Hotmail adds account defenses (but one's Windows-only)

Microsoft upgraded the security of its Hotmail Web-mail service on Monday, adding two ways for holders of Hotmail accounts to get back into their accounts after hackers break in. That's a welcome step to address a growing problem.

But one of these account-recovery tools requires you to run Windows and install extra software from Microsoft. That's an unwelcome reminder of Microsoft's less-endearing side.

As a post on Microsoft's Windows Team Blog explained, the company recognizes that the traditional account-security techniques haven't worked well to protect consumer Web-mail accounts from compromise via phishing scams, malware, or password guessing.

John Scarrow, general manager for safety services, noted how often the standard secret-question account-recovery method fails in practice: "For example, only 25% of people with a secret question actually remembered their answer when needed." (Sometimes, an outsider can figure out the "secret" answer on their own.)

Scarrow wrote that Microsoft now automatically scans for signs of compromised accounts in their "login and account activity" and kicks out hijackers if necessary. It also requires that a user use one of the existing "proofs" on their account--for instance, providing the answer to a secret question or confirming their access to the backup e-mail address on record--before adding a new proof or changing any of the existing ones.

And Hotmail now lets users add two other ways to lock down an account.

One catches up to a longstanding feature at Gmail and Yahoo: account recovery by text message. That's a sensible addition--though it's undermined by Microsoft's failure to promise upfront that it will not use your mobile number for any purpose but account recovery. I couldn't find any such promise in its privacy policy, so check your marketing preferences afterwards.

The other security upgrade, "Trusted PC," links your Hotmail account to an individual computer. But where other sites, such as Yahoo, provide machine-specific identification using standard Web techniques, Microsoft requires you to install its Windows Live Essentials software to use this feature.

That suite of programs requires Windows XP Service Pack 2 or a newer release of Microsoft's desktop operating system--and in comments on Scarrow's post, some users complain that they get that error even though they already have Live Essentials installed.

Hotmail didn't prompt me to enable these options when I logged in; I had to look for them on a Windows Live account-overview page. To get there, log into Hotmail, click the triangle to the right of your name at the top right of the page and select Account.

Now that I've spent most of this post critiquing Microsoft's implementation of these security upgrades, I'm going to tell you to use them anyway. I've heard from too many people who lost access to their Web-mail accounts, and they all found it a thoroughly degrading experience. So, please, if you place any value on your Hotmail address, take a minute and enable those features.

Then come back here and tell me what you think of Hotmail's security these days. How much do you trust your Web-mail service to stay under your control?

By Rob Pegoraro  | September 29, 2010; 11:17 AM ET
Categories:  E-mail, Security  


Secret questions like favorite book or favorite color.....I would never remember the answer. Wish sites would let me designate my own secret question. Hotmail's "clean sweep" feature requires me to install thanks. Click the first message box, shift, click last box and...delete

Posted by: tbva | September 29, 2010 1:48 PM | Report abuse

How ironic, I just got two emails from two friends with msn accounts...both have been hijacked...sure gonna run right out and wire that $1700 to get each outta the jam in London.

Posted by: tbva | September 29, 2010 2:07 PM | Report abuse

Goodness! All what Microsoft is caring about is making a huge buck by doing what this article says. Not only that, it was the company that hired illegal immigrants. Even though I know my secret password, I still can't get in my email account. This seems to be a FRAUD!

Posted by: Conservativeguy1986 | September 29, 2010 9:38 PM | Report abuse

I learned this idea when a hacker got into one of my email accounts recently.

Fortunately at this point I am able to remember the answers to my secret questions but some of them are pretty easy to answer/guess if you are able to hack my Facebook account or another email address or whatever.

So I never use "What is your mother's maiden name?" or anything like that. I always choose something like "What is your favorite color?" I don't actually give the color though because that could be easy for a hacker to guess. I can only imagine the number of people who love green, blue, or red. Try all three and a hacker is in. Instead I say hmmm, I love the color red, so what is my favorite red thing? I love fire engines! So that's my answer. Fire engines. So far it's worked really well for me. You could do the same thing with just about any of the secret questions they give you.

Posted by: email4 | September 30, 2010 1:45 PM | Report abuse

Heh - gotta be running Windows to get back into your account.

Isn't that mostly why your account was 0wned in the first place?

If you want your account back, try something with better security than Windows.

Posted by: vdev | September 30, 2010 2:40 PM | Report abuse

© 2010 The Washington Post Company