July 16, 2011

Hotmail To Require Stronger Passwords

Hotmail users are going to have to be a little more creative when it comes to choosing their passwords, as Microsoft is getting set to ban easy-to-remember, easy-to-crack passwords such as "123456" and "password", according to various media reports on Friday.

According to a July 14 blog post, Dick Craddock, the Group Program Manager for Hotmail, said that the webmail service was prohibiting customers from using "one of several common passwords," including the two mentioned above and other common words or phrases like "ilovecats" and "gogiants" as well.

"Having a common password makes your account vulnerable to brute force 'dictionary' attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords)," he wrote, noting that while Hotmail "has built-in defenses against standard dictionary attacks … when someone can guess your password in just a few tries, it hardly constitutes 'brute force!'"

The new security measure will be coming soon, according to Craddock. Not only will it prevent new users from selecting one of the flagged passwords when they sign up, but it will also require current Hotmail users who have a common password to change it to something more difficult for hackers to crack.

According to Christopher Williams, Technology Correspondent at the Telegraph, "Strong passwords are long and include a mixture of upper and lower case letters, numbers and other characters. They should not be based on dictionary words or personal information such as birthdays."
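As an added illustration (not Microsoft's code, which was never published), the two checks the article describes in one small policy module: a common-password blocklist that also folds trivial variants such as capitalisation, leet substitutions and a trailing year, applied to new signups and, at login, to existing accounts, together with the strength rules Williams lists. The blocklist entries beyond the four the article names, the 12-character minimum, the "three of four character classes" rule and the personal-information check are assumptions.

```python
import re

# Constructed blocklist: the four passwords the article names plus a few more.
# A real deployment would use a much larger, breach-derived list (assumption).
COMMON_PASSWORDS = {
    "123456", "password", "ilovecats", "gogiants",
    "qwerty", "letmein", "abc123", "iloveyou",
}

# Leet substitutions that attacker dictionaries routinely include, folded back
# before comparison so "p@ssw0rd" is caught as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def is_common(pw: str) -> bool:
    """True if the password, or a trivial variant of it, is on the blocklist."""
    lowered = pw.lower()
    # Drop a trailing run of digits/punctuation ("gogiants2011" -> "gogiants"),
    # but keep the original if that would empty it ("123456").
    stripped = re.sub(r"[^a-z]+$", "", lowered) or lowered
    candidates = (lowered, stripped, stripped.translate(_LEET))
    return any(c in COMMON_PASSWORDS for c in candidates)


def check_password(pw: str, personal_info=()) -> list:
    """Signup-time policy. Returns the list of violations; empty means accepted.
    Thresholds (12 chars, 3 of 4 classes) are assumptions; the article only
    says "long" with a mixture of upper/lower case, digits and other characters."""
    problems = []
    if is_common(pw):
        problems.append("matches a common password (or a trivial variant of one)")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    lowered = pw.lower()
    for item in personal_info:           # e.g. a birth year (hypothetical input)
        if len(item) >= 4 and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


def needs_reset_at_login(pw: str) -> bool:
    """Existing accounts are only forced to change when the current password is
    on the common list. Servers store hashes, not passwords, so this check has
    to run at login, the one moment the plaintext is briefly available."""
    return is_common(pw)
```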

Another security measure announced by Craddock this week is a new feature that will allow Hotmail users to easily report if and when they believe one of their friends' accounts has been hacked, resulting in the receipt of spam emails or possible malware. By clicking the new "My friend's been hacked!" button, located under the "Mark As" menu, you can flag the account, which Hotmail will use "to determine if the account in question has in fact been hijacked."

"It turns out that the report that comes from you can be one of the strongest 'signals' to the detection engine, since you may be the first to notice the compromise. So, when you help out this way, it makes a big difference!" Craddock wrote, adding that once the account is marked as compromised, the spammer will no longer have access to it and the next time the actual user logs in, they will be "put through an account recovery flow that helps them take back control of the account."

"What's especially warming about this initiative is that it's not just a Hotmail to Hotmail thing," MSNBC.com's Suzanne Choney quotes Graham Cluley of Sophos Security as writing. "Hotmail is also sharing these notifications with Gmail and Yahoo, which means that you could still be helping a hacked friend even if they don't also use Hotmail. Let's hope we see other web email providers follow Hotmail's lead and offer similar ways for their own users to report possible account compromises."
