Microsoft Windows Live Hotmail is introducing a new security feature that I personally feel should be used on every Website and Web app by default – banning weak passwords (those that can be easily guessed). “password”, “123456”, “ilovecats” and “god” are perfect examples. I understand that Redmond will be prompting users to change a weak password in the future, so if you want a weak, unsafe Hotmail account, now is the time to create one! Only joking…
So what is Microsoft going to do? Microsoft will only prevent new Hotmail users and people changing their login details from using weak passwords. Microsoft has also added a smart Hotmail tool that lets users tell Microsoft when a friend’s account might have been hacked. The feature is called “My friend has been hacked” – I don’t think Gmail or Yahoo! provide this feature right now.
TIP: Don’t use the same password for multiple Websites or Web apps 🙁
Where to look – Look at the “mark as” menu in Hotmail, which now contains a “My friend has been hacked” classification, similar to “Mark as spam”. When a user reports that a friend may have been hacked, it sends an alert to Microsoft, and their detection engine then runs a scan of the account and begins the automatic recovery process so that the original Hotmail owner can take back control of their account. Some say this might be too late and the ‘hacked’ account’s user may already have moved to another Web email service, such as Gmail. Possible. But I really like the thinking behind this security feature – it makes the process more proactive than reactive.
Why you should be worried – Brute-force dictionary, pattern-checking and word-list substitution password attacks are commonplace among the cracking fraternity (this is basic stuff for crackers). The brute-force technique, which uses a software program (script), is about one thing: guessing the password, using a short list of common passwords. It takes a matter of seconds to crack a weak password using the techniques listed above. 🙁
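As an added illustration (not Microsoft's or Hotmail's code; the blocklist contents and the 8-character minimum are assumptions), here is the kind of server-side check that enforces a weak-password ban like the one described above: it rejects passwords on a common-password list, including dictionary words disguised by the character substitutions and numeric suffixes that word-list attacks try.

```python
import re

# Constructed sample blocklist, seeded with the examples from the post; a real
# deployment would load a large list of known-common passwords instead.
COMMON_PASSWORDS = {"password", "123456", "ilovecats", "god", "qwerty", "letmein"}

# Letter-for-symbol substitutions that word-list attacks try; applied in
# reverse so that "p@ssw0rd" is recognised as the dictionary word behind it.
SUBSTITUTIONS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                               "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8  # assumed policy value, not one stated in the post


def normalise(password: str) -> str:
    """Reduce a candidate to the dictionary stem an attacker's rules would
    build it from: drop a trailing run of digits/punctuation, lower-case,
    then undo the common substitutions."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return stripped.lower().translate(SUBSTITUTIONS)


def check_password(password: str, blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason); reason is None when the password passes."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if lowered in blocklist:
        return False, "is a commonly used password"
    if normalise(password) in blocklist:
        return False, "is a common password disguised by substitutions or a suffix"
    if re.fullmatch(r"\d+", password) or re.fullmatch(r"(.)\1+", lowered):
        return False, "is all digits or a single repeated character"
    return True, None
```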
Microsoft have confirmed that thousands of customers who were identified as having had their accounts hacked have now reclaimed ownership of their accounts. I do like good endings. 🙂 OK readers, solution: let’s all check our password strength right now – no excuses please!
Safe surfing folks!