Microsoft Security And Safety

Microsoft accounts are a handy way to sign in to several online platforms and services, such as sending emails with Outlook, storing files on OneDrive, working together on Microsoft Teams, and planning with Outlook Calendar.

And because the Microsoft account is used to access all those services, it’s essential to use strong Microsoft security measures to protect your account.

If you don’t secure it, a Microsoft account can quickly turn from a helpful tool into a source of trouble and stress once someone else gets into it.

Your risk acceptance level should determine the measures you need to take to keep your Microsoft account secure.


Microsoft security is crucial, but it’s not the sole factor to bear in mind.

No matter how stringent the security measures are, a Microsoft account remains exposed if its owner hands over the login credentials to a phishing site, loses access to the 2FA method, or suffers a severe accident.

Therefore, you should strongly consider raising your digital safety awareness and applying the measures needed to keep your Microsoft account safe.


Important notice: Do your research.

Our content is intended to be used and must be used for informational purposes only. It is not intended to provide investment, financial, accounting, legal, tax, or other professional advice.

It is essential to research and verify any information you find on this website or any other website.

Define Your Microsoft Account Risk Acceptance Level

Before proceeding, it’s essential to evaluate your comfort with risk, considering:

– The type of assets accessible through your Microsoft account.

– The value associated with those assets.

This assessment is crucial for determining the appropriate security measures for your Microsoft account. 

For instance, someone with a medium-level risk acceptance might find an authenticator app sufficient as a Two-Factor Authentication (2FA) method.

For someone with a low-level risk acceptance, a hardware security key would be the wiser 2FA choice.

Understanding and aligning your risk acceptance level with the security measures needed will help ensure the safety of your account.

Microsoft Risk Acceptance Matrix

Think about how you use your Microsoft account and the consequences if you lose access or the account is compromised due to a hack.

Microsoft account used for communications (e.g., Outlook):

While some people may send relatively unimportant emails (low-value accounts), many use their Microsoft accounts to send and receive emails containing sensitive information (medium or high-value accounts).

A compromised Microsoft account is more than an inconvenience: Personally Identifiable Information (PII) from your mailbox can be stolen and sold to people with malicious intentions.

Or, even worse, once the attacker reads through your emails, they can find out which other digital platforms you use and try to get into them through password recovery.

The attacker requests a password-reset link to be sent to the compromised Microsoft account and takes over your other digital accounts one by one.

Define your Microsoft security and safety risk acceptance level (high, medium, or low) by considering the impact if someone gets access to your email communications, including all your contacts and all the attachments sent and received from your account.


Microsoft account used to access third-party applications:

A Microsoft account can be used to sign up and sign in to many digital platforms (e.g., Twitter, YouTube, etc.) and online services. Therefore, the value of a Microsoft account can be determined by assessing the number and value of platforms to which it gives access.

Losing access to a Microsoft account (e.g., forgotten credentials or hacking) can be a significant problem if that prevents access to many other digital accounts or services.

Define your Microsoft security and safety risk acceptance level (high, medium, or low) by considering the impact if someone gets access to your Microsoft account and finds out that it can be used to log into your Twitter account, YouTube account… and that malicious person temporarily takes over those platforms.

Microsoft account used for digital media monetization

Content creators can generate revenue through several platforms, for example by monetizing a YouTube channel or a Twitter (X) account.

A compromised Microsoft account can sometimes lead to significant personal and financial loss.

Define your Microsoft security and safety risk acceptance level (high, medium, or low) by considering the impact if someone gets access to your Microsoft account and temporarily or permanently disrupts the income you generate through that account.

Microsoft Account Low Risk Acceptance Example

For example, consider John’s case, who has two Outlook accounts:

– He considers his primary Outlook account very valuable because he uses it for sending and receiving sensitive emails (e.g., receiving utility bills, receiving phone and internet bills, sending job applications with CVs containing sensitive information…). Additionally, he uses his primary account for a Microsoft 365 subscription and his Twitter account.

– The secondary Outlook account is a disposable account he uses to log in to unimportant websites. While losing access or having the account compromised would be a nuisance, it would not be a worrying loss.

John considers his primary Outlook account very valuable, so for this account he has set the Microsoft security and safety risk acceptance to low and protects it with low-acceptance measures such as a security key for 2FA.

Have you defined your Microsoft account risk acceptance level already?

If yes, you are ready to define the most adequate security and safety measures for your particular situation.

A Strong and Unique Microsoft Account Password

A strong and unique password is the first layer of security to protect your Microsoft account from hackers or any other malicious person who wants to access your account.

Microsoft account password

A Strong Microsoft Account Password

It is common knowledge that a weak password can be cracked in seconds or minutes.

But be aware that many people are under the incorrect assumption that their passwords are strong, and that assumption is what leads to accounts being hacked.

It is best to learn how to create a strong password that can resist brute-force attacks for many years.


Of course, the stronger the password is, the longer and more complex it is, and the harder it is to remember and to type when your Microsoft account asks for it. Therefore, your password strength should match your risk acceptance level. The figures below are bits of entropy, which only mean what they say for passwords generated at random; a password you made up yourself with the same mix of characters is far weaker than its length suggests:

– Very weak password: Under 64 bits

– Weak password: 64-80 bits

– Moderately strong password: 80-112 bits

– Strong password: 112-128 bits

– Very strong password: Over 128 bits

A moderately strong password with 85 bits of entropy (as reported by a password entropy calculator) contains, for example, the following:

– Lowercase Latin letters: 5

– Upper case Latin letters: 3

– Digits: 3

– Special characters: 2

A strong password with 117 bits of entropy contains the following:

– Lowercase Latin letters: 7

– Upper case Latin letters: 5

– Digits: 3

– Special characters: 3

A very strong password with 131 bits of entropy contains the following:

– Lowercase Latin letters: 2

– Upper case Latin letters: 6

– Digits: 9

– Special characters: 3
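As an added worked example (not from the original page), the calculation behind those figures in Python: entropy is length × log2(pool size), and the page’s three examples come out at 85, 117 and 131 bits when the pool is the 94 printable ASCII characters (26 + 26 + 10 + 32 punctuation), which is the assumption made here. The block also generates passwords with the operating system’s CSPRNG and classifies them into the tiers above; the tier names and limits are the page’s, every function name is this example’s own.

```python
import math
import secrets
import string

# Character classes assumed by this example: 26 lowercase, 26 uppercase,
# 10 digits and the 32 ASCII punctuation characters (94 symbols in total).
# The page does not state the pool its calculator used; 94 reproduces its figures.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

# Entropy tiers as listed on this page (upper bound in bits, exclusive).
TIERS = [(64, "very weak"), (80, "weak"), (112, "moderately strong"), (128, "strong")]


def entropy_bits(lower=0, upper=0, digit=0, special=0):
    """Bits of entropy for a password of this composition, assuming every
    character was drawn uniformly at random from the union of the classes
    used. The split between classes does not matter; only length and pool
    size do. A human-chosen password with the same composition (e.g.
    'Password123!') is in every cracking dictionary and has far less real
    entropy than this figure suggests."""
    counts = {"lower": lower, "upper": upper, "digit": digit, "special": special}
    length = sum(counts.values())
    pool = sum(len(POOLS[name]) for name, n in counts.items() if n > 0)
    if length == 0 or pool == 0:
        return 0.0
    return length * math.log2(pool)


def tier(bits):
    """Map a bit count to the page's tiers."""
    for limit, name in TIERS:
        if bits < limit:
            return name
    return "very strong"


def composition(password):
    """Count characters per class; anything outside the four pools is ignored."""
    counts = dict.fromkeys(POOLS, 0)
    for ch in password:
        for name, pool in POOLS.items():
            if ch in pool:
                counts[name] += 1
                break
    return counts


def generate(length=20):
    """Generate a password with the CSPRNG from the 94-symbol pool.
    With all four classes present, entropy is length * log2(94) bits,
    so 20 characters clears the 128-bit 'very strong' bar."""
    alphabet = "".join(POOLS.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(n > 0 for n in composition(pw).values()):
            return pw


def assess(password):
    """Entropy and tier for a password, under the random-generation assumption."""
    bits = entropy_bits(**composition(password))
    return {"bits": round(bits, 1), "tier": tier(bits)}
```

Run `assess(generate())` to see a 20-character password land in the "very strong" tier, and `assess("Password123!")` to see why composition rules alone are not enough: twelve characters from the full pool compute to 78 bits, "weak" by the page’s own scale, before even considering that the string is guessed within the first few attempts of any dictionary attack.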

A Unique Microsoft Account Password

You must be aware that there is a high probability that, sooner or later, some of your personal information (e.g., email address, password) will be exposed in a data breach.

Once a data leak happens, the stolen data is sold and resold among criminals, and you will most likely become the target of account-takeover attempts or spear-phishing.

If you reuse one or two passwords across all your accounts, a single data breach exposes every account that shares the leaked password.

This works through password dictionaries, which are lists of leaked passwords available online, and through credential stuffing, where leaked email-and-password pairs are simply replayed against other services.

Trying such lists is a dictionary attack, a technique attackers use to break into your Microsoft account before resorting to a much slower brute-force attack.

If your digital security risk acceptance is medium or low, you should have (and maintain) a unique password for each of your digital accounts.

If your risk acceptance is high, you may feel comfortable reusing a password across several low-value accounts.


For low, medium, or high risk acceptance alike, your Microsoft account maintenance plan should include periodic reviews of sensitive data leaks (more on this below).

If you have decided to reuse passwords, identifying a leak early will let you change the compromised password as soon as possible.


Microsoft Account Password Backup Safe Storage

Because you follow the good practice of having strong and unique passwords for each of your accounts, you may need to write them down in case you forget one, including your Microsoft account password.

And, of course, your password backup must be stored safely, away from anyone who could use it to their advantage. That means everyone except your most trusted family members.


If you don’t have or cannot have a home safe, consider alternatives, such as encrypting the written backup so that the data remains protected if someone gets hold of it.

Enhance Microsoft Security With Two-Factor Authentication

Two-factor authentication (2FA) should be a must-have security feature for every Microsoft account, because there are convenient, free options that can be set up easily.

In the following sections, we briefly describe the 2FA methods that can be used to enhance Microsoft security.


SMS Authentication

SMS is the weakest type of 2FA, but it is free and requires no specific software, additional hardware, or maintenance.

Even people with a high risk acceptance should set up SMS if no other 2FA method is suitable, since any second factor is better than none.


SMS 2FA Advantages:

– Free

– Do not require additional software or hardware

– Many services offer SMS 2FA, making it widely accessible to users.

SMS 2FA Disadvantages:

– No backup possibility: if the SIM card is damaged or lost, it may take time to get a replacement.

– It is the weakest type of 2FA and is prone to SIM swap attacks.

SIM swapping is a technique hackers and scammers use to take over your phone number, intercept your SMS 2FA codes, and break into your digital accounts, mainly to get at your financial assets.


Prompt Notification

As described in ‘Learn about Windows Hello and set it up‘:

‘Windows Hello is a more personal, more secure way to get instant access to your Windows 10 devices using a PIN, facial recognition, or fingerprint. You’ll need to set up a PIN as part of setting up fingerprint or facial recognition sign-in, but you can also sign in with just your PIN.

These options help make it easier and safer to sign into your PC because your PIN is only associated with one device and it’s backed up for recovery with your Microsoft account. ‘

Prompt Notifications Advantages:

– Windows Hello employs biometric authentication, including facial recognition or fingerprint scanning, offering a higher security level than traditional passwords.

– Users can easily log in to their devices without memorizing and inputting complex passwords, enhancing user convenience.

– The prompt notification facilitates a faster authentication process, reducing the time required to access the device and improving the overall user experience.

Prompt Notifications Disadvantages:

– Windows Hello needs compatible hardware, such as a camera or fingerprint scanner, which may not be available on all devices. This could limit the accessibility of Windows Hello on specific systems.

– Some users may have concerns about the collection and storage of their biometric data, even though Windows Hello is designed to protect and encrypt this information to mitigate privacy risks.

– Windows Hello may not be universally supported by all applications or services, potentially restricting its utility in specific scenarios. Users may encounter limitations depending on the applications they use.

Microsoft Authenticator App

Authenticator apps, like Microsoft Authenticator or Google Authenticator, are free to download, install and use.

They are usually installed on mobile devices, so most people can have this authentication method up and running without hassle.

Two-factor authentication apps can be a viable option for those people with medium Microsoft security and safety risk tolerance levels.

Authenticator Apps Advantages:

– It is free

– It is a safer method than SMS authentication

– Authentication apps generate time-sensitive codes that are not easily intercepted.

– Authentication apps work even without an internet connection once set up.

– Creating a backup system for easy and fast recovery is possible if the mobile device is lost or damaged.

Authenticator Apps Disadvantages:

– It is not hack-proof: the codes can be phished. A real-time (adversary-in-the-middle) phishing page that forwards your password and the code you typed to the real site within the 30-second validity window gets in.

– There can be security concerns if the device where the authentication app is installed is lost or compromised.


Microsoft 2FA Mobile Device Lost

As described by Microsoft in ‘Back up and recover account credentials in the Authenticator app‘:

‘ The Microsoft Authenticator app backs up your account credentials and related app settings, such as the order of your accounts, to the cloud. You can then use the app to recover your information on a new device, potentially avoiding getting locked out or having to recreate accounts.


Each backup storage location requires you to have one personal Microsoft account, and iOS requires you to also have an iCloud account. You can have multiple accounts stored in that single location. For example, you can have a personal account, a work or school account, and a personal, non-Microsoft account like for Facebook, Google, and so on.’ 


Microsoft 2FA Mobile Device Stolen

If your mobile device is stolen, you can restore your Microsoft Authenticator accounts from the backup onto a new device.

Still, you should strongly consider erasing the stolen device immediately. 


As described in ‘Common questions about the Microsoft Authenticator app‘:

‘Adding Authenticator to your new device doesn’t automatically remove the app from your old device. Even deleting the app from your old device isn’t enough. You must both delete the app from your old device AND tell Microsoft or your organization to forget and unregister the old device.

  • To remove the app from a device using a personal Microsoft account, go to the two-step verification area of your Account Security page and choose to turn off verification for your old device.

  • To remove the app from a device using a work or school Microsoft account, go to the two-step verification area of either your My Apps page or your organization’s company portal to turn off verification for your old device.’

Security Keys

Security keys, also known as hardware keys, hardware tokens, or FIDO2 keys, are physical devices that provide an additional layer of security for online accounts. They are used as a form of two-factor authentication (2FA) and, with Microsoft accounts, can also serve as a passwordless sign-in method.

Hardware keys are considered one of the safest 2FA methods for the following reasons:

– Phishing Resistance: The key answers a cryptographic challenge with a signature that is bound to the website’s domain, which the browser supplies, so a lookalike phishing site cannot obtain a response the real site will accept, and there is no code for the user to type into the wrong page.

– Physical Possession Requirement: An attacker would need physical possession of the hardware key to compromise the authentication, adding an extra layer of security compared to methods that rely solely on codes sent to a user’s mobile device.

– No Dependency on Mobile Networks: Unlike text messages or app-based authentication, hardware keys do not depend on mobile networks or internet connectivity, making them more reliable in various situations.

– Tamper-Resistant: Hardware keys are designed to be tamper-resistant, making it difficult for attackers to manipulate or clone the device.

– Simple and Convenient: They are user-friendly and often involve a simple action, such as plugging in the USB key or tapping it on a device.


Security Keys Advantages:

– The safest 2FA method

– Hardware keys are not tied to a specific device, reducing the risk of device-related compromises.

– Hardware keys provide the highest protection against phishing and other attacks.

Security Keys Disadvantages:

– Hardware keys must be purchased, and they can be costly

– It is highly advisable to purchase a spare hardware key, and that adds more cost

– Some services may not support hardware keys, limiting their universal application.
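To make the phishing-resistance point concrete, an added example (not from the page, and not Microsoft’s or any key vendor’s code) models the WebAuthn/FIDO2 assertion flow in Python. A real key signs with a per-credential private key (ECDSA or EdDSA); this model substitutes a per-credential HMAC key so it runs on the standard library, and it simplifies the rpId derivation to the last two labels of the host. The domains `login.example.com` and `login.examp1e.com`, and every function name, are assumptions for illustration. What it keeps faithful is the part that matters: the browser, not the page, writes the origin into the client data, the credential is scoped to one relying-party ID, and the signature covers both.

```python
import hashlib
import hmac
import json
import secrets


class SecurityKey:
    """Model of a roaming security key. A real key holds a per-credential
    private key and returns an ECDSA/EdDSA signature; this model substitutes
    a per-credential HMAC key so the example runs on the standard library.
    What phishing resistance rests on is kept intact: the credential is
    scoped to one relying-party ID (rpId) and the signed data covers
    SHA-256(rpId) plus a hash of the client data that carries the origin."""

    def __init__(self):
        self._credentials = {}  # credential_id -> (rp_id, key)

    def make_credential(self, rp_id):
        cred_id = secrets.token_bytes(16)
        key = secrets.token_bytes(32)
        self._credentials[cred_id] = (rp_id, key)
        # A real key returns a public key here; the model returns the shared MAC key.
        return cred_id, key

    def get_assertion(self, cred_id, rp_id, client_data_hash):
        scoped_rp, key = self._credentials[cred_id]
        if scoped_rp != rp_id:
            # No credential for this rpId: a lookalike domain gets nothing.
            raise LookupError("no credential registered for rpId %r" % rp_id)
        # authenticatorData begins with rpIdHash; flags and counter omitted here
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        signature = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, signature


def rp_id_for(origin):
    """The browser derives the rpId from the page's origin; a page can only
    ask for its own registrable domain (simplified to the last two labels)."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return ".".join(host.split(".")[-2:])


def browser_get(key, cred_id, origin, challenge):
    """navigator.credentials.get() as the browser performs it: the browser,
    not the web page, writes the origin into clientData."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = key.get_assertion(cred_id, rp_id_for(origin),
                                       hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def relying_party_verify(cred_key, expected_origin, expected_rp_id,
                         challenge, client_data, auth_data, sig):
    """Server-side checks of the WebAuthn assertion ceremony."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != expected_origin:
        return False
    if bytes.fromhex(data.get("challenge", "")) != challenge:
        return False
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def demo(origin="https://login.example.com", phish_origin="https://login.examp1e.com"):
    """Register at the real site, then sign in there and on a lookalike."""
    rp_id = rp_id_for(origin)
    key = SecurityKey()
    cred_id, cred_key = key.make_credential(rp_id)
    results = {}

    challenge = secrets.token_bytes(32)
    cd, ad, sig = browser_get(key, cred_id, origin, challenge)
    results["legit"] = relying_party_verify(cred_key, origin, rp_id, challenge, cd, ad, sig)

    # The phishing page runs the same JavaScript, but the browser scopes the
    # request to examp1e.com and the key has no credential for that rpId.
    try:
        browser_get(key, cred_id, phish_origin, secrets.token_bytes(32))
        results["phish"] = "assertion issued"
    except LookupError:
        results["phish"] = "refused by key"

    # A captured legitimate assertion cannot be replayed: the challenge is single-use.
    results["replay"] = relying_party_verify(cred_key, origin, rp_id,
                                             secrets.token_bytes(32), cd, ad, sig)
    return results
```

Contrast this with the TOTP check: there, the server had no way to tell a relayed code from a typed one. Here the phishing site never even obtains an assertion, and if it somehow did, the origin and challenge inside the signed client data would not match what the real site expects.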


Microsoft Account Maintenance Plan

You may not think you need a Microsoft Account Maintenance Plan, but it is highly recommended to check the health of your Microsoft account, even if only a couple of times per year.

Your Microsoft Account Maintenance Plan should contain the following:

– A periodic review* to ensure that no foreign devices have been added to your account, because that can be an indication of a security breach.

– A periodic review* of recent activity, flagging anything unfamiliar so you can react quickly to a potential security breach.

– A periodic review* of third-party applications granted access to your account, because an unfamiliar third-party application can be an attempt to access or monitor your Microsoft account data.

– A periodic review* of leaked information on the dark web that could be used in spear-phishing attacks against you.

* Your risk acceptance levels should define the period between reviews. A low-risk acceptance level would require frequent reviews, while very sporadic reviews may be sufficient for a high-risk acceptance level.

Review in What Devices You Are Signed In

Regularly reviewing the list of devices that have access to your Microsoft account ensures that you can quickly identify any device that does not belong to you.

An early identification of a foreign device will allow you to take action to minimize the impact. Because the longer someone has access to your account, the more damage can be done.


Recent Activity Review

By regularly reviewing the recent activity log, you can detect any unauthorized access or suspicious behavior.

In the situation illustrated here, an account receives several failed sign-in attempts from different locations within a short period: it is under a brute-force (password-guessing) attack.

This user has two options:

– Fortify the account with a strong, unique password and 2FA

– Back up any important data from the account, open a new Microsoft account, and close the old Microsoft account.
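An added example (not from the page) of how a reviewer might triage activity like this. The events are constructed to mirror the situation described, with field names invented for the example; Microsoft does not publish the recent activity page in this form. The logic groups failed sign-ins into time windows, counts the countries involved, and flags any successful sign-in from an unknown country or device, which, right after a burst, is the attacker getting in.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape of the information shown on the
# "Recent activity" page (time, outcome, location, device). The field
# names are this example's own, not an export format Microsoft provides.
EVENTS = [
    {"time": "2024-03-01T08:02:11", "result": "success", "country": "ES", "device": "Windows PC"},
    {"time": "2024-03-01T21:40:05", "result": "success", "country": "ES", "device": "iPhone"},
    {"time": "2024-03-02T03:14:02", "result": "failure", "country": "BR", "device": "unknown"},
    {"time": "2024-03-02T03:15:47", "result": "failure", "country": "RU", "device": "unknown"},
    {"time": "2024-03-02T03:17:20", "result": "failure", "country": "VN", "device": "unknown"},
    {"time": "2024-03-02T03:19:58", "result": "failure", "country": "NG", "device": "unknown"},
    {"time": "2024-03-02T03:21:33", "result": "failure", "country": "US", "device": "unknown"},
    {"time": "2024-03-02T03:25:10", "result": "success", "country": "US", "device": "Linux"},
    {"time": "2024-03-03T09:00:00", "result": "success", "country": "ES", "device": "Windows PC"},
]

# What the owner recognises as their own; everything else is "new".
KNOWN_COUNTRIES = {"ES"}
KNOWN_DEVICES = {"Windows PC", "iPhone"}


def parse(events):
    """Turn the ISO timestamps into datetimes; leave the other fields as they are."""
    return [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]


def failure_bursts(events, window=timedelta(hours=1), min_failures=4):
    """Find windows holding many failed sign-ins. Several distinct countries
    in one burst points at a distributed password-guessing or spraying
    campaign rather than one forgetful user on one connection."""
    fails = sorted((e for e in events if e["result"] == "failure"), key=lambda e: e["time"])
    bursts = []
    i = 0
    while i < len(fails):
        start = fails[i]["time"]
        group = [e for e in fails[i:] if e["time"] - start <= window]
        if len(group) >= min_failures:
            bursts.append({"start": start, "failures": len(group),
                           "countries": sorted({e["country"] for e in group})})
            i += len(group)
        else:
            i += 1
    return bursts


def suspicious_successes(events, known_countries, known_devices):
    """Successful sign-ins from a country or device the owner does not recognise."""
    out = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = []
        if e["country"] not in known_countries:
            reasons.append("new country %s" % e["country"])
        if e["device"] not in known_devices:
            reasons.append("new device %s" % e["device"])
        if reasons:
            out.append({"time": e["time"], "reasons": reasons})
    return out


def review(events=EVENTS, known_countries=KNOWN_COUNTRIES, known_devices=KNOWN_DEVICES):
    """Bursts alone mean 'under attack'; a burst plus an unrecognised success
    means the guessing very likely worked and the account should be treated
    as compromised (password change, 2FA, session and app review)."""
    parsed = parse(events)
    bursts = failure_bursts(parsed)
    hits = suspicious_successes(parsed, known_countries, known_devices)
    if bursts and hits:
        verdict = "likely compromised"
    elif bursts:
        verdict = "under attack"
    else:
        verdict = "clean"
    return {"bursts": bursts, "suspicious_successes": hits, "verdict": verdict}
```

On the sample data `review()` reports one burst of five failures from five countries and a success from a new country and device four minutes later, so the verdict is "likely compromised" and the response is the one the page gives under Scenario 1 below, not merely a password change.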

Third-Party Connections Review

While third-party connections can enhance your Microsoft account’s functionality, they pose potential security risks.

You can minimize vulnerabilities and maintain a secure online presence by periodically reviewing and controlling access and permissions.

As a rule of thumb, for medium or low-risk tolerance levels, do not grant any third-party connections that may have access to sensitive information. Do not grant access to any third-party application that can alter a Microsoft account.

In your Microsoft account, you can review which Android and iOS devices are linked to your account, as well as on which devices you have downloaded apps and games from the Microsoft Store.

Review Your Microsoft Account Presence in the Dark Web

“Have I Been Pwned” (HIBP) is a website that allows users to check whether their data, such as email addresses or passwords, has been compromised in data breaches. 


Here’s how you can use HIBP to check for Microsoft account data leaks and other threats:

Visit the Website:

Go to https://haveibeenpwned.com/ using your web browser.

Check Email Address:

On the homepage, enter the email address associated with your Microsoft account into the search bar.

View Results:

HIBP will tell you whether your email address has appeared in known data breaches. If it has, the site lists the breaches and the types of data exposed in each.

Check Passwords:

HIBP also allows you to check whether a password has appeared in a breach, through its “Passwords” (Pwned Passwords) section. This is particularly important if the password you use for your Microsoft account is also used elsewhere. The check is designed so that the password itself never leaves your browser: it is hashed locally and only the first five characters of the SHA-1 hash are sent (k-anonymity), with the rest matched on your device.

Set up Notifications:

HIBP offers a “Notify me” feature that allows you to receive notifications if your email address appears in future data breaches. This can help you stay informed about potential threats.

Use Other Features:

Explore other features on HIBP, such as the “Domain Search” that lets you check whether addresses on a specific domain have been involved in data breaches. This is useful for organizations monitoring their corporate email domains.
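As an added example not taken from the page, the k-anonymity lookup that the HIBP site performs in your browser, written in Python against the public Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<prefix>`). `fetch_range` does the live query; the block also carries a constructed excerpt of a range response (the counts and the other suffixes are made up) so the check can be run offline, and the `fetch` parameter, the function names and the User-Agent string are this example’s own.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password):
    """Pwned Passwords indexes SHA-1 of the UTF-8 password, upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """k-anonymity split: only the first 5 hex characters (20 bits) leave the
    device; the remaining 35 are compared locally against the returned range.
    Every range holds hundreds of hashes, so the server learns neither the
    password nor its full hash."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def count_in_range(body, suffix):
    """Parse the 'SUFFIX:COUNT' lines of a range response; 0 if not listed."""
    for line in body.splitlines():
        sfx, sep, count = line.strip().partition(":")
        if sep and sfx.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup over the network; the API asks callers to send a User-Agent."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches, 0 if never.
    `fetch` is injectable so the check can run against a stored response."""
    prefix, suffix = split_hash(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed excerpt of a range response for prefix 5BAA6 (SHA-1 of
# "password" starts 5BAA61E4...). The count figures and the suffixes other
# than the first are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2",
        "003D68EB55068C33ACE09247EE4C639306B:1",
    ]),
}


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed excerpt."""
    return SAMPLE_RANGES.get(prefix, "")
```

`pwned_count("password", fetch=offline_fetch)` returns the constructed count for the well-known password; swap in the default `fetch_range` for a live answer. A non-zero result for a password you still use anywhere means it belongs in a cracking dictionary already and should be changed, whatever its length.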

Microsoft Account Recovery Plan

If you forget your password and don’t have a copy stored in a safe place, or if you lose access to the device used for two-factor authentication, you need an alternative way to get into your Microsoft account, such as a recovery code, a recovery phone number, or a recovery email address.

You must know what options exist to recover a Microsoft account and ensure they are set up and ready to use when needed.

Microsoft Account Recovery Code Generation and Safe Storage

If you cannot access your Microsoft account because you have forgotten your password or for other reasons, you can use the recovery code you wisely created and safely stored for such eventuality.

But make sure to store the recovery code safely. Because if someone with malicious intentions gets access to it, your Microsoft account may be compromised.


Microsoft Account Recovery Phone Number

Having a phone number linked to your Microsoft account allows you to ‘Reset a forgotten Microsoft account password‘:

Account Verification: When you forget your password or encounter issues accessing your Microsoft account, having a linked phone number allows you to receive verification codes via SMS. This code is a crucial step in password recovery, confirming that you are the legitimate account owner.

Recovery in Emergency Situations: In emergencies where you need urgent access to your account, having a linked phone number allows for a quicker recovery. This is especially important if you rely on the account every day.

Microsoft Account Recovery Email

Because you may lose access to your recovery phone number, it is wise also to add an alternate email address that can be used to recover your Microsoft account in case you have access problems.

Microsoft Account Inheritance Plan

If the value of your Microsoft account is high, you may want to consider passing that value on to your loved ones. After all, it would be a pity if all that value were lost because something unexpected happened to you.

Inventory Your Microsoft-Linked Accounts:

– List all online platforms linked to your Microsoft account.

– Include details about associated accounts like YouTube.

Secure Access Information:

– Store your Microsoft account credentials securely.

Designate a Microsoft Account Executor:

– Appoint a trusted person to manage your Microsoft-related digital assets.

– Provide clear instructions on managing YouTube channels, …

Include Microsoft Assets in Legal Documents:

– Update your will to mention your Microsoft account and associated assets explicitly.

– Clearly state your digital executor’s responsibilities regarding Microsoft-related platforms.

Protect Sensitive Microsoft Information:

– Encrypt sensitive files and documents linked to your Microsoft account.

– Share decryption keys or passwords securely.

Regularly Update Your Microsoft Account Plan:

– Review and update access information and preferences regularly.

– Keep your digital executor informed of any changes or updates.

Communication with Loved Ones:

– Inform your loved ones about your Microsoft account plan.

– Share details with the designated digital executor regarding your online presence and monetization strategies.

Backup Important Microsoft Data:

– Regularly back up important files, especially those related to your Microsoft account.

– Specify where backups are stored and how they can be accessed.


Microsoft Account Hacked - What To Do Next

If adequate security and safety measures have been taken, there is very little chance of suffering a Microsoft account hack. 

However, knowing what steps to take if a Microsoft account becomes compromised is always good.

Scenario 1 : Victim Still Has Access to the Account

Immediate Password Change:

– Change your account password immediately to secure it from any ongoing unauthorized access.

Enable Two-Factor Authentication (2FA):

– Activate 2FA to add an extra layer of security, preventing unauthorized logins even if the password is compromised.

Review Account Activity:

– Regularly monitor your account activity for suspicious logins, unfamiliar devices, or activities. Check the ‘What is the Recent activity page?‘ page for detailed information.


Revoke Access to Suspicious Apps:

– Review and revoke access for any third-party apps or services connected to your account, especially those you don’t recognize.

Update Recovery Information:

– Ensure your recovery email address and phone number are up-to-date. This information is vital for account recovery if needed.

Check for Phishing Attempts:

– Stay vigilant against phishing attempts. Verify the legitimacy of emails or messages related to your account and avoid clicking on suspicious links.


Scenario 2 : Victim Does Not Have Access to the Account

Account Recovery:

– Initiate the account recovery process through the page ‘How to recover a hacked or compromised Microsoft account‘.

Verify Identity:

– Follow the verification steps to confirm your identity. This may involve providing information associated with the account.

Change Password Upon Regaining Access:

– Once you regain access, change your password immediately to prevent further unauthorized activities.

Enable Two-Factor Authentication:

– Activate 2FA to secure your account and minimize the risk of future unauthorized logins.

Review and Secure Account:

– Conduct a thorough review of your account settings, including connected devices and third-party app access. Secure your account with updated information.

Check for Phishing or Malicious Activity:

– Examine your emails and messages for potential phishing attempts. Avoid interacting with suspicious links or requests.

Educate Yourself:

– Stay informed about Microsoft’s security features, and educate yourself on best practices to prevent future security breaches.
