Microsoft recently published a report describing how it found 44 million Microsoft account passwords matching leaked credentials collected from various past data breaches. This is an alarming number, and Microsoft is now forcibly resetting the passwords of the Microsoft accounts whose credentials match those known breach databases.
Microsoft's identity threat research team did not compare plain-text passwords, because those are not available to Microsoft. Instead, it compared password hashes against the hashes in the huge databases of breaches collected from multiple sources. A match means that the password hash has been leaked by the hackers.
If your Microsoft account is among these 44 million, you may be forced to reset your account password. Keep the following points in mind when setting a new password:
- Do not reuse the old password with a small modification. People who try to break into your account using the leaked credentials make small changes to the known password and keep trying, so slightly modifying the password is as bad as not changing it at all.
- Do not use a password shorter than 10 characters. The way hackers find your plain-text password is by matching the password hash against a dictionary of hashes of generated passwords. If your password is short, even a typical PC can "guess" your password this way. If you increase the password length, it will take much longer to crack.
- Make the password more complex by adding special characters. Just as a longer password forces a computer to take longer to crack it, a more complex password also makes it harder to guess, because it broadens the character set the computer has to check.
- Use a strong password generator. Instead of thinking of a strong password yourself, you can use dedicated programs such as SterJo, Dalenryder or IObit Random Password Generator, or web apps such as the Norton password generator, which generate very strong passwords based on all the known criteria (length, special characters and so on).
- Use a password manager. We use so many accounts that it is not practical to memorize that many strong passwords, so we often compromise on password strength and use weaker passwords just because they are easy to remember. This is why password managers are so important: with a password manager we do not have to memorize these passwords, as they are all stored in its encrypted database, which means we can use passwords as strong as we want. We have reviewed many password managers in the past, such as YIva, Password Boss, Padlock, Buttercup and Password Gorilla.
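As an added example (not code from the article or from Microsoft), the following Python script applies the points above to a candidate new password: it matches the password's hash against a constructed set of leaked hashes, as the post describes Microsoft doing, flags a minor variant of the old password, and estimates the brute-force keyspace from length and character set. The hash function (SHA-1), the guess rate and the leaked set are assumptions made for the illustration.

```python
import hashlib
import string

# Constructed stand-in for a breach database: hashes of a few weak passwords.
# Assumption: SHA-1 only illustrates hash matching; the post names no hash.
LEAKED_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein")
}
GUESSES_PER_SECOND = 1e10  # assumed offline guess rate for the estimate

def is_leaked(password: str) -> bool:
    """Match the candidate's hash against the leaked set; plain text is never compared."""
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_HASHES

def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, from the character classes present."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def crack_time_seconds(password: str) -> float:
    """Worst-case brute-force time: keyspace is charset_size ** length."""
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND

def is_minor_variant(old: str, new: str) -> bool:
    """Flag 'Summer2019' -> 'Summer2020' style edits: same core after stripping digits/symbols at the ends."""
    def core(p: str) -> str:
        return p.strip(string.digits + string.punctuation).lower()
    a, b = core(old), core(new)
    if not a or not b:
        return a == b
    return a in b or b in a

def evaluate(old: str, new: str) -> list:
    """Return the labels of the rules from the post that the candidate breaks."""
    checks = [
        (is_leaked(new), "leaked"),
        (is_minor_variant(old, new), "minor-variant"),
        (len(new) < 10, "too-short"),
        (not any(c in string.punctuation for c in new), "no-special-chars"),
    ]
    return [label for failed, label in checks if failed]
```

An 8-character lowercase password falls within seconds at the assumed rate, while four more lowercase characters push the estimate past a hundred days, which is the length effect the post describes.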
In addition to using a very strong password following the tips above, you should also enable multi-factor authentication (MFA), which can foil the attempts of anyone trying to break into your account even if they know your login credentials. Usually MFA requires you to set up an authentication app on your smartphone that generates time-based unique codes, which must be entered at login in addition to the usual credentials (username and password). You can begin by enabling two-step verification for your Microsoft account.