<p>Between January and March this year, Microsoft&#8217;s threat research team scanned all Microsoft account passwords and compared them with a database that holds more than three billion leaked credentials.</p>
<p><img class="alignnone wp-image-3464 size-full" title="leaked passwords" src="https://www.wincert.net/wp-content/uploads/2019/12/password-2781614_640.jpg" alt="" width="640" height="448" /></p>
<p>The result was devastating: 44 million account passwords matched the database, including regular user accounts, Microsoft services accounts, and even Azure AD accounts.</p>
<p>Microsoft immediately forced a password reset for the accounts for which it found a match. Additionally, for Enterprise environments, Microsoft will elevate the user risk, alerting administrators to enforce password resets.</p>
<p>Even though Microsoft initiated password resets, that won&#8217;t stop users from choosing new passwords that have also been exposed as part of a security breach.</p>
<p>A <a href="https://people.cs.vt.edu/gangwang/pass" target="_blank" rel="noopener noreferrer">research study performed on 28 million user accounts</a> showed that 52% of users tend to reuse passwords or make small modifications to the original password. The same study also showed that 30% of those passwords, along with their small modifications, could be easily cracked with only 10 attempts.</p>
<p>The company also advises the use of Multi-Factor Authentication (MFA), a proven security mechanism that can dramatically improve security posture. According to Microsoft, 99.9% of identity attacks were prevented when MFA was used.</p>
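<p>A password-change check that covers both problems described above, rejecting new passwords that appear in a leaked corpus and new passwords that are only a small modification of a breached or previous one. This is an added example, not Microsoft&#8217;s or the study&#8217;s code; the corpus contents, the normalization rules and all function names are assumptions made for illustration.</p>

```python
import hashlib
import re

# Constructed sample data: SHA-1 digests standing in for a leaked-credential corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "summer", "dragon", "letmein")
}

# Common character substitutions, mapped back to the letter they usually replace.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# Digits and symbols added before or after a base word, as in "Summer2019!".
AFFIX = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def candidate_forms(password):
    """Return the password plus forms that undo common small modifications."""
    forms = {password, password.lower()}
    for form in list(forms):
        stripped = AFFIX.sub("", form)
        forms.update({stripped, stripped.translate(LEET), form.translate(LEET)})
    return {f for f in forms if f}


def is_breached(password):
    """True when any normalized form is present in the breached corpus."""
    return any(hashlib.sha1(f.encode()).hexdigest() in BREACHED_SHA1
               for f in candidate_forms(password))


def is_variant_of(new, old):
    """True when the new and old passwords share a normalized base form."""
    return bool(candidate_forms(new) & candidate_forms(old))


def check_new_password(new, old=None):
    """Return the reasons to reject a new password; an empty list means accept."""
    reasons = []
    if is_breached(new):
        reasons.append("breached password or small modification of one")
    if old is not None and is_variant_of(new, old):
        reasons.append("small modification of the previous password")
    return reasons
```

<p>SHA-1 is used here only as the lookup key for the corpus, not as a way to store user passwords.</p>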