Microsoft's One Trick that Blocks 99.9% of Account Hacks
After analysing more than 300-million unauthorised sign-in attempts every day, Microsoft has revealed the best way to stop account hacks on your email addresses.
Microsoft has revealed the most effective way in which you can assure your email accounts stay secure in the modern era, after analysing the data of more than 300-million fraudulent sign in attempts that take place every single day.
The company says that users that opt-in and utilise multi-factor authentication (MFA) on their accounts will block 99.9% of automated attack attempts on that address. “Based on our studies,” Alex Weinert, group program manager for identity security and protection at Microsoft wrote in a blog post which you can access here, “your account is more than 99.9% less likely to be compromised if you use MFA.”
Dismissing popular notions, Alex Weinert also says that tips like “never use a password that has ever been seen in a breach,” and the go-to “use really long passwords,” aren’t nearly as effective as enabling two-factor authentication.
According to ZDNET, “he [Alex], should know. Weinert was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft’s Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was leaked in a previous data breach were told to change their credentials.”
“But Weinert said that despite blocking leaked credentials or simplistic passwords, hackers continued to compromise Microsoft accounts in the following years. He attributed this to the fact that passwords or their complexity don't really matter anymore. Nowadays, hackers have different methods at their disposal to get their hands on users’ credentials, and in most cases, the password doesn’t matter,” Catalin Cimpanu says.
Weinert says that the notion that long passwords will keep your account safe are “inconsistent with our research, and with the reality our team sees as we defend against 100s of millions of password-based attacks every day. Focussing on password rules, rather than things that can really help - like multi-factor authentication, or great threat detection - is just a distraction,” he says.
“To understand why, let’s look at what the major attacks on passwords are and how the password itself factors into the equation for an attacker. Remember that all your attacker cares about is stealing passwords so they, or others, can access accounts. That’s a key difference between hypothetical and practical security - your attacker will only do really wacky, creative stuff you hear about at conferences when there’s no easier way, and the target of the attack justifies the extra effort,” Weinert continued to explain.
Microsoft’s recommendation extends further than just Microsoft applications, and should be utilised on all web-based sign ins, wherever possible. There are exponentially more hosts and sites that have opted to enable multi factor authentication for their sign ins, as they’re extremely effective in curbing the number of successful automated attempts at signing into your email address.
“If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless if it’s something as simple as SMS-based one-time passwords, or advanced biometrics solutions,” Cimpanu writes.