Microsoft recently announced that the usernames and passwords of 44 million Microsoft accounts are freely available online.
While this sounds like a public relations disaster, these credentials weren’t leaked by Microsoft – they were stolen from third parties.
When a hacker gains access to a username or password that’s reused across multiple accounts, they automatically gain access to all of those accounts. If one of your employees reuses their login details, then a data breach at a completely unrelated company could compromise all of your corporate apps and confidential customer data.
Every time Microsoft identified a leaked password or username, they secured that user’s account by forcing a password reset. However, even with the help of proactive, security-focused companies such as Microsoft, password and username reuse was implicated in 80% of 2019’s hacking-related breaches.
To help protect your business, we’ll be sharing 4 steps you can take to ensure that a completely unrelated website, app or service doesn’t leak your employees’ passwords.
Password reuse: Is my business at risk?
According to LastPass’ 2019 Global Password Security Report, the average employee reuses a password 13 times – that’s 13 opportunities for hackers to gain access to your corporate accounts and data!
Password reuse represents a huge security risk for businesses of all sizes and across all industries, but there are a few factors that can put your business at greater risk. If you’re an SMB (Small or Medium Business) with fewer than 1,000 employees, then your staff are far more likely to reuse their passwords, compared to companies with over 1,000 staff. With 60% of SMBs closing their doors following a cyber-attack, a data breach at an unrelated company has the potential to destroy your business.
LastPass also found that businesses in the technology, software, media and advertising sectors were at the greatest risk of password reuse. If your business specializes in media or advertising, then your employees are twice as likely to reuse their passwords, compared to all other industries.
Do you operate in a high-risk industry? Or do you fall into the SMB bracket? The good news is that, no matter how great your risk, there are steps you can take to help protect your business from password reuse.
1. Arrange some staff training
If you’re going to reduce password reuse, then your staff need to be aware of the dangers.
It’s common knowledge that we should all be using long, complex and unique passwords for all of our accounts. However, your employees probably already have a long list of passwords that they’re struggling to remember, so even the most security-conscious and tech-savvy employee will sometimes be tempted to take shortcuts.
Perhaps an employee uses a slight variation on the same password; maybe they’ve created a handful of long, complex and obscure passwords that they assign to their accounts at random; or perhaps they don’t see a major issue with using the same password for accounts that are completely unrelated.
To help keep your business safe, your employees need to understand that any kind of password reuse poses a huge risk to your business. Forwarding your employees this article is a great place to start, but we’d also recommend sharing Microsoft’s research into the dangers of password misuse.
If you’re serious about protecting your business, then you may also want to arrange some formal security training, such as our phishing mitigation services – or why not schedule a consultation with one of our specialist engineers, who can work with you to devise a training plan that’s uniquely tailored to your needs?
2. Create a password blacklist using Azure
Reusing passwords across multiple accounts puts your business at risk, but you’re particularly vulnerable if your employees reuse any of the most common passwords.
A password spray attack is where a hacker attempts to gain access to a large number of accounts by trying each of the most commonly used passwords. Hackers typically try a single password against one account before moving on to the next account, rather than repeatedly targeting one account, which makes spray attacks notoriously difficult to detect. Once a hacker has identified a user’s password, they’ll immediately have access to any other accounts where that user has used the same password.
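Because a spray spreads its attempts thinly across many accounts, per-account lockout never fires; the pattern only shows up when failed sign-ins are grouped by source. The sliding-window heuristic below is an added example (not code from the original article or from Microsoft): it scans constructed Azure AD-style sign-in events and flags a source IP that fails against many distinct accounts with only a few attempts each. The event tuple layout, the thresholds and the sample events are assumptions to tune against your own logs; the error code 50126 is Azure AD’s “invalid username or password” result.

```python
"""Password-spray detection over Azure AD-style sign-in events.

Added illustration, not the article's own content. The event tuple layout,
the thresholds and the sample events are constructed assumptions; real
Azure AD sign-in logs carry more fields, but the heuristic keys only on
the pattern that defines a spray: one source, many accounts, few attempts
per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source_ip, result_code).
# "0" is a successful sign-in; 50126 is Azure AD's "invalid username or
# password" code (AADSTS50126).
SAMPLE_EVENTS = [
    # One source cycling through six accounts, one attempt each: a spray.
    ("2020-01-15T09:00:01", "alice@contoso.example", "203.0.113.7", "50126"),
    ("2020-01-15T09:00:04", "bob@contoso.example",   "203.0.113.7", "50126"),
    ("2020-01-15T09:00:07", "carol@contoso.example", "203.0.113.7", "50126"),
    ("2020-01-15T09:00:10", "dave@contoso.example",  "203.0.113.7", "50126"),
    ("2020-01-15T09:00:13", "erin@contoso.example",  "203.0.113.7", "50126"),
    ("2020-01-15T09:00:16", "frank@contoso.example", "203.0.113.7", "50126"),
    # One source hammering a single account: brute force, not a spray.
    ("2020-01-15T09:10:00", "alice@contoso.example", "198.51.100.9", "50126"),
    ("2020-01-15T09:10:10", "alice@contoso.example", "198.51.100.9", "50126"),
    ("2020-01-15T09:10:20", "alice@contoso.example", "198.51.100.9", "50126"),
    ("2020-01-15T09:10:30", "alice@contoso.example", "198.51.100.9", "50126"),
    ("2020-01-15T09:10:40", "alice@contoso.example", "198.51.100.9", "50126"),
    # A user mistyping once and then signing in: benign.
    ("2020-01-15T09:20:00", "carol@contoso.example", "192.0.2.1", "50126"),
    ("2020-01-15T09:20:30", "carol@contoso.example", "192.0.2.1", "0"),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real timestamp and a failure flag."""
    ts, user, ip, code = raw
    return {"ts": datetime.fromisoformat(ts), "user": user.lower(),
            "ip": ip, "failed": code != "0"}


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=3):
    """Return one alert per source IP whose failed sign-ins, inside some
    `window`-long span, touch at least `min_users` distinct accounts while
    no single account is tried more than `max_per_user` times.

    The per-account cap is what separates a spray from a brute force: a
    spray stays under lockout thresholds by design, so only the
    cross-account view reveals it.
    """
    failures_by_ip = defaultdict(list)
    for event in sorted((parse_event(e) for e in events), key=lambda e: e["ts"]):
        if event["failed"]:
            failures_by_ip[event["ip"]].append(event)

    alerts = []
    for ip, fails in failures_by_ip.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Keep the widest qualifying window seen for this source.
                if best is None or len(per_user) > len(best["users"]):
                    best = {"ip": ip, "users": sorted(per_user),
                            "first_seen": fails[start]["ts"],
                            "last_seen": fails[end]["ts"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(f"possible spray from {alert['ip']}: {len(alert['users'])} accounts "
              f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

On the constructed sample only the first source is flagged: the brute-force source touches one account and the mistyping user fails once. To run it over a real export, adapt `parse_event` to the columns of your sign-in log and expect to raise or lower the thresholds after looking at a week of normal traffic.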
According to Microsoft, the following 10 passwords are the most commonly-used in spray attacks:
Hopefully, none of your staff think that protecting their corporate account with “123456” is a good idea, but why take the risk? To keep your business safe, you should assume that at least one of your employees will use an insecure password at some point.
You can guarantee that none of these passwords will ever be used in the workplace by creating a banned password list. With this list in place, your employees will see an error message if they ever attempt to use an insecure password.
You can build a banned password list in Microsoft Azure:
- Sign into the Azure Portal.
- Select “Azure Active Directory.”
- In the left-hand menu, choose “Security,” followed by “Authentication methods > Password protection.”
- Find the “Custom banned passwords” section and push its accompanying slider into the “On” position.
- Enter all the passwords that you want to ban. In addition to the top 10 most commonly-used passwords, we’d also recommend banning Office-themed passwords, such as “Office2020,” “Azure20” or “Microsoft2020.”
- When you’re happy with your list, click “Save.”
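To see what the banned list actually catches once it is switched on, here is a local check that mimics the scoring approach, as an added example rather than the article’s content or Microsoft’s code. The substitution table, the substring scoring and the threshold of 5 follow Microsoft’s public description of Azure AD Password Protection and should be treated as assumptions to confirm against current documentation; the service’s fuzzy (edit-distance) matching is left out, and the banned list here is a constructed stand-in that includes the Office-themed terms recommended above.

```python
"""Local check modelled on the way Azure AD Password Protection scores a
candidate password against a banned list.

Added illustration, not the article's content and not Microsoft's code.
The substitution table, the substring scoring and the threshold of 5
follow Microsoft's public description of the feature; treat them as
assumptions to confirm against current documentation. Azure also applies
fuzzy (edit-distance) matching, which is left out here.
"""

# Leetspeak substitutions undone before matching (assumed table).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Microsoft's global banned list is not published. This constructed stand-in
# mixes a few common passwords with the Office-themed terms the article
# recommends banning.
BANNED = ["password", "123456", "qwerty", "letmein",
          "office", "office2020", "azure", "azure20",
          "microsoft", "microsoft2020"]

MIN_SCORE = 5  # scores below this are rejected (assumed threshold)


def normalize(password):
    """Lower-case and undo common substitutions so 'P@ssw0rd' becomes 'password'."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password, banned=BANNED):
    """Return (score, matched_tokens).

    Every banned token found in the normalized password counts as a single
    point no matter how long it is; every remaining character counts as one
    point. Tokens are tried longest-first so 'microsoft2020' is not counted
    as 'microsoft' plus four digits.
    """
    remaining = normalize(password)
    matched = []
    for token in sorted(banned, key=len, reverse=True):
        norm = normalize(token)
        while norm in remaining:
            matched.append(token)
            # Collapse the match to one placeholder so it scores one point
            # and cannot help form a new match across its old boundaries.
            remaining = remaining.replace(norm, "\x00", 1)
    return len(remaining), matched


def check_password(password, banned=BANNED):
    """Return (accepted, reason) the way a sign-up form would report it."""
    score, matched = score_password(password, banned)
    if score < MIN_SCORE:
        return False, f"score {score} < {MIN_SCORE}; banned terms: {matched}"
    return True, f"score {score}"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123", "Office2020", "Azure20!!",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate)}")
```

The scoring is why a banned term plus a couple of digits still fails: “P@ssw0rd123” normalizes to “passwordl23”, the banned token collapses to one point and the three leftover characters bring it to 4, below the threshold. It also shows why the article suggests banning the full Office-themed strings rather than only the word “office”: with just “office” banned, “Office2020” would score 1 + 4 = 5 and scrape through.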
3. Consider investing in a password manager
Think of all the password-protected apps, websites, and services you use in a typical week.
Assuming you created a unique password for each account, you probably have a tonne of passwords that you need to remember – and your employees are exactly the same! Asking your staff to add just one more long, complex and unique password to their list may seem reasonable, but the chances of them reusing an existing password are high.
You can encourage your employees to create unique passwords, by giving them access to a reliable password manager. By storing their passwords in an app, your employees can create long, complex and unique passwords for every single account without ever forgetting their login details.
There are countless password managers on the market, but some popular options include Dashlane, LastPass, and Sticky Password. If you invest in a premium or enterprise password manager, then you may want to make this app available to your employees outside of the workplace. When it’s easy for your employees to use unique passwords in their work and personal life, they’ll be far less likely to reuse the same password for any app, service or website.
4. Boost your security by 99.9%
Strong, unique passwords can help protect your organization from digital attacks, but hackers are always coming up with new and sophisticated ways to steal your passwords.
Even if you follow all the advice in this article, hackers may still be able to trick your employees into exposing their passwords as part of a phishing scam, or they may use keystroke logging malware to record an employee’s password remotely.
With Microsoft recording over 300 million fraudulent sign-in attempts every single day, you shouldn’t rely on passwords alone to protect your organization.
Multi-Factor Authentication (MFA) can add a powerful additional layer of security to your organization, by requiring users to enter their password and then pass an additional security check. For example, an employee may be asked to enter a one-time PIN code that’s sent to their smartphone or perform biometric authentication using their fingerprint.
With MFA in place, a third party will be unable to access your confidential data and corporate applications, even if they have the correct password.
“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.
You can instantly protect your business from the majority of password-based attacks by making MFA mandatory across your entire organization:
- Log into the Microsoft 365 admin center.
- In the search bar, type “multi” and then select “Azure multi-factor authentication settings.”
- Choose “Manage multi-factor authentication.”
- Select all the accounts where you want to enable MFA.
- Towards the right side of the screen, select “Enable.”
- In the subsequent popup, select “Enable Multi-Factor Authentication.”
- Select all the accounts where you want to make MFA mandatory.
- Click the “Enforce” link.
- When prompted, select “Enforce Multi-Factor auth.”
All of your employees will now be required to set up MFA in order to access their accounts.
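The portal steps above switch the second factor on; what that factor has to do on the server side is easy to get wrong. The following is an added example (not the article’s or Microsoft’s code) of handling a one-time code of the kind sent to a user’s phone: the code is generated randomly, stored only as a salted hash, expires, is single-use, and has a capped number of attempts, and the password must pass before the code is even consulted. Delivery of the code (SMS or push) is out of scope; the class and function names, the six-digit length, the five-minute lifetime and the five-attempt cap are assumptions.

```python
"""Server-side handling of a one-time code sent to the user's phone.

Added illustration of the second factor the article describes; not the
article's or Microsoft's code. Delivery (SMS/push) is out of scope. The
names, the digit count, the lifetime and the attempt cap are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code sent to a phone should not live long
MAX_ATTEMPTS = 5         # the real defence against guessing a 6-digit code


class OtpStore:
    """Pending one-time codes keyed by user; `clock` is injectable for tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> {"salt", "digest", "expires", "attempts"}

    @staticmethod
    def _digest(code, salt):
        # Hashing limits exposure if the store leaks; it is not a substitute
        # for the attempt cap, since a 6-digit space is small.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user):
        """Create a fresh code for `user` and return it for delivery only."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(code, salt),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # hand to the SMS/push channel; never log it

    def verify(self, user, submitted):
        """Return (ok, reason). A code is consumed on success and discarded
        when it expires or the attempt cap is hit."""
        entry = self._pending.get(user)
        if entry is None:
            return False, "no pending code"
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False, "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return False, "too many attempts"
        # Constant-time comparison so timing does not leak digest prefixes.
        if hmac.compare_digest(self._digest(submitted, entry["salt"]), entry["digest"]):
            del self._pending[user]   # single use
            return True, "ok"
        return False, "wrong code"


def login(store, user, password_ok, submitted_code):
    """The second factor is only consulted once the password check passed,
    so a wrong password never burns an attempt on the code."""
    if not password_ok:
        return False, "bad password"
    return store.verify(user, submitted_code)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice@contoso.example")
    print(login(store, "alice@contoso.example", True, code))      # (True, 'ok')
    print(login(store, "alice@contoso.example", True, code))      # replay fails
```

The order of checks matters: expiry is tested before the attempt counter is touched, the counter is incremented before the comparison so a correct guess after the cap is still refused, and the entry is deleted on success so a captured code cannot be replayed.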
How secure is your business?
By following the techniques in this article, you can greatly reduce the risk of a malicious third party gaining access to your corporate apps and confidential customer data.
For more tips on how to keep your business safe, check out some of our other security blogs:
- Top 7 Ways to Secure Microsoft 365
- BYOD is Putting Your Business at Risk: 6 Ways to Keep Your Data Safe
- Do Ex-Employees Still Have Access to Your Data?
- Why Millennials are the Biggest Threat Facing Your Business
Or, why not let us do the hard work for you by claiming your free security assessment? Our team of specialist engineers will evaluate your business using Microsoft’s latest security tools, and provide a bespoke plan for boosting your business’ security.