WinnCad Elements Blog: No more '123456' passwords for Hotmail users

Scratch "123456" and "password" as your Hotmail password choices. They're not going to work anymore, says Microsoft, which says it is going to forbid users of the email program from choosing such passwords in an attempt to bolster security.

"We will now prevent our customers from using one of several common passwords" to prevent email accounts from being hijacked, wrote Dick Craddock, Hotmail group program manager, on a Microsoft blog.

"Having a common password makes your account vulnerable to brute force 'dictionary' attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). Of course, Hotmail has built-in defenses against standard dictionary attacks, but when someone can guess your password in just a few tries, it hardly constitutes 'brute force.' " (Msnbc.com is a joint venture of Microsoft and NBC Universal.)

Craddock said common passwords "are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants.' "

Hotmail's new password feature will be "rolling out soon," he said. And, if "you're already using a common password, you may, at some point in the future, be asked to change it to a stronger password." (For other password tips, read ESET researcher Paul Laudanski's blog, "No chocolates for my passwords please!")

Microsoft

The change is needed, because account hijacking is a "big problem," Craddock said. Weak passwords are part of the issue; another is when a user's account is hijacked, "their friends often find out before they do, because the hijacker uses their account to send spam or phishing email to all their contacts."

And if you wind up getting such an email from someone who has hijacked a friend or contact's email, you may let them know directly, but Hotmail now is also making it easier for you to report it directly to Hotmail, by adding a "My friend's been hacked" option on the drop-down, "Mark As" menu.

"You can also report an account as compromised when you mark a message as junk or otherwise move a message to the Junk folder," Craddock wrote.

If you report a friend's account has been compromised, Hotmail "takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked," he said. "It turns out that the report that comes from you can be one of the strongest 'signals' to the detection engine, since you may be the first to notice the compromise. So, when you help out this way, it makes a big difference."

"What's especially warming about this initiative is that it's not just a Hotmail to Hotmail thing," wrote Sophos Security's Graham Cluley. "Hotmail is also sharing these notifications with Gmail and Yahoo, which means that you could still be helping a hacked friend even if they don't also use Hotmail. Let's hope we see other web email providers follow Hotmail's lead and offer similar ways for their own users to report possible account compromises."

Once a Hotmail account is marked as compromised, it can no longer be used by a spammer. That's the good news. The less-good news is that the real account-user is "put through an account recovery flow that helps them "take back control of the account," Craddock said.

Hotmail also would like users to provide "proofs," which include "an alternate email address, a question and secret answer, and, even a mobile number where we can reach you via text message."

To learn more about account proofs, check here.
All of this can be a time-consuming and annoying process. But it's far less annoying than having your account hijacked.

Hotmail Hack 2010