Have you been pwned? Here’s how to update your Microsoft password(s) and upgrade your security

The word ‘pwned’ (pronounced pōn’d) was more present in written works around 1800, likely because of typos due to the proximity of “p” to “o” on keyboards. We know it in a modern context as an actual term, reclaimed by video game communities to mean utterly defeating an opponent (Dude, you got pwned!) or in cyber-security conversations meaning an unwelcome party gained ownership of your credentials through a data breach or hack.

The appearance of ‘pwned’ in written works from 1800-2008. Source: Google Books Ngram Viewer

With data breaches and hacker activity being more prevalent, it’s more important than ever to protect yourself and your information from being pwned.

Have I been pwned?

There are several free ways to find out if you’ve been included in a data breach or credential publishing.

  • HaveIBeenPwned.com lets you enter your email address to see which breaches you were discovered in (if any)
  • CreditKarma.com has identity monitoring for the email address you used to register. It’s a free service, and will tell you if your email address surfaced in any breaches or credential leaks and any associated passwords. Go to Resources –> Identity Monitoring
  • LastPass.com’s Security Score will show you specifically which sites have been compromised so that you can change those specific passwords. It’ll also help you fix the “duplicate password” issue where you use the same password for everything AKA one data breach gives bad actors access to all your stuff.

What’s a secure password?

UseAPassPhrase.com demonstrates that pass phrases (not passwords) are significantly more secure than traditional abc123! type passwords. The site will tell you how long it would take hackers to figure out (crack) your password using bots.

  • The typical password requirements you’ll find might have you make a password like ‘sPlib197!’ which will only take 149 days to crack.
  • While phrases are generally more secure, you have to be careful to select a phrase that is NOT logical in structure. For example, a logical sentence like ‘I love kitties!’ would take 18 days to crack. But illogical collections of words like ‘stopping plots argument received’ would take 467,000 centuries to crack. Throw in a capital letter and a special character and you’re set for a few lifetimes.
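The point about illogical word collections, shown as an added example (this code is not from the original article or from UseAPassPhrase.com): the words are picked independently and at random, so knowing grammar does not help an attacker. The word list, symbol set and function names are assumptions made for illustration, and the 32-word list is constructed and far too small for real use.

```python
import math
import secrets

# Constructed 32-word sample list so the example runs offline. Real use needs
# a large published list (thousands of words); this one is far too small.
WORDS = ("stopping plots argument received lantern gravel orbit velvet "
         "pickle thunder marble canyon whisper ladder copper meadow "
         "anchor bishop cradle dagger ember falcon goblet harbor "
         "icicle jungle kettle magnet nectar oyster puzzle quiver").split()
SYMBOLS = "!@#$%^&*"  # assumed symbol set


def generate(n_words=4, words=WORDS, decorate=True):
    """Pick words independently and uniformly at random (no sentence structure)."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    # secrets draws from the OS CSPRNG; the random module is not suitable here.
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if decorate:
        # Capitalise one randomly chosen word and append one random symbol.
        i = secrets.randbelow(n_words)
        chosen[i] = chosen[i].capitalize()
        return " ".join(chosen) + secrets.choice(SYMBOLS)
    return " ".join(chosen)


def entropy_bits(n_words, list_size, decorate=True):
    """Bits of entropy against an attacker who knows the scheme and the list."""
    bits = n_words * math.log2(list_size)
    if decorate:
        # Position of the capital plus the choice of symbol.
        bits += math.log2(n_words) + math.log2(len(SYMBOLS))
    return bits


if __name__ == "__main__":
    print(generate())
    print(f"{entropy_bits(4, len(WORDS)):.1f} bits with this sample list")
    print(f"{entropy_bits(4, 7776):.1f} bits with a 7776-word list")
```

The entropy figure only holds when the words are chosen by the generator; a phrase you pick yourself from memory is more predictable than the calculation assumes.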

How to update your Microsoft passwords

Personal accounts

1. Log in at account.microsoft.com

2. Click on Security

3. Click Change Password and follow prompts

Work or school accounts

Note: Your organization may have a different method for updating your password. This is the general, out-of-the-box update method:

1. Go to portal.office.com/account/

2. Click on “Security & Privacy” then “Password”

3. Follow prompts

Upgrade your security (enable two-factor authentication)

Two-step, or multi-factor, authentication helps guarantee it’s actually you logging into one of your sites. You’ll find this security option on all kinds of services including Google (Gmail), Microsoft (Outlook), and your banking sites. I highly recommend setting this up on every site you’re able to.

What is it? Basically, when you attempt to log in using your credentials as usual (or someone who stole your data is attempting to log in as you), you’ll either use the Microsoft Authenticator App to approve a login from your mobile device or you’ll receive a text code to enter into a prompt to show that not only do you know your credentials, but you acknowledged the login from a phone number or mobile device you registered.

Personal accounts

1. Log in at account.live.com/proofs/manage/additional

2. Select “Set up two-step verification” (learn more about two-step verification)

3. Follow the prompts to add your device’s number as an additional layer of security

4. Return to the same URL in step 1 and click “Set up identity verification app” which will have you install the Microsoft authenticator app on your phone. When someone attempts to log in using your credentials, you’ll get a push notification to approve or reject the attempt before they’re allowed access. (learn more about using the authenticator app)

5. Follow the prompts to install and activate the app

Work or school accounts

Your administrator handles the setup of multi-factor authentication. This article does a great job of explaining how to enable it for your users.
