Microsoft conducted password reuse analysis on more than 3 billion corporate accounts in 2019 to find out how many passwords Microsoft customers are using. The company collected password hash information from public sources, received additional data from law enforcement agencies, and used both as a basis for comparison.
A 2016 analysis of password usage showed that about 20 percent of Internet users were reusing passwords, and another 27 percent used passwords "almost identical" to other account passwords. In 2018, a large proportion of Internet users still preferred weak passwords to secure ones.
Companies like Mozilla and Google have introduced features that improve password usage. Google released its password check extension in February 2019 and began integrating it natively into its browser in August 2019. The company also introduced a new password check for Google Accounts on its website in 2019.
Mozilla, on the other hand, integrated Firefox Monitor into the Firefox web browser; it is designed to check for weak passwords and monitor for leaks. In addition, computer users who use a separate password manager can check their passwords against a database of leaked passwords.
Microsoft, for its part, has been promoting passwordless logins for some time.
According to Microsoft, 44 million Azure AD and Microsoft Services accounts use passwords that can also be found in a compromised password database. This is about 1.5% of all the credentials the company examined in the study.
Microsoft cites a study that analyzed password usage for nearly 30 million users. The conclusion is that password reuse and modification are common among 52% of users, and that "30% of the modified passwords and all reused passwords can be cracked within 10 guesses".
Therefore, Microsoft will force a reset of the compromised passwords. Microsoft account customers will be asked to change their account password, although it is not clear how the information will be communicated to affected users or when the passwords will be reset.
On the enterprise side, Microsoft will elevate the user risk and alert administrators so that credential resets can be enforced.
Microsoft recommends that customers enable a form of multifactor authentication to better protect their accounts from attacks and leaks. According to Microsoft, 99.9% of identity attacks are not successful if multifactor authentication is used.