching usernames. A recent one only had 4.5 percent overlap. This is actually exciting because it means that, on average, 80% of our customers are following safe password practices, and this reflects a growing sophistication in our customers."
He said that when Microsoft receives a list, the company first checks, through an automated hands-off process, whether the entries actually match any accounts and passwords in its system. It then looks for evidence of criminal activity, such as sending spam. Where there are such signs, the account is suspended until the owner goes through the recovery process.
"Occasionally we get information about a set of customers, but there isn’t enough account information to identify who has reused passwords and is therefore at risk," he said. "Then we have a judgment call – do we ask 100 percent of those customers to reset their passwords, even though only 20 percent are probably at risk? Or do we leave the 20 percent at risk to avoid inconveniencing the 80 percent?"
Where there is a credible threat, Microsoft would rather inconvenience 100 percent of its customers by resetting all passwords, he said.
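The matching and triage flow Doerr describes above (a list arrives, an automated match is run against the account store, accounts with abuse evidence are suspended, the rest are reset, and unverifiable entries fall under the judgment call) as an added Python example; this is not Microsoft's code, and the account store, the leaked list, the PBKDF2 hashing and the `credible_threat` policy flag are all constructed assumptions.

```python
import hashlib, hmac, os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account salt; the iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, abuse=()) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "abuse": list(abuse)}

# Constructed account store (no real users); "abuse" holds signals such as spam sending.
ACCOUNTS = {
    "alice@example.com": make_account("correct horse battery staple"),
    "bob@example.com": make_account("123456", abuse=["spam"]),
    "carol@example.com": make_account("hunter2"),
    "dave@example.com": make_account("unique-for-this-site"),
}

# Constructed list "from another service"; a None password means username only.
LEAKED = [
    ("alice@example.com", "correct horse battery staple"),  # reused password
    ("bob@example.com", "123456"),                          # reused, and spamming
    ("carol@example.com", "letmein"),                       # different password here
    ("dave@example.com", None),                             # cannot be verified
    ("erin@example.com", "whatever"),                       # not a customer
]

def triage(leaked, accounts, credible_threat=True):
    """Match a leaked list against the store and sort accounts into actions.
    Returns (overlap_rate, suspend, reset, unverifiable)."""
    checked, matched, unverifiable = 0, [], []
    for email, pw in leaked:
        acct = accounts.get(email)
        if acct is None:
            continue                     # not our customer: nothing to do
        if pw is None:
            unverifiable.append(email)   # list lacks the data to test reuse
            continue
        checked += 1                     # a matching username we can test
        if hmac.compare_digest(hash_password(pw, acct["salt"]), acct["hash"]):
            matched.append(email)
    overlap = len(matched) / checked if checked else 0.0
    # Reused password plus abuse evidence: suspend pending account recovery.
    suspend = sorted(e for e in matched if accounts[e]["abuse"])
    reset = sorted(e for e in matched if not accounts[e]["abuse"])
    if credible_threat:                  # judgment call: reset everyone we cannot verify
        reset = sorted(set(reset) | set(unverifiable))
    return overlap, suspend, reset, sorted(unverifiable)
```

The overlap rate is computed over matching usernames that carry a password, which is the denominator Doerr uses for his 20 percent figure.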
Currently the team is working on strengthening security by allowing longer passwords. "Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market," he added. "It's also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like '123456' not due to a lack of complexity."
To read the full post (including extra explanations in the comments section), head here.