Have you been pwned? Here’s how to update your Microsoft password(s) and upgrade your security

The word ‘pwned’ (pronounced pōn’d) was more present in written works around 1800, likely because of typos due to the proximity of “p” to “o” on keyboards. We know it in a modern context as an actual term, reclaimed by video game communities to mean utterly defeating an opponent (Dude, you got pwned!) or, in cyber-security conversations, meaning an unwelcome party gained ownership of your credentials through a data breach or hack.

The appearance of ‘pwned’ in written works from 1800-2008. Source: Google Books Ngram Viewer

With data breaches and hacker activity being more prevalent, it’s more important than ever to protect yourself and your information from being pwned.

Have I been pwned?

There are several free ways to find out if you’ve been included in a data breach or credential publishing.

  • HaveIBeenPwned.com lets you enter your email address to see which breaches you were discovered in (if any)
  • CreditKarma.com has identity monitoring for the email address you used to register. It’s a free service, and will tell you if your email address surfaced in any breaches or credential leaks, along with any associated passwords. Go to Resources –> Identity Monitoring
  • LastPass.com’s Security Score will show you specifically which sites have been compromised so that you can change those specific passwords. It’ll also help you fix the “duplicate password” issue, where you use the same password for everything, so that one data breach gives bad actors access to all your accounts.
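HaveIBeenPwned also offers a Pwned Passwords range API that lets you check whether a password itself appears in breach corpora without ever sending the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and compares the returned suffixes locally (k-anonymity). The example below is added here and is not code from the original post or from HaveIBeenPwned; it implements that client-side logic offline. The range response text is a constructed sample, every count in it is invented, and `offline_fetch` stands in for the HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>` that a real client would perform.

```python
import hashlib
from typing import Callable, Dict

# Real endpoint shape; only the 5-character hash prefix ever leaves the client.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample of a range response for prefix 5BAA6. SHA-1("password")
# really does begin with 5BAA6; each line is the remaining 35 hex characters
# of a SHA-1 hash, a colon, and an occurrence count. Every suffix other than
# the one belonging to "password" is invented, and all counts are invented.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "1F2D3E4A5B6C7D8E9F0A1B2C3D4E5F6A7B8:1",
    ]),
}


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str):
    """Split a 40-char SHA-1 hex digest into the 5-char prefix sent and the 35-char suffix kept local."""
    return hexdigest[:5], hexdigest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password was seen in breaches (0 if absent).

    The password never leaves this function: only the hash prefix is passed to
    fetch_range, and the suffix comparison happens locally.
    """
    prefix, suffix = split_hash(sha1_hex_upper(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTP GET of RANGE_URL.format(prefix=prefix).

    Returns the constructed sample for the one prefix it knows, and an empty
    body (no matches) for any other prefix, so the example runs without network.
    """
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "stopping plots argument received"):
        seen = check_password(candidate, offline_fetch)
        verdict = f"seen {seen:,} times in breach data" if seen else "not found in the sample range"
        print(f"{candidate!r}: {verdict}")
```

To use this against the live service, replace `offline_fetch` with a function that performs the GET on `RANGE_URL` and returns the response body; the privacy property holds because the server only ever learns the five-character prefix, which is shared by hundreds of unrelated hashes.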

What’s a secure password?

UseAPassPhrase.com demonstrates that pass phrases (not passwords) are significantly more secure than traditional abc123! type passwords. The site will tell you how long it would take hackers to figure out (crack) your password using automated guessing.

  • The typical password requirements you’ll find might have you make a password like ‘sPlib197!’ which will only take 149 days to crack.
  • While phrases are generally more secure, you have to be careful to select a phrase that is NOT logical in structure. For example, a logical sentence like ‘I love kitties!’ would take 18 days to crack. But illogical collections of words like ‘stopping plots argument received’ would take 467,000 centuries to crack. Throw in a capital letter and a special character and you’re set for a few lifetimes.
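To make the reasoning behind those crack-time estimates concrete, here is an added example (not code from the original post or from UseAPassPhrase.com) that computes the size of the search space an attacker has to cover under two models: brute force over the character classes present in the password, and a dictionary attack that treats a passphrase as a sequence of words drawn from a list. The guessing rate, the word-list sizes and the phrase-list size are assumptions chosen for the demo, so the times will not match the site’s figures; what the numbers show is why a random word sequence beats both a short symbol-laden password and a natural sentence, and why the number of words matters.

```python
import math

# Assumption for this example: an offline attacker guessing against a fast,
# unsalted hash. Real rates vary widely with the hash algorithm and hardware.
GUESSES_PER_SECOND = 1e10

# Alphabet contribution of each character class. 32 printable ASCII symbols
# are assumed; the space character is counted separately.
CHAR_CLASSES = (
    ("abcdefghijklmnopqrstuvwxyz", 26),
    ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
    ("0123456789", 10),
    ("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", 32),
)


def charset_size(password: str) -> int:
    """Alphabet an attacker must enumerate if they only know which classes appear."""
    size = sum(weight for chars, weight in CHAR_CLASSES if any(c in chars for c in password))
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Search space in bits under a pure letter-by-letter brute-force model."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, list_size: int) -> float:
    """Search space in bits when the attacker knows the phrase is word_count random words from a list."""
    return word_count * math.log2(list_size)


def phrase_bits(phrase_list_size: int, variants_per_phrase: int = 1) -> float:
    """Search space when the phrase is a common sentence the attacker can enumerate, with small tweaks."""
    return math.log2(phrase_list_size * variants_per_phrase)


def seconds_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected time: on average the secret is found halfway through the space."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that applies."""
    units = (("centuries", 3_155_760_000), ("years", 31_557_600),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Phrase-list size and number of tweaks per phrase are assumed values.
    rows = [
        ("sPlib197! (brute force)", brute_force_bits("sPlib197!")),
        ("I love kitties! (common phrase)", phrase_bits(1_000_000, 1_000)),
        ("4 random words, 7,776-word list", wordlist_bits(4, 7_776)),
        ("4 random words, 20,000-word list", wordlist_bits(4, 20_000)),
        ("6 random words, 7,776-word list", wordlist_bits(6, 7_776)),
        ("32-char phrase, brute force only", brute_force_bits("stopping plots argument received")),
    ]
    for label, bits in rows:
        print(f"{label:36s} {bits:6.1f} bits  ~{humanize(seconds_to_crack(bits))}")
```

The last row is the letter-by-letter view that produces "centuries" figures for a 32-character phrase; the rows above it show what happens when the attacker instead guesses word combinations. Under that model, four words from a small list sit roughly where the nine-character symbol password does, and it is the sixth word, or a much larger list, that pushes the estimate into centuries. That is the practical version of the caveat above: pick the words at random, and pick enough of them.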

How to update your Microsoft passwords

Personal accounts

1. Log in at account.microsoft.com

2. Click on Security

3. Click Change Password and follow prompts

Work or school accounts

Note: Your organization may have a different method for updating your password. This is the general, out-of-the-box update method:

1. Go to portal.office.com/account/

2. Click on “Security & Privacy” then “Password”

3. Follow prompts

Upgrade your security (enable two-factor authentication)

Two-step, or multi-factor, authentication helps ensure it’s actually you logging into one of your sites. You’ll find this security option on all kinds of services including Google (Gmail), Microsoft (Outlook), and your banking sites. I highly recommend setting this up on every site that offers it.

What is it? Basically, when you attempt to log in using your credentials as usual (or someone who stole your data attempts to log in as you), you’ll either use the Microsoft Authenticator app to approve the login from your mobile device or you’ll receive a text code to enter into a prompt. This shows that not only do you know your credentials, but you also acknowledged the login from a phone number or mobile device you registered.

Personal accounts

1. Log in at account.live.com/proofs/manage/additional

2. Select “Set up two-step verification” (learn more about two-step verification)

3. Follow the prompts to register your device’s phone number as an additional layer of security

4. Return to the same URL in step 1 and click “Set up identity verification app”, which will have you install the Microsoft Authenticator app on your phone. When someone attempts to log in using your credentials, you’ll get a push notification to approve or reject the attempt before they’re allowed access. (learn more about using the authenticator app)

5. Follow the prompts to install and activate the app

Work or school accounts

Your administrator handles the setup of multi-factor authentication. This article does a great job of explaining how to enable it for your users.

What’s your password security score?

Once you’ve added your passwords to LastPass, you’re able to check your “Security Score” which combines your individual passwords’ strength, your LastPass master password’s strength and your ranking compared to others.

Once it runs through all of your saved credentials, it’ll provide you with your score, your standing compared to others and your master password score:

You can improve your score by changing duplicate passwords, reviewing those that are known to have been compromised, strengthening those that are too weak, and changing those that haven’t been changed in a long time.

From the list they provide, you can auto-change passwords on some sites (it’ll generate secure passwords, update your profile on that site, and then update LastPass for you). For others, you can launch the site from within LastPass and change your password manually.

This has helped me to cut way back on my duplicate passwords and I’ve created much more secure, and unique, passwords using LastPass. Start with a free trial, and after that it’s only $2/month. Well worth it in my opinion.

Also, if you’re using other solutions to store passwords, I’d recommend cutting back and choosing one central (and encrypted) solution. The more you multiply your passwords across various services that you use on multiple devices and networks, the more you increase your risk of being hacked.

Read more about how I deleted synced passwords from Google.

Forget my password, Google!

After having my identity stolen a couple weeks ago by someone who went on a Twitch spree, I decided to get more serious about my password security.

Having a Google Pixel XL, it was easy to say “yes” every time I was prompted to save a password. And being a Chrome user, I only kept adding to the Google vault. In no time, I had saved 200 passwords.

I’m not saying anything here about Google’s security (I can only assume it’s sufficient), but I am saying you should consider the number of times you perform the “save my password” action. Multiply it a few times (Google, Edge, IE, Chrome, Norton, etc.), acknowledge that those vaults are then shared across devices, and those devices are used on several wireless networks where we don’t necessarily control security.

Also – if you repeatedly use the same password, your risk goes up exponentially. Suddenly a breach of one password is access to any number of services.

Assess your regular risk

Multiply your devices by the number of password storage solutions and then again by the number of internet access points you use, and you’ll see the level of risk with which you regularly work. Imagine adding the number of passwords you’ve saved into this equation.

So safe or not, having multiple tools doing the same thing on multiple wireless networks makes no sense and increases risk simply by multiplying the amount of credentials you have stored across the virtual globe and being accessed while at, say, Starbucks.

So my cleanup began. I decided to sign up for a trial of LastPass which I had heard a lot about, and that trial turned into a subscription. I love it and won’t be turning back. Then I set to work removing password storage from all other services. Follow these directions to have Google forget your passwords so you can also consolidate your credential storage to a single source and be more secure.

From LastPass.com

To improve your security and start trimming down your exposure opportunities specific to Google, you can:

  • Delete individual passwords one-by-one (gives you a chance to see them and save elsewhere if needed)
  • Delete all synced data stored by Google including passwords
  • Delete data from individual Chrome browsers

Delete individual passwords synced across all devices

(not specific to one device’s browser)

  1. Log in to passwords.google.com and click “See options”
  2. Toggle off the “offer to save passwords” and “auto sign-in” options
  3. Select one, optionally show and save the password elsewhere, then Delete and OK

Delete ALL synced data from Google servers

(doesn’t delete from individual devices)

This includes:

  • Apps
  • Extensions
  • Settings
  • Autofill
  • History
  • Themes
  • Bookmarks
  • Passwords
  • Open Tabs

Please note this only stops the sync, but doesn’t delete from individual devices. After this you’ll need to make sure you also 

  1. Log in to chrome.google.com/sync
  2. Scroll to the bottom and click “Reset sync”
  3. Click OK

Delete browsing and saved data from individual Chrome browsers

This isn’t unlike clearing any browser’s history. It’s a good practice to clear browser history regularly on all browsers.

  1. In Chrome, go to chrome://settings/clearBrowserData
    (or click the ellipsis menu in the upper right of Chrome –> More tools –> Clear browsing data)
  2. Click the “Advanced” tab
  3. Change time range to “All time”
  4. Check all boxes
  5. Clear data