Another dark month for passwords


January 2024 has just come to an end, and it was a dark month for our collective use of passwords. Nowadays, it’s common to get information about breaches and leaks on regular news channels, and during the past month, these two significant security announcements have been reported:

  • Microsoft email breach: Russian state-backed hackers broke into Microsoft's email systems and accessed the accounts of senior leadership members and the company's cybersecurity team. The hackers used password spraying, which means trying a single common password against many accounts rather than many passwords against one account.
  • The mother of all breaches (MOAB): MOAB exposed a mind-blowing 26 billion records of sensitive information from popular sites such as X, LinkedIn, Dropbox, Adobe and many more.

Who is affected?

In Microsoft's case, it seems that only the company's internal systems and operations are affected. For MOAB, anyone who has ever used any of the 3 800 services or apps included in the data set is at risk. You are at extra high risk if you tend to use the same password across multiple services, which most of us do. Password reuse is what makes the information so valuable to hackers: one leaked password can be replayed against every other site where it was used.

What can you do?

First of all, we recommend you check whether your data has been compromised at Have I Been Pwned. Go through the affected websites and update each with a new, strong password. Also, do this for every other website where you have used the same password. If you are not using a password manager, we recommend 1Password or any other solution. We like 1Password's Watchtower, which automatically checks your saved logins against known breaches to help you stay secure.

Make sure you use multi-factor authentication (MFA) wherever possible and even start to adopt passkeys for even better security.

What can you do for your business?

You should, of course, use MFA for all business users or go for passwordless alternatives such as passkeys or other solutions. By using an enterprise password manager, such as 1Password, it is possible to increase the use of strong, unique passwords among all employees.

We also believe firmly in reducing the use of passwords, or at least the number of places where a new, unique password has to be created. Authway is built to use existing identities in digital cooperation between organisations. We have simplified connecting your customers, partners, and other parties to your digital services without forcing users to create new accounts. Instead, we use their existing accounts, protected by their own work organisation.

Are you afraid that it is complicated? It used to be, but for all parties that use Microsoft Entra (formerly Azure AD, used in M365), we only require a single piece of information, and then it just works. Start with those, and the number of passwords you must protect will have decreased enormously.

PS! If you still need to support passwords, we can raise their security as well. For example, Authway supports checking a password against Have I Been Pwned, so that a password already present in a known breach is rejected.
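To show what such a breached-password check involves, here is an added example (not Authway's code) of the Have I Been Pwned Pwned Passwords lookup: only the first five hex characters of the password's SHA-1 hash are sent to the range endpoint, and the match is made locally against the returned suffixes. The `constructed_range_lookup` stand-in, its sample passwords and its counts are constructed for the offline demonstration and are not real breach figures.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Real HIBP range endpoint: GET /range/{first 5 hex chars of SHA-1}
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form HIBP uses for Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-char hash prefix (not called in the offline demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = fetch_range) -> int:
    """Return how often the password appears in breaches (0 = not seen)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]  # only the prefix leaves the host
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API; passwords and counts are constructed."""
    known = {"password": 3861493, "letmein": 12345}  # constructed sample data
    lines = [f"{sha1_upper(pw)[5:]}:{n}" for pw, n in known.items()
             if sha1_upper(pw)[:5] == prefix]
    lines.append("0000000000000000000000000000000000A:0")  # padding-style entry
    return "\r\n".join(lines)


def is_acceptable(password: str,
                  range_lookup: Callable[[str], str] = fetch_range) -> bool:
    """Policy hook: reject any password seen in a known breach."""
    return pwned_count(password, range_lookup) == 0
```

Swapping `constructed_range_lookup` for the default `fetch_range` turns the same policy check into a live query, still without ever sending the full hash or the password itself.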

To learn more about Authway, contact us today.

Eric Quist