Eric Doerr of The Windows Blog published a post on keeping your Microsoft Account more secure. One of the things he points out is that about one in five users reuse passwords across multiple services; the company knows this because it frequently receives lists of compromised external account credentials from sources such as ISPs and law enforcement agencies. Full details over here.
When we get a list, first, we check to see if it actually matches any accounts and passwords in our system. This is done in an automated and secure way so no human actually sees the account info of our customers.
You’d be surprised how often the lists – especially the publicly posted ones – are complete garbage with zero matches. But sometimes there are hits – on average, we see successful password matches of around 20% of matching usernames. A recent one only had 4.5% overlap. This is actually exciting because it means that, on average, 80% of our customers are following safe password practices, and this reflects a growing sophistication in our customers.
Next, we look to see if there is evidence of criminal activity, like sending spam. If we do see signs of criminal activity, we suspend the account and ask the rightful owner to go through account recovery to regain control. In other cases we simply ask the customer to change their password (before any harm can be done)...
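As an added illustration of the matching-and-triage workflow quoted above (example code written for this page, not Microsoft's own system), the script below checks a leaked credential list against a store of per-user salted PBKDF2 hashes, reports how many usernames and how many passwords actually matched, and then decides per account whether to suspend it for recovery or simply force a password change. It assumes leaked lists arrive as `username:password` lines, that usernames are matched case-insensitively, and that an abuse signal (such as spam sending) is supplied separately; the store, the leak list and the abuse signals are all constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; real systems tune this).
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash; plaintext never needs to be stored or logged."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_store(creds):
    """Build {username: (salt, hash)} from (username, password) pairs.
    Only used here to construct sample data; a real store already holds hashes."""
    store = {}
    for user, pw in creds:
        salt = os.urandom(16)
        store[user.lower()] = (salt, hash_password(pw, salt))
    return store


@dataclass
class LeakCheckResult:
    usernames_matched: int = 0      # leaked usernames that exist in our system
    passwords_matched: int = 0      # of those, leaked passwords that still verify
    flagged: list = field(default_factory=list)


def check_leak_list(store, leaked_lines):
    """Automated comparison: each leaked line is verified against the stored hash
    and immediately discarded, so no person reviews customer credentials."""
    result = LeakCheckResult()
    for line in leaked_lines:
        if ":" not in line:          # garbage lines are common; skip them
            continue
        user, _, pw = line.partition(":")
        user = user.strip().lower()
        rec = store.get(user)
        if rec is None:
            continue
        result.usernames_matched += 1
        salt, expected = rec
        if hmac.compare_digest(hash_password(pw, salt), expected):
            result.passwords_matched += 1
            result.flagged.append(user)
    return result


def password_match_rate(result):
    """Share of matching usernames whose leaked password was still valid
    (the figure the post reports as roughly 20% on average)."""
    if result.usernames_matched == 0:
        return 0.0
    return result.passwords_matched / result.usernames_matched


def triage(flagged, abuse_signals):
    """Accounts showing abuse are suspended and pushed through account recovery;
    the rest are asked to change their password before harm is done."""
    return {
        user: "suspend_and_recover" if abuse_signals.get(user) else "force_password_change"
        for user in flagged
    }


# --- constructed sample data (not real accounts or a real leak) ---
SAMPLE_CREDS = [("alice", "correct-horse-battery"), ("bob", "hunter2"), ("carol", "xyz-pass")]
SAMPLE_LEAK = [
    "alice:correct-horse-battery",   # username and password both match
    "bob:not-his-password",          # username exists, password differs
    "dave:whatever",                 # unknown username
    "this line is garbage",          # malformed entry
    "Carol:xyz-pass",                # matches after case normalisation
]
SAMPLE_ABUSE = {"alice": True}       # e.g. alice's account has been sending spam


def run_example():
    store = make_store(SAMPLE_CREDS)
    result = check_leak_list(store, SAMPLE_LEAK)
    return result, password_match_rate(result), triage(result.flagged, SAMPLE_ABUSE)


if __name__ == "__main__":
    res, rate, actions = run_example()
    print(f"username matches: {res.usernames_matched}, password matches: {res.passwords_matched}")
    print(f"password overlap: {rate:.1%}")
    for user, action in actions.items():
        print(f"{user}: {action}")
```

On the sample data, three leaked usernames exist in the store but only two of the leaked passwords still verify, giving a 66.7% overlap; alice is suspended for recovery because of the abuse signal, while carol just gets a forced password change. Because verification runs against the stored hash with a constant-time compare and the plaintext line is dropped right after, the check fits the "automated and secure way" the post describes.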