From January to March 2019, Microsoft experts studied the situation and found that about 44 million users of Microsoft and Azure AD services were reusing the same passwords.
To do this, analysts compared user credentials against a database of three billion logins and passwords that had previously appeared in various data leaks. This huge dump was compiled both from law enforcement databases and from publicly accessible databases.
“We are forcibly resetting the password for leaked credentials for which we have found a match. No additional consumer action is required. At the corporate level, Microsoft will increase the risks of the user and warn the administrator that it is worth performing a reset of credentials,” experts write.
Experts note that, according to research conducted in 2018, almost 52% of the 30 million users reuse the same passwords and their variations. The same study showed that approximately 30% of these slightly changed passwords can be easily cracked in just 10 attempts.
Although Microsoft usually warns users who choose a weak or easily guessed password when setting up an account, these warnings do not cover password reuse. Microsoft has no way of knowing whether a user has used the same password elsewhere.
Microsoft also reminds users that multi-factor authentication is highly desirable because, according to the company, it protects against 99.9% of attacks.
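The comparison and follow-up actions described above can be sketched as follows. This is an added example, not Microsoft's code: the article does not say how the matching is implemented, so the salted PBKDF2 storage, the record layout, the action names and all sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs fast; not a production value

def hash_password(password, salt):
    """Salted PBKDF2 hash, standing in for the provider's stored verifier (assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_account(login, password, kind):
    """Build a directory record; only salt and hash are kept, never the plaintext."""
    salt = os.urandom(16)
    return {"login": login, "salt": salt, "hash": hash_password(password, salt), "kind": kind}

def match_leaked(accounts, leaked_pairs):
    """Return {login: action} for accounts whose current password is in the dump."""
    by_login = {a["login"].lower(): a for a in accounts}
    actions = {}
    for login, leaked_password in leaked_pairs:
        account = by_login.get(login.lower())
        if account is None:
            continue  # the leaked login does not belong to this directory
        # Re-hash the leaked plaintext with this account's own salt and compare
        # in constant time; the provider never needs its users' plaintext.
        candidate = hash_password(leaked_password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            # Consumer accounts are reset; enterprise accounts get a raised
            # risk level and an administrator alert, as the article describes.
            actions[account["login"]] = (
                "force_reset" if account["kind"] == "consumer"
                else "raise_risk_notify_admin"
            )
    return actions

# Constructed sample data: three directory accounts and four leaked pairs.
ACCOUNTS = [
    make_account("alice@example.com", "Summer2018!", "consumer"),
    make_account("bob@example.com", "x9#Lq-unique-7", "consumer"),
    make_account("carol@corp.example", "Tr0ub4dor", "enterprise"),
]
LEAKED = [
    ("ALICE@example.com", "Summer2018!"),  # same password still in use
    ("bob@example.com", "oldpassword1"),   # leaked, but since changed
    ("carol@corp.example", "Tr0ub4dor"),   # enterprise account match
    ("dave@example.net", "hunter2"),       # not one of our users
]

if __name__ == "__main__":
    for login, action in match_leaked(ACCOUNTS, LEAKED).items():
        print(login, action)
```

A match is only possible because the dump contains plaintext passwords; without such a dump the provider cannot tell that a password is reused elsewhere.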