Microsoft Bans Weak Passwords On Hotmail

Hotmail users will be prevented from using easy-to-guess passwords, to protect against dictionary attacks

Microsoft has announced it is banning Hotmail users from using common passwords, such as “password” or “123456”, that are very easy for hackers to guess.

“Having a common password makes your account vulnerable to brute force ‘dictionary’ attacks, in which a malicious person tries to hijack your account just by guessing passwords,” wrote Hotmail program manager Dick Craddock in a blog post. “Of course, Hotmail has built-in defenses against standard dictionary attacks, but when someone can guess your password in just a few tries, it hardly constitutes ‘brute force!’”

Hotmail users who are already using common passwords may, at some point in the future, be asked to change them to make them stronger, added Craddock.
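As an added illustration of the kind of check the announcement describes (not Microsoft's code), the following Python validator rejects a password if it, or a trivial variant a dictionary attack would try first, is on a denylist seeded with the common passwords named in this article; the denylist order and the lockout threshold are constructed assumptions.

```python
import re
from typing import Optional, Set

# Constructed denylist seeded with the common passwords the article names
# (Hotmail's examples and the Gawker analysis), in assumed popularity order.
# A real deployment loads a far larger list of leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "monkey", "qwerty", "consumer", "lifehack"]

# Assumed lockout threshold for the "built-in defenses" the post alludes to:
# the number of failed logins tolerated before the service throttles.
LOCKOUT_THRESHOLD = 10

# Character substitutions that dictionary rules apply, folded back so that
# "P@ssw0rd" is judged as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def variants(password: str) -> Set[str]:
    """Forms of the password a dictionary attack would also try."""
    lowered = password.lower()
    forms = set()
    for form in (lowered, lowered.translate(LEET_MAP)):
        alnum = re.sub(r"[^a-z0-9]", "", form)   # drop punctuation/spaces
        forms.add(alnum)
        forms.add(re.sub(r"\d+$", "", alnum))    # "monkey1", "qwerty2011"
    forms.discard("")
    return forms


def is_common(password: str) -> bool:
    """True if the password or a trivial variant is on the denylist."""
    return not variants(password).isdisjoint(COMMON_PASSWORDS)


def guesses_to_crack(password: str) -> Optional[int]:
    """Number of denylist guesses before this password falls, or None."""
    for i, guess in enumerate(COMMON_PASSWORDS, start=1):
        if guess in variants(password):
            return i
    return None


def evaluate(password: str) -> str:
    """Policy verdict: reject anything guessable inside the lockout budget."""
    tries = guesses_to_crack(password)
    if tries is not None and tries <= LOCKOUT_THRESHOLD:
        return f"reject: guessable in {tries} tries, inside lockout threshold"
    return "accept"
```

The point of `guesses_to_crack` is Craddock's: a lockout after a few failed attempts does nothing for a password that sits within the first few guesses.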

Increased webmail protection

The change is part of a raft of new security features designed to improve account protection for webmail users. These include a new option for Hotmail account holders to flag up when their friends’ accounts have been compromised by spammers. The “Mark as” drop-down menu now includes the option: “My friend’s been hacked!”

Microsoft is also urging Hotmail users to provide “proofs,” including an alternate email address, a question and secret answer, and even a mobile number where the company can reach them via text message.

The news follows several high-profile hacks, in which email addresses and passwords have been compromised. Analysis of the passwords compromised in the Gawker Media hack late last year found the most common to be “123456” and “password”. Other common terms included “monkey”, “qwerty”, “consumer” and “lifehack”.

Meanwhile, in April this year, hacker group LulzSec stole account information of up to 77 million users on the PlayStation Network and Qriocity. A week later the company admitted that the Sony Online Entertainment gaming service had also been breached, affecting an additional 24.6 million users.

According to security firm Sophos, 33 percent of computer users use the same password for all their online accounts, and nearly half (48 percent) have a handful of options. Only 19 percent use different passwords for every website they sign up to.

“Once one password has been compromised, it’s only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain,” warned Sophos senior technology consultant Graham Cluley in December. “Password security is becoming more important than ever. Make sure that you’re taking the issue seriously, or suffer the consequences.”

Google two-step verification

Earlier this year, Google added two-step authentication to a variety of its accounts, such as the basic Google account and its Gmail services. According to Google product manager Nishit Shah, the opt-in security feature makes Gmail accounts significantly more secure.

The two-step authentication process combines the user’s password with a code sent to a phone number the user provides. Once it is set up, users who enter their password are also prompted for the code provided by Google.