By analyzing a database covering three billion users, Microsoft discovered that tens of millions of already hacked passwords were still being used to access its services.
44 million! This is, according to the Microsoft Threat Research Laboratory, the number of users across all of the firm’s services reusing credentials that have already been hacked in the past. This figure was obtained by processing a database of more than three billion credentials that have “leaked” on the Internet.
By comparing this database with the accounts of its users, the IT giant now knows that tens of millions of its users are still using these already hacked credentials. Microsoft therefore sent them a message asking them to change their password urgently.
It must be said that while most accounts now require passwords containing at least a capital letter, special characters and numbers, almost two out of three Internet users systematically reuse the same password for practically all their accounts. Under these conditions, it is enough for one of the services used to be hacked for the stolen passwords, however strong, to be usable by an attacker on all of a user’s accounts.
Do your credentials circulate on the web?
Microsoft’s approach is therefore original, since no service seeks to know if the credentials created for an account have already been hacked before. In practice, it is of course difficult to create and remember a separate password for each service. Remembering them is almost impossible, given that on mobile most applications stay permanently logged in.
Under these conditions, to strengthen security, it is preferable to use a password manager, available either as a browser add-on or as an application. This type of software automatically generates and stores unique passwords. LastPass is one example.
Finally, note that to check whether an e-mail address and its credentials are part of a hacked database, it is possible to use a site like Have I Been Pwned?
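The point made above, that a password can satisfy complexity rules and still be unsafe because it has already leaked, can be checked by a service when a password is set. The following is an added example, not code from this article or from Microsoft: the breached list is constructed sample data, all function names are hypothetical, and the prefix/suffix lookup is modelled on the range-query format of Have I Been Pwned's Pwned Passwords service, simulated locally so it runs offline.

```python
import hashlib

# Constructed sample corpus standing in for a leaked-password database.
BREACHED = ["password", "123456", "Summer2019!", "Summer2019!", "qwerty"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords):
    """Group hashes by 5-character prefix: {prefix: {suffix: times_seen}}."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index

def range_lookup(index, prefix):
    """Lookup side: receives only the prefix, returns 'SUFFIX:COUNT' lines."""
    bucket = index.get(prefix, {})
    return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))

def breach_count(index, password):
    """Caller side: send the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    for line in range_lookup(index, digest[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if suffix == digest[5:]:
            return int(count)
    return 0

def meets_complexity(password):
    """Capital letter, number and special character, as the article lists."""
    return (any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

def screen_password(index, password):
    """Decision at password set/change time."""
    if not meets_complexity(password):
        return "reject: complexity"
    if breach_count(index, password) > 0:
        return "reject: breached"
    return "accept"

INDEX = build_index(BREACHED)
```

Only the first five hash characters ever leave the caller, so the lookup side never learns which password was being checked.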