Password-hacking attacks are on the rise. Here's how to stop your accounts from being stolen

Passwords are a common target for hackers, but many of us still aren't doing the basics to help protect our accounts. Here's what to do.
Written by Danny Palmer, Senior Writer

Cyber crooks are making almost 1,000 attempts to hack account passwords every single second – and they're more determined than ever, with the number of attacks on the rise.

The figures come from Microsoft's Digital Defense Report 2022 and are based on analysis of trillions of alerts and signals collected from the company's worldwide ecosystem of products and services.  

It warns that cyberattacks are on the rise, with account passwords still very much the main target of hackers – particularly as many accounts are vulnerable because they lack any additional layers of protection beyond the password itself to help keep them secure. 

According to Microsoft, the volume of password-based attacks has risen to an estimated 921 attacks every second – representing a 74% increase in just one year for what's the primary method through which accounts are compromised. 


Attacks against passwords include brute force attacks attempting to crack simple or common passwords, attackers attempting to use leaked usernames and passwords to access other accounts owned by the victim, and phishing attacks designed to dupe victims into handing over their login credentials. 

The report suggests that 90% of accounts that get hacked aren't protected by 'strong authentication' – meaning that the vast majority of accounts that get breached only have one layer of protection as opposed to having an additional layer of multi-factor authentication (MFA) for added verification. 

But according to figures from Microsoft, the number of accounts protected by MFA remains low, even for administrator accounts, with under one in three protected with an additional layer of authentication – although the number of accounts protected in this way is slowly rising. 

Nonetheless, while there's been an increase in accounts with additional layers of protection, many remain vulnerable to attackers who can exploit compromised accounts to conduct harmful activity, including stealing sensitive data, conducting business email compromise attacks, deploying malware, launching ransomware attacks, and more.

"Many cyberattacks are successful simply because basic security hygiene has not been followed," said Microsoft – and the company urges organizations and users to apply minimum standards to help protect accounts as even basic security hygiene still protects against 98% of attacks.    

This includes protecting accounts with MFA, so if a password is hacked, the attacker will struggle to access the account without the user being made aware that something is wrong – although even MFA isn't infallible.

It's also recommended that zero-trust cybersecurity principles are applied across networks and devices, so it's difficult for an attacker to gain full access to systems with a single login using a compromised account.

Software, applications and operating systems should also be kept up to date with the latest security patches in order to prevent cyber attackers from exploiting known vulnerabilities to access and hide malicious activity on networks. 

And in the event of suspecting that your password has been hacked, you should change it immediately – and consider using a password manager to help ensure each of your accounts is secured with a password that's both strong and unique to help protect your data from hackers. 

