Microsoft’s decision to reset the passwords of 44 million accounts, is actually a good thing. If your account is affected, thank Father Gates, because Microsoft is alerting you to the fact that it searched a database of more than three billion leaked accounts and found information belonging to yours.
Microsoft has been forcing account resets for a good chunk of 2019. Whether you’ve been asked to create or new password or not, a recent security intelligence report from Microsoft offers the following suggestions for those looking to give their protect their accounts even more going forward:
“Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture. Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA. You can learn about Microsoft Azure MFA here. Microsoft also offers solutions to protect customers from breach replay attacks. This includes capabilities to flag users as high risk and inform the administrator to enforce a password reset.”
Account security is your job, not Microsoft’s
Honestly, Microsoft shouldn’t have to do this. I’m glad they are, and I wish all companies were as diligent about protecting their users’ logins. But you have this power, too.
First, you should always enable two-factor authentication on any account that offers it, period. It’s easy to figure out which companies and services let you do this, and it takes a trivial amount of time to set up. While this doesn’t guarantee perfect security, it makes it a lot harder for an attacker to break into your account even if they know your login and password.
Next, head on over to Have I Been Pwned? and throw in the email address you use for your accounts—probably your primary email address. Pull up your accounts for any services that appear on the list of breaches and change their passwords. (And check to see if those services offer 2FA, too.)
If you’d rather automate this, you have plenty of options. Tools like Firefox Monitor and Google’s Password Checkup can let you know when your account credentials are involved in a breach. Popular password managers like 1Password, LastPass, and KeePass (with a plugin) can also notify you when your saved credentials have been compromised.
There’s really no reason why you shouldn’t be using a password manager nowadays. Yes, many of the best options (e.g., 1Password) cost money ($4/month), but the convenience and security is money well spent. If you’d prefer not to spend money, LastPass offers a basic version for free
Stop using the same damn password
Beyond these steps, the usual password rules apply. Use password managers (or your favourite online generator) to create long, strong, complex passwords that you can store in your favourite password manager. Each site and service should get a unique password; if you’re lazy and use the same password for multiple sites, one breach and you’ll have to change all your passwords again.
(I’m currently dealing with this, as I have…too many services that I’ve been using similar passwords to access, and I’ll be spending part of my holiday break changing all of them. I’m not looking forward to it.)
But really, that’s it. It’s not that hard to keep yourself well-protected against most hacks that expose your account credentials. It only takes three steps:
Use unique passwords for every site and service
Enable two-factor authentication everywhere you can
Find a way to stay on top of account hacks, and change your passwords whenever they’re compromised
While this doesn’t mean that you’ll never find yourself having a bad day because of a security breach—especially if someone finds a way to break into your password manager or otherwise find a way to break into your two-factor authenticator app—I’m pretty confident in saying that these three steps should keep you safe for most of the account issues you’ll encounter.
Yes, you can get even more wild and start protecting yourself with hardware tokens and what-have-you, but if everyone took these basic measures, imagine how much safer the world’s accounts would be. Dramatic? Yes, but important.