Microsoft: 99.9% of compromised accounts did not use multi-factor
Posted: 06 Mar 2020
Speaking at the RSA security conference last week, Microsoft engineers said that 99.9% of the compromised accounts they track every month don't use multi-factor authentication, a solution that stops most automated account attacks.
The cloud giant said it tracks more than 30 billion login events per day and more than one billion monthly active users.
Microsoft said that, on average, around 0.5% of all accounts get compromised each month, a number that in January 2020 was about 1.2 million.
Hi,
Hacks don't happen on people's computers
Hacks hit ms servers so why not fix ms servers instead of making people jump through several hoops guessing which form of password you want time to time
Pin number nope
Phone number nope
Password nope
So bottom line fix your servers' security not busting people's balls on too many security protocols
People can't remember a password okay let them remember 2 other items too
Interesting article[s] but I agree with ThrashZone. Server protection could be significantly enhanced merely by the application of measures that MS introduced in Office 2010 file-open passwords [but wisely did not quantify] - deliberately slowing down the response speed of MS servers to each login attempt to a level that precludes brute force / dictionary attacks because they would be too slow for any practical purpose. And how many legitimate users would even notice, let alone be heartbroken by, an MS login that took 0.5secs rather than 0.5msecs [or whatever the real numbers might be]?
I think the MS marketing department wrote the conclusions to the investigation anyway - they want to sell businesses more security keys as well as the server software & the technical support contracts that go with them. The conclusion could so easily have been different and more closely related to the individual findings that were reported:
- use strong passwords,
- do not use the same password for more than one purpose,
- roast the knackers of anybody going through your desk or illicitly looking over your shoulder.
Hi,
Hacks don't happen on people's computers
Hacks hit ms servers so why not fix ms servers instead of making people jump through several hoops guessing which form of password you want time to time
Actually, it's an individual's account/s on the servers that get breached. My view is that it's up to the individual to take more responsibility for account security, as far as they are able to. Use of strong unique passwords and 2FA/MFA is hardly a novel idea, nor onerous. There are plenty of free tools that can help this be achieved too.
Hi,
Hacks don't happen on people's computers
Hacks hit ms servers so why not fix ms servers instead of making people jump through several hoops guessing which form of password you want time to time
Pin number nope
Phone number nope
Password nope
So bottom line fix your servers' security not busting people's balls on too many security protocols
People can't remember a password okay let them remember 2 other items too
I realize that I am taking a big risk here now, maybe even risking my presence on this virtual home of mine, but this must be said:
What an incredibly stupid and idiotic comment you posted!
Golden said:
Actually, it's an individual's account/s on the servers that get breached. My view is that it's up to the individual to take more responsibility for account security, as far as they are able to.
I realize that I am taking a big risk here now, maybe even risking my presence on this virtual home of mine, but this must be said: What an incredibly stupid and idiotic comment you posted! Kari
Hi,
Making you react like you did to something is spot on why it was posted as is
So bottom line fix your servers' security not busting people's balls on too many security protocols
Exactly. I recall times, when services actually emailed me about attempted failed logons. Not to mention, it was also like 5 tries and wait for 5 mins or so. This attack allowed hackers to use like a million passwords within an hour and it did not trigger any alert? I avoid 2FA as a plague, it is up to the provider to secure his server and not to store passwords in plain text and such. PayPal for example allows to use only 20 characters long password, that can be easily breached within days and I can use 200 characters long password on a forum? Unbelievable. But of course that they blame users, it is easier. And let's not even talk about pushed biometrics, once it is compromised, the user is done, because he can not change his eyes or fingerprints.
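The lockout recalled in the post above ("5 tries and wait for 5 mins") combined with the per-attempt delay suggested earlier in the thread, as an added example that is not part of any post and not Microsoft's implementation. `LoginThrottle`, `max_guesses` and the 0.5 s delay are assumptions made for illustration.

```python
import time

MAX_FAILURES = 5          # from the post: "5 tries"
LOCKOUT_SECONDS = 5 * 60  # from the post: "wait for 5 mins"
ATTEMPT_DELAY = 0.5       # assumed: the 0.5 s per-attempt response floated earlier


class LoginThrottle:
    """Per-account failure counter with a temporary lockout (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time at which the lockout ends

    def allowed(self, account):
        """True if a login attempt for this account may be evaluated now."""
        return self._clock() >= self._locked_until.get(account, 0.0)

    def record(self, account, success):
        """Update state after an attempt; returns True if the account is now locked."""
        if success:
            self._failures.pop(account, None)
            return False
        count = self._failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            # Start a fresh count once the lockout expires.
            self._failures[account] = 0
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return True
        self._failures[account] = count
        return False


def max_guesses(window_seconds):
    """Upper bound on guesses against one account in a window under both measures."""
    # One cycle: 5 delayed attempts (2.5 s) followed by the 300 s lockout.
    cycle = MAX_FAILURES * ATTEMPT_DELAY + LOCKOUT_SECONDS
    full, rest = divmod(window_seconds, cycle)
    return int(full) * MAX_FAILURES + min(MAX_FAILURES, int(rest // ATTEMPT_DELAY))
```

The counter is keyed by account, so the bound applies to guesses against a single account; attempts spread across many different accounts are not limited by it.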
... only 20 characters long password, that can be easily breached within days ...
Really? That's a step change from earlier speeds. When I last looked into this a 21 character fully-random password would only have a 1 in a million chance of being brute force / dictionary cracked within the 48 hour period that many cracking services were offering as their standard service.
[actually, that's 1/1,000,000 in 25 years time as I extrapolated using an assumed doubling in processing power every year instead of the commonly-used assumption of 18 months & I assumed processing by a 4 million PC botnet / equivalent based on GPU processing capabilities].
I just don't understand the resistance to 2FA, the majority of sites/applications only need to authenticate every 30 days or so and it is just so much more secure than a password alone, IMO not to use it when it's on offer is absolute stupidity.