{"id":134598,"date":"2024-06-12T09:00:00","date_gmt":"2024-06-12T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=134598"},"modified":"2024-06-10T10:24:06","modified_gmt":"2024-06-10T17:24:06","slug":"microsoft-incident-response-tips-for-managing-a-mass-password-reset","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/06\/12\/microsoft-incident-response-tips-for-managing-a-mass-password-reset\/","title":{"rendered":"Microsoft Incident Response tips for managing a mass password reset"},"content":{"rendered":"

As part of any robust incident response plan, organizations often work through potential security weaknesses by responding to hypothetical cyberthreats. In this blog post, we’ll imagine a scenario in which a threat actor uses malware to infect the network, moving laterally throughout the environment and attempting to escalate their admin rights along the way. In this hypothetical scenario, we’ll assume containment of the incident requires a mass password reset.

Despite technological advances, many organizations still depend heavily on passwords, making them vulnerable to cyberthreats. During a ransomware attack, the need for mass password resets becomes urgent. Unfortunately, admins can quickly become overwhelmed, burdened with the daunting task of resetting passwords for countless users across multiple connected devices. The surge in help desk calls and service tickets as users face authentication issues on multiple fronts can significantly disrupt business operations. But it’s imperative to secure all digital access points to swiftly mitigate risks and restore system integrity. So how do we manage a mass password reset while minimizing disruption to users and the business?

This blog post delves into the processes and technologies involved in managing a mass password reset, in alignment with expert advice from Microsoft Incident Response. We’ll explore the necessity of mass password resets and the specific methods and security measures that Microsoft recommends to effectively safeguard identities. For a more technical explanation, read our Tech Community post.

Surge in password-based cyberattacks

According to the most recent Microsoft Digital Defense Report, password-based attacks in 2023 increased tenfold over the previous year, with Microsoft blocking about 4,000 attacks per second through Microsoft Entra.¹ This alarming rise underscores the vulnerability of password-dependent security systems. Despite this, too many companies haven’t adopted multifactor authentication, leaving them vulnerable to a variety of cyberattacks, such as phishing, credential stuffing, and brute force attacks. This makes a mass password reset not just a precaution, but a necessity in certain situations.

Deciding on a mass password reset

When the Microsoft Incident Response team determines a threat actor has had extensive access to a customer’s identity plane, a mass password reset may be the best option to restore environment security and prevent unauthorized access. Here are a few of the first questions we ask: