
Hackers Have Access To 1 in 5 Microsoft Logins

Eric Doerr, Group Program Manager for Microsoft's Account system, said on Sunday that 20 percent of Microsoft Account logins are found on lists of compromised credentials stemming from attacks on other services such as Yahoo and Facebook. Naturally, he criticized the practice of using the same password and login details across multiple services, warning that a breach at one service can lead to the compromise of several accounts.

"These attacks shine a spotlight on the core issue – people reuse passwords between different websites," he said on Sunday. "This highlights the longstanding security advice to use unique passwords, as criminals have become increasingly sophisticated about taking a list of usernames and passwords from one service and then 'replaying' that list against other major account systems. When they find matching passwords they are able to spread their abuse beyond the original account system they attacked."

Doerr said that Microsoft regularly receives lists of compromised external account information (email addresses and/or passwords from other networks) from a variety of sources. These can include one of the many law enforcement agencies around the world, an ISP, or even another company that runs its own identity system. They contact Microsoft so that affected users can be informed of a possible account compromise.

"You'd be surprised how often the lists – especially the publicly posted ones – are complete garbage with zero matches," Doerr said. "But sometimes there are hits – on average, we see successful password matches of around 20 percent of matching usernames. A recent one only had 4.5 percent overlap. This is actually exciting because it means that, on average, 80% of our customers are following safe password practices, and this reflects a growing sophistication in our customers."

He said that when Microsoft receives a list, the company first checks, through an automated, hands-off process (no person handles the credentials), whether any of the entries actually match accounts and passwords in its system. It then looks for evidence of criminal activity on the matching accounts, such as sending spam. Where such signs are found, the account is suspended until the owner completes the recovery process.

"Occasionally we get information about a set of customers, but there isn't enough account information to identify who has reused passwords and is therefore at risk," he said. "Then we have a judgment call – do we ask 100 percent of those customers to reset their passwords, even though only 20 percent are probably at risk? Or do we leave the 20 percent at risk to avoid inconveniencing the 80 percent?"

Where there is a credible threat, Microsoft would rather inconvenience 100 percent of the affected customers by resetting all of their passwords, he said.
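The workflow Doerr describes (match a third-party list against the user store without exposing plaintext, check matched accounts for abuse, then reset or suspend, and decide what to do when a list carries only usernames) can be sketched in code. The following is an added example written for this article, not Microsoft's code; the accounts, passwords and abuse flags are constructed sample data, and PBKDF2 stands in for whatever password hash a real service uses.

```python
"""Defender-side handling of a leaked-credential list (added example, not
Microsoft's code). All emails, passwords and abuse flags below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# PBKDF2 is used only because it ships with the standard library; a production
# service would use a memory-hard hash such as Argon2 or scrypt.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of one password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_user_store(plain_users):
    """Simulate the service's user table: email -> (salt, hash).
    Plaintext is hashed at enrollment and never kept."""
    store = {}
    for email, password in plain_users:
        salt = secrets.token_bytes(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store


@dataclass
class LeakCheckResult:
    matched: list = field(default_factory=list)    # our user, same password: at risk
    unmatched: list = field(default_factory=list)  # our user, different password
    unknown: list = field(default_factory=list)    # not an account on our system

    @property
    def match_rate(self) -> float:
        """Share of matching usernames whose password also matched
        (the figure Doerr puts at roughly 20 percent on average)."""
        known = len(self.matched) + len(self.unmatched)
        return len(self.matched) / known if known else 0.0


def check_leaked_list(store, leaked_pairs) -> LeakCheckResult:
    """Automated, hands-off matching: each leaked password is hashed with the
    account's own salt and compared in constant time; nothing is logged."""
    result = LeakCheckResult()
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()
        entry = store.get(key)
        if entry is None:
            result.unknown.append(key)
            continue
        salt, stored_hash = entry
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            result.matched.append(key)
        else:
            result.unmatched.append(key)
    return result


def decide_actions(result: LeakCheckResult, abuse_signals) -> dict:
    """Policy from the article: a matched account showing abuse (e.g. spam) is
    suspended until recovery; a matched account without abuse is forced to
    reset its password; accounts that did not match are left alone."""
    actions = {}
    for email in result.matched:
        abused = abuse_signals.get(email, False)
        actions[email] = "suspend_until_recovery" if abused else "force_password_reset"
    return actions


def plan_for_usernames_only(store, leaked_emails, credible_threat: bool) -> list:
    """The judgment call for a list with usernames but no passwords: given a
    credible threat, reset every listed account that exists on our system."""
    affected = [e.strip().lower() for e in leaked_emails if e.strip().lower() in store]
    return affected if credible_threat else []


# Constructed sample data; not real accounts and not a real leak.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "unique-per-site-Xq7!"),
    ("carol@example.com", "123456"),
]
SAMPLE_LEAK = [
    ("Alice@Example.com", "correct horse battery staple"),  # reused password
    ("bob@example.com", "password-from-other-site"),        # different password
    ("carol@example.com", "123456"),                        # reused password
    ("dave@example.com", "whatever"),                       # not our user
]
SAMPLE_ABUSE = {"carol@example.com": True}  # constructed: carol's account sent spam


def run_sample():
    """Run the whole pipeline on the constructed data; returns (result, actions)."""
    store = build_user_store(SAMPLE_USERS)
    result = check_leaked_list(store, SAMPLE_LEAK)
    return result, decide_actions(result, SAMPLE_ABUSE)


if __name__ == "__main__":
    res, acts = run_sample()
    print(f"matched={res.matched} unmatched={res.unmatched} unknown={res.unknown}")
    print(f"match rate among known usernames: {res.match_rate:.0%}")
    print(acts)
```

Two details carry the security weight: the leaked password is hashed with the account's own salt rather than the stored hash being compared to anything in the clear, and the comparison uses `hmac.compare_digest` so the check itself leaks no timing information. The `unknown` bucket is what makes many public lists "complete garbage" for a given service: those usernames simply do not exist there.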

Currently the team is working on strengthening security by allowing longer passwords. "Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market," he added. "It's also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like '123456' not due to a lack of complexity."

To read the full post (including extra explanations in the comments section), head here.

  • A Bad Day
    Reusing passwords, '1234' password.

    The problem often exists between the chair and the keyboard.
  • nukemaster
    A Bad Day wrote: "Reusing passwords, '1234' password. The problem often exists between the chair and the keyboard."
    That's the kind of thing an idiot would have on his luggage! :)
  • _Cubase_
    I'm all for being safe, making sure passwords are different across multiple accounts, and using a full ASCII character set (with no dictionary words). But damn, that's a lot of complicated passwords to try and remember!

    Heck, as a result: some of my accounts are so secure, even I can't get into them any more!!
  • Camikazi
    _Cubase_ wrote: "I'm all for being safe, making sure passwords are different across multiple accounts, and using a full ASCII character set (with no dictionary words). But damn, that's a lot of complicated passwords to try and remember! Heck, as a result: some of my accounts are so secure, even I can't get into them any more!!"
    Yep, that has happened to me too. I made the password so good and so secure that I forgot it and had to reset the password.
  • captaincharisma
    A Bad Day wrote: "Reusing passwords, '1234' password. The problem often exists between the chair and the keyboard."
    Hey, passwords have to be at least 8 characters long these days, so it would be "12345678" :)
  • tomfreak
    Well Cubase, I have a whole list of different accounts and services with different long passwords, and for some of the rarely used logins I couldn't remember them at all. The good thing is I write all of them down in one place and keep it safe somewhere just as a reminder. So unless someone breaks into my house, it is much harder to retrieve all my logins via online hacking.
  • ltdementhial
    My last password was mA476FC31q7p8. I often have the same password for several things (MSN, Facebook, Steam, Twitter, Xbox Live/GFWL, PSN, here and there), but I change them every 2 months, sometimes even earlier (like when PSN got hacked, or the Steam leaked credit cards). But it works for me: I have had my Hotmail for 6 years and I have never been "hacked". With Twitter, FB and sites that require registration I never had a problem; FB and Twitter the same, only on Twitter did I once become a "bot" by making a retweet, but that was easy to fix. For Xbox Live, PSN and Steam I change the password only if they get hacked... I have only changed my Xbox Live/GFWL password 3 times, and that's because A: I forgot it or B: I feel that changing them is better.
  • I use a password "manager", like KeePass. (Heck, it is KeePass, but there are other solutions.)

    Use the same password if it doesn't matter, but use a unique password if it does. That means I have about 14 different passwords, which I could never remember. Also remember that length is a lot better than different characters, i.e. correcthorsebatterystaple is a lot better than Tr0ub4do&3 (check out xkcd if you don't believe this).

    But with software like KeePass, you can generate long random passwords in 1 second and never have to worry about remembering them.
  • velocityg4
    The main problem with multiple passwords is that people can't remember them all, or which password goes with which service. I'd imagine a large portion of that 80% of matching usernames with different passwords is because those usernames belong to different people, since so many just use their name or a popular word and accept a number placed after it. So JSmith12@gmail.com is likely a different person from JSmith12 at Tom's Hardware.

    Password managers have a similar flaw to using the same password for every site: all that needs to be broken is the password for the manager, and then all of them are broken. As many use remote servers, a hacker just needs to gain access to that server and they have all the passwords of all the users stored on that server.

    The other weakness never discussed is security questions. These have two fatal flaws. Usually the answer is much weaker than the password (i.e. "Best friend in high school?" Joe). To counteract this, my security question answers are as tough as my passwords. The second is that the password can be reset. This means the account is not encrypted by its unique password. While that means you can recover your account, it also means a hacker just needs to gain access to the system for access to thousands or millions of accounts.
  • therabiddeer
    A Bad Day wrote: "Reusing passwords, '1234' password. The problem often exists between the chair and the keyboard."
    That's amazing, I've got the same combination on my luggage!