Microsoft has reiterated that passwords are no longer a viable security method and multi-factor authentication (MFA) is better. In a blog, the company says users who enable MFA on their accounts will be protected from 99.9% of automated attacks.
This is not just Microsoft talking up its own account protection. In fact, the company says the 99.9% blocking ability will work on any website or service where multi-factor authentication is supported.
So, the message from Microsoft is clear: If MFA is available, use it. This could be advanced biometrics like eye or fingerprint sensors, added security questions, SMS-based one-time code passwords, and more.
“Your password doesn't matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.
Moving Away from Passwords
Microsoft has doubled down on its password-less future. In a recent Windows 10 20H1 preview build, the company introduced passwordless settings. Insiders can head to Settings > Accounts > Sign-in to see the new options, which allows users to switch Microsoft Account logins to Fingerprint, PIN only, or Windows Hello Face recognition.
Weinert says passwords are no longer viable protection, no matter how they are used. Even advising users to “never use a password that has ever been seen in a breach” or “use really long passwords” does not really prevent attack these days.
Weinert was part of the Microsoft team that handled password bans following a Microsoft Account and Azure AD breach in 2016. Following this breach, Microsoft Account holders trying to use a password from before the attack were told to change their credentials. However, Weinert says even this mitigation didn't prevent hackers compromising accounts.
Password Breach Methods
He says this is because passwords don't act as a blocker anymore, no matter how complicated they are. Weinert points to the following practices used by hackers to bypass passwords:
| Attack | Also known as . . . | Frequency | Difficulty: Mechanism | User assists attacker by . . . | Does your password matter? |
| Credential Stuffing | Breach replay, list cleaning | Very high – 20+M accounts probed daily in MSFT ID systems | Very easy: Purchase creds gathered from breached sites with bad data at rest policies, test for matches on other systems. List cleaning tools are readily available. | Being human. Passwords are hard to think up. 62% of users admit reuse. | No – attacker has exact password. |
| Phishing | Man-in-the-middle, credential interception | Very high. 0.5% of all inbound mails. | Easy: Send emails that promise entertainment or threaten, and link user to doppelganger site for sign-in. Capture creds. Use Modlishka or similar tools to make this very easy. | Being human. People are curious or worried and ignore warning signs. | No – user gives the password to the attacker |
| Keystroke logging | Malware, sniffing | Low. | Medium: Malware records and transmits usernames and passwords entered, but usually everything else too, so attackers have to parse things. | Clicking links, running as administrator, not scanning for malware. | No – malware intercepts exactly what is typed. |
| Local discovery | Dumpster diving, physical recon, network scanning. | Low. | Difficult: Search user's office or journal for written passwords. Scan network for open shares. Scan for creds in code or maintenance scripts. | Writing passwords down (driven by complexity or lack of SSO); using passwords for non-attended accounts | No – exact password discovered. |
| Extortion | Blackmail, Insider threat | Very low. Cool in movies though. | Difficult: Threaten to harm or embarrass human account holder if credentials aren't provided. | Being human. | No – exact password disclosed |
| Password spray | Guessing, hammering, low-and-slow | Very high – accounts for at least 16% of attacks. Sometimes 100s of thousands broken per day. Millions probed daily. | Trivial: Use easily acquired user lists, attempt the same password over a very large number of usernames. Regulate speed and distributed across many IPs to avoid detection. Tools are readily and cheaply available. See below. | Being human.
Using common passwords such as qwerty123 or Summer2018! |
No, unless it is in the handful of top passwords attackers are trying. |
| Brute force | Database extraction, cracking | Very low. | Varies: Penetrate network to extract files. Can be easy if target organization is weakly defended (e.g. password only admin accounts), more difficult if appropriate defenses of database, including physical and operation security, are in place. Perform hash cracking on password. Difficulty varies with encryption used. See below. | None. | No, unless you are using an unusable password (and therefore, a password manager) or a really creative passphrase. See below. |
