Why Microsoft’s hack data means you may need new logins and passwords

If you’ve recently had a password hacked, you’re not alone.

The volume of password attacks has increased to an estimated 921 attacks per second. According to the latest Microsoft Digital Defense Report, that’s a 74% increase in one year.

Big tech companies, including Microsoft, would prefer to do away with passwords entirely, and they’ve been making changes for an online future that is less reliant on this weak form of security.

Microsoft users can already securely access Windows, Xbox, and Microsoft 365 without using a password through apps like Microsoft Authenticator and technologies like fingerprints or face recognition. But many people still rely on passwords and don’t even use two-factor authentication, which is now considered critical.

“As long as passwords are still part of the equation, they are vulnerable,” wrote Joy Chik, Microsoft’s vice president of identity, in a September 2021 company blog post.

Here are six ways to stay protected.

Change identical usernames and passwords quickly, starting with your highest-risk accounts

For convenience, many users reuse the same username and password across multiple accounts, but doing so puts them at significant risk of having their information compromised. Based on a sample of more than 39 million IoT and OT devices, about 20% used identical usernames and passwords, according to the Microsoft report.

If you fall into this category, it’s time to take action. “Focus on the biggest risks first — email, finance, healthcare, and social media sites,” said Chris Pierson, founder and CEO of BlackCloak, a cybersecurity company that specializes in protecting company executives and employees from targeted attacks.

Telling a person who has many identical website logins and passwords to change them all at once is akin to advising someone to lose 50 pounds by running 20 miles a day and going cold turkey on sweets, he said. A more manageable starting recommendation would be a daily 15-minute walk around the block and small dietary changes. The same applies to password protection, Pierson said. “Don’t change every single password you have. Focus on the highest risk, most damaging accounts.”

Use a password manager to encrypt your data

To keep track of passwords safely and efficiently, security experts recommend using a reputable password manager such as 1Password or KeePass. The user only has to remember one long, strong master password, and the manager stores the others in encrypted form. Password managers can also generate strong, random passwords that are extremely difficult to crack. Although this means relying on a third party, password managers generally do a good job of protecting customer data, said Justin Cappos, an associate professor at the NYU Tandon School of Engineering whose focus is cybersecurity and privacy.

Choose strong passwords if you don’t use randomization

While randomly generated passwords are a good practice, not everyone enjoys using them. If you don’t, at least make sure you’re using credentials that can’t be easily cracked. For example, you could string together four random words like sun, water, computer, and chair for one account and use a different set of four words for another account, said Roy Zur, founder and CEO of cybersecurity training company ThriveDX.

According to Security.org, a website that reviews security products, it would take a computer about 23 million years to crack the phrase moneycashcheckbank. In contrast, the password “jesus” could be cracked instantly, while the same word with a capital “J” could be cracked in about 9 milliseconds, according to the website.

Enable multi-factor authentication

Some services, such as Apple Pay, require this extra layer of security for accounts. Even where a vendor doesn’t require it, security experts say multi-factor authentication is a valuable and underused security tool.

The idea behind multi-factor authentication – which requires two or more pieces of identifying information – is to make it harder for criminals to infiltrate your accounts. Hackers target the weakest link, “and your role isn’t to be the weakest link,” Zur said.

For this purpose, it’s wise to use an authenticator app like Google Authenticator or a hardware token like a YubiKey instead of SMS whenever possible, Cappos said. That’s because SMS is vulnerable to SIM swapping and other attacks. “For a motivated hacker, bypassing SMS is not difficult,” he said.

The Google Voice ecommerce scam shows why you should never share a password

Shared credentials are a problem that comes up all too often, according to the Identity Theft Resource Center’s 2022 Business Impact Report. When asked about the root cause of an account takeover, 45% of businesses said someone clicked on a phishing link or shared account information with someone posing as a friend; 29% said someone shared account credentials with a hacker claiming to be a potential customer, vendor or prospect.

“Passwords are like chewing gum. People shouldn’t share,” Cappos said.

Also, never give out a one-time code, even if scammers make the reason for the request appear legitimate, said Eva Velasquez, president and executive director of the Identity Theft Resource Center.

An increasingly common scam involves fraudsters posing as interested buyers on online marketplaces. They instruct a seller to read back a one-time code supposedly sent by the buyer, often with the stated purpose of “verifying the seller’s identity and legitimacy,” which is what lures victims, Velasquez said. In reality, the code lets the scammers create a Google Voice account linked to the seller’s phone number. They can then commit other scams using a Google Voice number that can’t be traced back to them, she said. The scam is so widespread that the ITRC has created an instructional video on how affected consumers can reclaim their number.

Apple or Microsoft contacting you? They probably weren’t

In addition to giving up passwords or other sensitive information by clicking on seemingly legitimate links in emails, text messages or social media, people also fall for tech support scams that start with computer pop-ups or phone calls. Scammers pretend to be from reputable companies like Apple or Microsoft and offer to help with a security issue they claim to have identified. Consumers are tricked into allowing unrestricted access to their computer, giving thieves the opportunity to steal their passwords and other personal information or to demand payment for bogus services, Pierson said.

Remember that reputable companies do not randomly contact consumers and offer their help with computer problems. Pierson said consumers should not engage with anyone who is unfamiliar, particularly if that person’s information cannot be verified by independent and reliable means. “Googling a phone number isn’t something we would recommend either,” he said.
