Microsoft pushes out strong password rule and claims that it has collected thousands of hijacked account notifications

News by Dan Raywood

Microsoft is to change its password policy to forbid the use of particularly common passwords.

Microsoft is to change its password policy to forbid the use of particularly common passwords.

Dick Craddock, group program manager at Hotmail, said that a new feature will prevent users from using one of several common passwords, such as ‘password' or ‘123456', as well as words or phrases that just happen to be shared by millions of people, such as ‘ilovecats' or ‘gogiants'.

He said: “This new feature will be rolling out soon and will prevent you from choosing a very common password when you sign up for an account or when you change your password. If you are already using a common password, you may, at some point in the future, be asked to change it to a stronger password.

“Of course, having a strong password is just one step to protecting your account. You should also provide ‘proofs', including an alternate email address, a question and secret answer and a mobile number where we can reach you via text message.”

The rollout follows on from another new feature where users can report a friend's account as having been compromised. “When you get a spam message supposedly from your friend, you just click ‘My friend's been hacked!' on the ‘Mark as' menu. You can also report an account as compromised when you mark a message as junk or otherwise move a message to the Junk folder,” Craddock said.

“When you report that your friend's account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked.

“Once we mark the account as compromised, two things happen: the account can no longer be used by the spammer; and when your friend attempts to access their account, they're put through an account recovery flow that helps them take back control of the account.”

Craddock claimed that since the feature was released, thousands of reports of compromised accounts have been received. It has also worked with Yahoo! and Gmail to enable their users to use the reports in their own systems to recover hacked accounts.

Stephen Howes, founder and CTO of GrIDsure, told SC Magazine that he welcomed the move but said that in an effort to try and make things more secure usability is being sacrificed and security is compromised.

He said: “People are simply not capable of remembering strong passwords, the more you make something complicated the more people will find ways of making things easier for themselves. Keep it simple and people will tend to comply, make it difficult and they will find a way round it. It is human nature.

“The answer therefore is an authentication solution which gives you strength and security but keeps it simple for the end user so that he stays within the compliance threshold.”

Graham Cluley, senior technology consultant at Sophos, said: “Let's hope we see other web email providers follow Hotmail's lead and offer similar ways for their own users to report possible account compromises. After all, minutes matter if your email account has been breached. The longer an account is under the control of malicious hackers, the more harm that can be done.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews