Think Information. Think Security.
About 20% of Microsoft Account logins are found on lists of compromised credentials in the wake of hack attacks on other service providers, Microsoft Account group manager Eric Doerr noted in a blog post on Sunday, after the Yahoo breach last week that exposed 400,000 user details. People re-use passwords and login details across services from different providers, so when one service is compromised, other accounts are at risk.

Doerr revealed the figure in a run-down of some Microsoft Account security practices, meant to reassure customers after the Yahoo hack. Microsoft Account is a single sign-on tool for Microsoft services such as SkyDrive, Hotmail, Xbox and Messenger.

Comparing lists

Microsoft regularly gets lists of compromised third-party login details from ISPs, law enforcement and vendors, as well as from lists published on the internet by hackers. This information is checked against Microsoft login details using an automated process to check for any overlap. While 20 percent is the average, in one recent breach it was only 4.5 percent. The company also uses behavioural monitoring technology similar to that used by banks to log patterns of access and location, to see if an attempted login is suspicious. The technology can block the attempt, or ask an additional identity question to decide whether to grant access.
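
A provider that stores only salted password hashes can still run the kind of overlap check described above. The following is an added example, not Microsoft's code: the PBKDF2 scheme, the function names and the sample accounts and leak entries are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the provider's own scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed account store: normalized login -> salted hash (no plaintext kept).
ACCOUNTS = {
    "alice@example.com": make_record("correct horse battery"),
    "bob@example.com": make_record("hunter2hunter2"),
    "carol@example.com": make_record("unique-to-this-site"),
}

# Constructed third-party leak: (login, plaintext password) pairs.
LEAKED = [
    ("alice@example.com", "correct horse battery"),     # same password here
    (" Bob@Example.com", "hunter2hunter2"),             # same, messy formatting
    ("carol@example.com", "password-from-other-site"),  # known login, other password
    ("dave@example.net", "letmein"),                    # no account here
]


def check_leak(accounts: dict, leaked: list) -> dict:
    """Return logins seen in the leak and those whose current password matches."""
    known, reused = set(), set()
    for login, password in leaked:
        key = login.strip().lower()  # leaks rarely share our normalization
        record = accounts.get(key)
        if record is None:
            continue
        known.add(key)
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            reused.add(key)  # flag this account for follow-up
    return {"known": sorted(known), "reused": sorted(reused)}


if __name__ == "__main__":
    result = check_leak(ACCOUNTS, LEAKED)
    print(f"{len(result['reused'])} of {len(result['known'])} leaked logins reuse their password here")
```

Because each stored hash has its own salt, every leaked pair must be re-hashed against the matching account's salt, which is why the check is keyed by login rather than by comparing hash lists directly.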

Tightening security

The Microsoft Account team is working on tightening up security. For example, the current 16-character limit on password length is set to increase, to make brute force attacks more difficult. However, Microsoft is having problems making passwords longer because of its ecosystem: for historical reasons, the password validation logic is decentralised across different products. Yahoo, Gmail, Hushmail, Yandex and MyOperaMail all allow passcode lengths of 30 characters, as one Microsoft account holder, MondayBlues, pointed out in a comment.

Cross-posted from: ZD Net
