This blog post delves into the processes and technologies involved in managing a mass password reset, in alignment with expert advice from Microsoft Incident Response. We’ll explore the necessity of mass password resets and the specific methods and security measures that Microsoft recommends to effectively safeguard identities. For a more technical explanation, read our Tech Community post.
According to the most recent Microsoft Digital Defense Report, password-based attacks in 2023 increased tenfold over the previous year, with Microsoft blocking about 4,000 attacks per second through Microsoft Entra. This alarming rise underscores the vulnerability of password-dependent security systems. Despite this, too many companies haven’t adopted multifactor authentication, leaving them vulnerable to a variety of cyberattacks, such as phishing, credential stuffing, and brute force attacks. This makes a mass password reset not just a precaution, but a necessity in certain situations.
Deciding on a mass password reset
When the Microsoft Incident Response team identifies that a threat actor has extensively accessed a customer's identity system, a widespread password reset may be necessary to re-establish security and prevent further unauthorized access. Initially, we ask the following questions:
- When should you perform a mass password reset?
- What challenges might you face during the process?
- How should you prepare for it?
How to manage a mass password reset effectively
In today's world, many of us work from various locations, merging home and office environments. This diversity makes conducting a mass password reset particularly challenging, and the decision isn't always straightforward. Organisations must balance the risk of ransomware and downtime against the disruption to users and the significant strain on IT staff. Here are the two main reasons for mass password resets, along with advanced security measures that a cybersecurity team can implement.
User-driven resets
Using Microsoft Entra ID capabilities allows users to change their credentials at their next login. Opting for Microsoft Entra ID can also enhance security through features like Conditional Access, making the reset process both secure and user-friendly. Conditional Access policies evaluate the context of each sign-in attempt, enabling you to configure requirements based on that context—such as requiring users to complete multifactor authentication challenges if they are accessing files from outside the corporate network. Conditional Access policies can significantly enhance security by preventing unauthorised access during the reset process.
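The Conditional Access behaviour described above, as an added example that is not code from the original post: a policy that requires multifactor authentication for every user signing in from outside the tenant's trusted named locations, created with the Microsoft Graph PowerShell SDK. The policy starts in report-only mode so its impact on the reset can be reviewed before enforcement; the emergency access account object IDs are placeholders you must replace, and an existing set of trusted named locations is assumed.

```powershell
# Added example (not from the original post): Conditional Access policy requiring MFA
# outside trusted named locations. Assumes the Microsoft.Graph PowerShell SDK is installed
# and that trusted named locations are already defined in the tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: object IDs of the emergency access (break-glass) accounts.
# They are excluded so a misconfigured policy cannot lock administrators out mid-reset.
$breakGlassAccountIds = @("<object-id-of-emergency-account-1>", "<object-id-of-emergency-account-2>")

$policy = @{
    displayName = "Require MFA outside trusted locations (mass password reset)"
    # Report-only first: sign-in logs show what the policy would have done, nothing is blocked.
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassAccountIds
        }
        applications = @{ includeApplications = @("All") }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")          # corporate network / trusted IP ranges
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the sign-in logs for a day or two, then switch `state` to `enabled`; keep the emergency access accounts excluded from every Conditional Access policy.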
Administrator-driven resets: Administrator-driven resets are crucial for immediate action, even if they disrupt user access temporarily. Offering self-service password reset (SSPR) options, such as using personal email addresses or security questions, allows users to regain access swiftly. This not only restores access quickly but also reduces the burden on support teams during critical recovery phases. Implementing multifactor authentication can significantly enhance cybersecurity by adding an extra layer of protection beyond passwords.
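The user-driven and administrator-driven resets from the two sections above, as an added example that is not code from the original post: for each account in a list, the script marks the password as expired so the user must set a new one at next sign-in, then revokes the account's existing refresh tokens so that any session a threat actor already holds does not outlive the reset. It assumes the Microsoft Graph PowerShell SDK; the CSV file name and its `UserPrincipalName` column are assumptions, and `-DryRun` lets you check the list before any change is made.

```powershell
# Added example (not from the original post): force password change at next sign-in
# and revoke refresh tokens for a list of users. Assumes the Microsoft.Graph SDK.
param(
    [string]$UserListCsv = ".\users-to-reset.csv",   # assumed: one column named UserPrincipalName
    [switch]$DryRun
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

$users = Import-Csv -Path $UserListCsv
$results = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    try {
        if ($DryRun) {
            [pscustomobject]@{ User = $upn; Status = "DryRun" }
            continue
        }
        # Expire the current password: the user is prompted for a new one at next sign-in.
        Update-MgUser -UserId $upn -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
        # Invalidate refresh tokens so cached sessions on every device must re-authenticate.
        Revoke-MgUserSignInSession -UserId $upn | Out-Null
        [pscustomobject]@{ User = $upn; Status = "Reset" }
    } catch {
        # Record failures instead of stopping; the list is reviewed after the run.
        [pscustomobject]@{ User = $upn; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Keep a record for the incident timeline and for the support team handling lockouts.
$results | Export-Csv -Path ".\reset-results.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it once with `-DryRun` to confirm the user list, and keep emergency access accounts out of the CSV; those are reset manually, as the next sections describe.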
Advanced security measures: Beyond basic resets: Besides primary reset methods, implementing advanced security measures is crucial to further enhance security. For highly privileged accounts, utilising privileged identity management (PIM) can mitigate risks by providing just-in-time access. PIM offers precise control over privileged accounts, enabling administrators to activate them only when needed, thereby reducing opportunities for attackers to misuse these high-level credentials.
Securing emergency access: Don’t forget to monitor: For critical accounts, manually resetting credentials enhances security. Emergency access accounts should use phishing-resistant authentication methods like FIDO2 security keys and support from the Microsoft Authenticator app. Monitoring these accounts closely is essential to verify their proper emergency use. IT admins can utilise Microsoft Entra ID logs to track login patterns and activities, receiving real-time alerts and promptly responding to any suspicious actions.
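The monitoring step above, as an added example that is not code from the original post: a check that pulls the last seven days of Entra ID sign-in log entries for the emergency access accounts and reports every one, successful or failed, because these accounts should see no sign-ins outside a declared emergency. It assumes the Microsoft Graph PowerShell SDK (Reports module); the account names are placeholders.

```powershell
# Added example (not from the original post): review recent sign-ins of emergency access
# (break-glass) accounts from the Entra ID sign-in log. Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Placeholders: replace with the tenant's real emergency access account UPNs.
$emergencyAccounts = @("breakglass1@contoso.example", "breakglass2@contoso.example")
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

foreach ($upn in $emergencyAccounts) {
    $filter  = "userPrincipalName eq '$upn' and createdDateTime ge $since"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -All

    if (-not $signIns) {
        Write-Host "$upn : no sign-ins in the last 7 days (expected for a break-glass account)"
        continue
    }

    foreach ($s in $signIns) {
        $status = if ($s.Status.ErrorCode -eq 0) { "SUCCESS" } else { "FAILED($($s.Status.ErrorCode))" }
        # Every sign-in here needs a matching incident record; anything else is a finding.
        Write-Warning ("{0} {1} {2} from {3} ({4}) app={5} authReq={6}" -f
            $s.CreatedDateTime, $upn, $status, $s.IpAddress, $s.Location.CountryOrRegion,
            $s.AppDisplayName, $s.AuthenticationRequirement)
    }
}
```

Schedule the check alongside a real-time alert on the same accounts; the `AuthenticationRequirement` field lets you confirm the sign-in used the phishing-resistant method the account is meant to use.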
Resources:
- Learn more about Microsoft Incident Response and Microsoft Entra.
- Read the Microsoft Tech Community technical post.