Microsoft have published an excellent article on the Azure Active Directory Identity Blog titled Your Pa$$word doesn’t matter.

Although it gets pretty technical at times, if you’re interested in security, I recommend at least skimming it.

If you want my one paragraph summary, it is this:

Passwords are fundamentally broken. Unless you take fairly extreme measures with passwords, your account can be hacked.

If an attacker steals an encrypted password database, there are systems they can build (either physically, or in the cloud) that can crack 100 Billion passwords per second using a common hash function for $30k ($20k USD)

There are publicly available lists of passwords that have been exposed in the many breaches over the years with over 500 M actual passwords that people are using.

The $30k cracking rig can test every password on that list against an a 200 encrypted account passwords in a database in just one second.

70% of passwords people use are on this list. That means that a determined attacker could reasonably break 140 accounts per second.

Further, if they had to guess completely random passwords, they can try every single eight-character password (with lower-case, upper-case, numbers and symbols) in less than 24 hours.

Nine characters takes around 100 times longer, around three months. Ten characters takes 21 years.

From this, one key take-away message is that longer is better with passwords. Substituting letters with $ymb01s is of very limited use. Complex passwords are really no more difficult for computers to guess – hackers know all the rules you use to make them. Long passwords take exponentially longer to guess – it’s the best protection.

The other, and possibly more important, message is that multi-factor authentication (either with an app, a security key or an SMS message) prevents over 99% of all account hacks.

Even if someone has your password (which, as we’ve seen, is not difficult to steal or guess), without having that 6-digit randomly changing code number, it’s impossible to log in. Further, with multi-factor enabled, if someone does have your password and tries to log in, you will be alerted with a message on your phone, or an SMS message, with the code. This will immediately alert you to a breach and you can change your password.

If you want to enable MFA on your accounts (and you really should) then talk to us and we’ll walk you through the process.