this post was submitted on 17 Feb 2024
137 points (96.6% liked)

techsupport

2455 readers
7 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 1 year ago
MODERATORS
 

Like the title says, I’ve got yesterday an email with a code to access my Microsoft account and that made me suspicious because I wasn’t trying to login to my account. When I looked at the login attempts I saw that someone else was trying to access my account, I changed my password, activated TFA. Thinking of going through and buying a physical key like yubico to further secure my account. Any tips are appreciated.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 18 points 8 months ago (4 children)

Happened to me too yesterday. Gave me a big bump to my evening plans. Luckily I too have 2fa activated via 2 different systems {SMS AND second Mail address). They cracked my randomly generated password - which doesn't surprise me that much, brute force cracker are pretty effective nowadays.

What bums me is that I used this as an argument to teach a friend but he just used the same ol' reliable "naah, I'm too lazy". Can't change him, just told him to think about using 2fa everywhere money is involved. The rest is up to him.

What's also pretty bad from MS is that yes you can use several different mailadresses but no you can't prevent that all of them can be used as login. One is compromised but also used for mail traffic so I can't just delete it. But also can't prevent it from logging in to the account. Thanks MS..

[–] [email protected] 45 points 8 months ago (2 children)

They cracked my randomly generated password - which doesn't surprise me that much, brute force cracker are pretty effective nowadays.

I'm actually surprised that it'd be feasible to use a brute force approach to gain access to an online account. I would expect them to hit some kind of rate-limiting long before they'd find the correct password

[–] [email protected] 15 points 8 months ago* (last edited 8 months ago)

Brute force attacks are usually done offline, where the attacker somehow gets a copy of a database of hashed passwords and they can take as many attempts as they want locally before they get a hit and can try it online.

[–] [email protected] 3 points 8 months ago

Looking at my history, they're hours or a day apart. Probably no chance of getting into any halfway decent password that way, but if they can automate it with thousands of different email addresses, eventually they'd get an account with a weak password and get in.

[–] [email protected] 10 points 8 months ago

I appreciate when commenters end their first paragraph with bullshit so you don’t have to read any farther. I’d love to hear how you think they cracked your randomly generated password via brute force against Microsoft.

[–] [email protected] 8 points 8 months ago* (last edited 8 months ago) (2 children)

Hey so you actually can make it so an email address doesn't log into the account, it's how I stopped one particularly persistent hacking attempt when they finally managed to crack my password but were stopped by 2fa. Go to your profile > account info > sign in preferences, then as long as you have an alias email on the account you can deselect ones that you don't want to be able to be used as a log-in.

[–] [email protected] 3 points 8 months ago

With Microsoft I couldnt figure out how to enable 2fa against minecraft. Seems they do not have 2fa of any kind there and that is linked to your microsoft account. I guess the permissions there are just for minecraft, but if I was a betting man, I would venture there is a big hole there.

[–] [email protected] 0 points 8 months ago

Oh, really?! Okay gonna try that, thanks for the Tipp!

[–] [email protected] 4 points 8 months ago (1 children)

What kind of randomly generated password did you have that was crackable? I usually use 30 characters completely random string. If that’s crackable, maybe I need to rethink things.

[–] [email protected] 1 points 8 months ago

Stupidly just 12 random characters. I was too naive and hoped that'll be it.