Microsoft conducted a password reuse analysis on more than 3 billion company accounts in 2019 to find out how many passwords Microsoft customers use. The company collects password hash information from public sources, obtains additional data from law enforcement agencies, and uses this data as a basis for comparison.
An analysis of password usage in 2016 showed that about 20 percent of Internet users reuse passwords, and another 27 percent use passwords that are almost identical to those of other accounts. A 2018 study found that most Internet users still prefer weak passwords to secure passwords.
Companies such as Mozilla and Google have introduced features that improve password usage. Google released its password check extension in February 2019 and began building it into its browser in August 2019. The company also introduced a new password check for Google accounts on its website in 2019. Mozilla integrated Firefox Monitor, which is designed to check for weak passwords and monitor whether they have been compromised, into the Firefox browser.
Microsoft has been pushing for passwordless logins for some time, and the company's password reuse study offers a reason. According to Microsoft, 44 million Azure AD and Microsoft service accounts use passwords that can also be found in the database of compromised passwords. That is about 1.5 percent of all the accounts the company examined in the study.
Microsoft will now force a reset of the compromised passwords. Affected Microsoft users will be asked to change their account password. It is not clear how the information will be communicated to affected users or when the passwords will be reset. On the enterprise side, Microsoft will raise the user risk and alert administrators so that credential resets can be enforced. Microsoft recommends that customers enable a form of multifactor authentication to better protect their accounts from attacks and leaks. According to Microsoft, 99.9% of identity attacks will not succeed if multifactor authentication is used.