Trove of Hotmail Passwords Posted Online

If you use Microsoft's free Hotmail service, it may be time to change your password: Microsoft said Monday that several thousand Hotmail account credentials were posted online over the weekend.

In a statement posted to its Windows Live Spaces blog, Microsoft said the company has determined that the data spill was not the result of a breach of internal Microsoft data, but rather was likely the haul from a phishing scheme.

Microsoft said it is taking measures to block access to all of the accounts that were exposed and has resources in place to help those users reclaim their accounts. Microsoft said users who believe their information was included on the illegal list (i.e., you have reason to believe you may have recently fallen for a Hotmail phishing scam) can reclaim access to their accounts by filling out this form.

October being Cyber Security Awareness Month and all, it's probably a good idea to remind readers about password best practices, particularly as they relate to Webmail accounts.

-Make sure you have set up an alternate e-mail address for your account. Most free Webmail providers, including Hotmail, Gmail and Yahoo!, offer this feature, which is usually accessible under the user account settings. This way, even if someone does manage to steal your password, you can reset it by having the "reset your password" link sent to an alternative e-mail inbox. Give that alternate inbox its own, different password; if the attacker can read it too, the reset link simply lands in their hands. This is especially useful should you find yourself in the unenviable position of having your Hotmail inbox held hostage and being subjected to extortion in order to regain access to it (see Your Money or Your E-mail).

-Avoid using your e-mail password as your password at other sites. If that other site gets hacked, not only do the attackers know your e-mail address, but they now also have your e-mail password, and the inbox is where every other site's password-reset link gets delivered. That said, many online forums require you to pick a user name and password, and I think it's generally okay to use the same password at multiple forums, provided said forums don't store personal or financial data about you and that shared password is not the one guarding your e-mail.

-Several high-profile Webmail account password compromises have succeeded because victims picked easily guessed answers for the "secret question and answer" pair that many sites use as a password reset security feature. Often, the questions request personal information that may not be terribly secret in this age of social networking and online consumer databases. If you have the choice, create your own unique question and answer. If you must pick from a preexisting list of questions, consider choosing a bogus answer that makes you laugh and has special meaning for you (you're more likely to remember a false answer this way).

-DO NOT use your user name as your password.

-Don't use easily guessed passwords, such as "password."

-Do not choose passwords based upon details that may not be as confidential as you'd expect, such as your birth date, your Social Security or phone numbers, or names of family members.

-Create unique passwords that use some combination of words, numbers, symbols, and both upper- and lowercase letters. One way to forge strong, memorable passwords is to use the first letter from each word of a favorite phrase, book or movie. For example, "The ratio of people to cake is too big," could be "Troptcitb," a fine and fun password (especially if you include the capitalization). Pick a phrase of your own rather than a famous quote; well-known lines end up in attackers' word lists too.

-If you need to write down your passwords, consider storing them in a password vault that encrypts the information, such as Password Safe, KeePass, or RoboForm. Mac users have this functionality built into the operating system in Keychain, which consolidates a user's passwords in one place and makes them accessible via a master password or passphrase.
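To make the rules in the list above concrete, here is an added example in Python (written for this page, not code from the original post or from any of the tools it names). It checks a candidate password against those rules, builds the phrase acronym from the cake example, and estimates the keyspace an attacker has to search. The tiny common-password list and the one-billion-guesses-per-second rate are assumptions for illustration only.

```python
"""Password checks modelled on the tips above (added example, constructed data)."""
import re
import string

# Assumed, deliberately tiny list; a real check would use a large leaked-password corpus.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "letmein", "iloveyou"}

CHAR_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # the 32 printable ASCII symbols
)


def acronym(phrase):
    """First character of each word, keeping the phrase's capitalisation.
    'The ratio of people to cake is too big' -> 'Troptcitb'."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z0-9']+", phrase))


def classes_used(password):
    """Which of the four character classes actually appear in the password."""
    return [cls for cls, _ in CHAR_CLASSES if any(c in cls for c in password)]


def check_password(password, username="", personal=()):
    """Return a list of rule violations; an empty list means the password passes.

    `personal` holds details that are not really secret (birth date, phone
    number, family names); digit runs of four or more taken from them are
    rejected as well as the literal strings.
    """
    problems = []
    pw_lower = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if username and pw_lower == username.lower():
        problems.append("same as user name")
    elif len(username) >= 4 and username.lower() in pw_lower:
        problems.append("contains user name")
    if pw_lower in COMMON_PASSWORDS:
        problems.append("on common-password list")
    for item in personal:
        if len(item) >= 4 and item.lower() in pw_lower:
            problems.append(f"contains personal detail {item!r}")
            continue
        digit_runs = set(re.findall(r"\d{4,}", item)) | {re.sub(r"\D", "", item)}
        if any(len(run) >= 4 and run in password for run in digit_runs):
            problems.append(f"contains digits of {item!r}")
    if len(classes_used(password)) < 2:
        problems.append("uses only one character class")
    return problems


def charset_size(password):
    """Alphabet size an attacker must assume, given the classes the password uses."""
    return sum(size for cls, size in CHAR_CLASSES if any(c in cls for c in password))


def brute_force_seconds(password, guesses_per_second=1e9):
    """Worst-case time to exhaust every string of this length over this alphabet.
    The guess rate is an assumed figure for illustration, not a measurement."""
    return charset_size(password) ** len(password) / guesses_per_second


if __name__ == "__main__":
    pw = acronym("The ratio of people to cake is too big")
    print(pw, check_password(pw), f"{brute_force_seconds(pw) / 86400:.0f} days to exhaust")
    print(check_password("password", username="bkrebs"))
    print(check_password("briankrebs", username="briankrebs"))
    print(check_password("Sunny1975!", personal=["Sunny", "1975-03-12"]))
```

The keyspace figure is only an upper bound on effort: it says nothing about a password that an attacker can look up in a word list or phish outright, which is why the checks against common passwords and personal details come first.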

Update, Oct. 6, 1:15 p.m. ET: News of these stolen passwords was originally reported by Neowin.net, which said that some 10,000 Hotmail account credentials had been briefly posted online. Web application security vendor Acunetix says it managed to get hold of that file while it was up on the Web, and has done some interesting analysis of the most common passwords.

By Brian Krebs  |  October 5, 2009; 9:26 PM ET
Categories: Latest Warnings, Safety Tips | Tags: hotmail, microsoft, password safety, phishing

Comments

Ah hahahahahhahahahahahha, why am I not surprised at this news? A safe Windows operating system or any Microsoft program will never be safe.
Why, you may ask?
1.) Because, like the United States Government, they have pissed off too many people around the world.
2.) People around the world think they know what they are downloading or accessing but are really ignorant and will always send viruses, and other worms, trojans, etc. to all their friends and co-workers.
3.) There are some types of people that get off on screwing with others; even if they don't know who they are, they do get the feedback about what they have accomplished. Your news article is exactly what they need to validate their poor existence.
Thanks, I needed a good laugh!

Posted by: nocroman | October 6, 2009 12:29 AM | Report abuse

Nocroman.... um... I'm gonna take a stab here, and say you didn't read the article. While I'm no Microsoft loyalist, if you're going to be a hater, you should at least, oh I dunno, not look like a fool. To wit:

"...the company has determined that the data spill was not the result of a breach of internal Microsoft data, but rather was likely the haul from a phishing scheme."

Of ALL the things you can blame on Microsoft, human foolishness is not one of them.

Posted by: conspirator5 | October 6, 2009 1:07 AM | Report abuse

conspirator5, why are so many people so gullible as to swallow any story which Microsoft spins? How do they know which accounts to block if this was an external phishing scheme? Sounds more like a sewage spill from the Windows cesspool.

Posted by: macbilton | October 6, 2009 2:13 AM | Report abuse

macbilton, do you suppose that Microsoft could have read the published list to find out which accounts might have been compromised and should be blocked?

Posted by: dstepaniak | October 6, 2009 2:33 AM | Report abuse

dstepaniak, why do you think Microsoft can get their hands on this list any sooner than anyone else, and why do you think that it's a complete list?

Really the only answer is to CHANGE YOUR PASSWORD, NOW! Once you change it, you are safe again. If someone else has already changed it on you, then you need to talk to Microsoft.

You also might want to think about changing your browsing habits: ALWAYS punch in the URL for your email by hand. NEVER let the system store your password. ALWAYS double-check the URL before you type your credentials.

Mass-disabling email accounts is disruptive, not a solution to the problem, and just makes the hackers feel very proud that they caused so much inconvenience.

Posted by: frantaylor | October 6, 2009 3:39 AM | Report abuse

frantaylor,
First of all what would lead you to believe that Microsoft did get the list before anybody else did or that it was a complete list of compromised accounts? Nothing in the article suggests that either is the case, nor did I. I simply pointed out that Microsoft was able to establish that at least those accounts had been compromised since the list had been publicly published online.

I agree that all precautions should be taken by users, including changing their passwords. As a network administrator I know from firsthand experience that unfortunately not all will do anything about it. That leaves many users vulnerable, and if something bad does happen, guess who the user will blame for not doing enough to protect them. It also provides possible spam relays, and there is already more than enough of that nonsense going on now, thank you very much.

While disabling the accounts is inconvenient and disruptive, I believe the possible consequences of the alternative of relying entirely on the user are worse. While you may be a very conscientious and alert user there are many who are not. And unfortunately as administrators we have to do things sometimes that are inconvenient and disruptive to protect the system as a whole. If the network at your company is in any way breached, one of the first things that your administrator should do is require all passwords to be changed. While disruptive and inconvenient it is prudent.

Posted by: dstepaniak | October 6, 2009 5:11 AM | Report abuse

I don't believe for a second that Microsoft likes this or is indifferent to it.
I think they try to make their software secure, but the problem is there's always a way to breach any security measure given enough time.

We seem to be in the habit of blaming the victims of crime for the injustices perpetrated against them in this country.

It's the criminals' fault, not the victims'.
No matter how much you all dislike the very wealthy, we build on their foundations to make progress.

Posted by: Thozmaniac | October 6, 2009 5:16 AM | Report abuse

Soapbox time.... Passwords are inadequate security. They're used because they're cheap. Proper security requires two out of three: what you know, what you have, what you are. So a password (know) and a card (have) is good. A card (have) and fingerprint (are) is good.

Passwords alone are no good. And phishing, getting you to cough up your password, is impervious to the "good password" criteria that Mr Krebs suggests.

I have a "brute force" program that cracks word passwords. It starts with single characters and keeps building until it finds the right one. Up to 8 characters breaks in minutes.

If password is all you get, make it long. Out of dictionary is good. Yes, "briankrebs" is a bad password but "brian!krebS" is unguessable. Especially if it's my password. :)

Posted by: MAL9000 | October 6, 2009 6:57 AM | Report abuse

Given Microsoft's financial contributions to libertarian "think tanks" like Cato and the Pacific Research Institute, who can say how safe or trustworthy is anything with Microsoft's name attached to it?

The libertarian viewpoint is "Every man for himself." It is troubling that Microsoft shares those sentiments.

Posted by: WhatHeSaid | October 6, 2009 7:07 AM | Report abuse

Does HotMail still run on FreeBSD? Or did MS migrate it to Windows?

I can't keep track of all the sites I use that require passwords, so I have a text file with all the passwords in it. Or, rather, the list of variations on the "default" password. Reads something like:
"WaPO, usual user, usual pass
bank: usual user, usual pass, 1 for i, 0 for o, 4 for a,$ for s."

Posted by: wiredog | October 6, 2009 8:51 AM | Report abuse

>I have a "brute force" program that cracks word passwords. It starts with single characters and keeps building until it finds the right one. Up to 8 characters breaks in minutes.

> If password is all you get, make it long. Out of dictionary is good. Yes, "briankrebs" is a bad password but "brian!krebS" is unguessable. Especially if it's my password. :)

You shouldn't get more than 3 tries in a proper security environment. Then you get locked out.

Posted by: GWGOLDB | October 6, 2009 10:38 AM | Report abuse

So do the commenters to this column always break out in an instant brawl?

I am shunning you.

Posted by: fallschurch1 | October 6, 2009 11:30 AM | Report abuse

This is a good example at how quickly phishing scams can spread and cause personal damage. I wrote a few tips on how to avoid phishing scams, and you can read the information here: http://securityblog.astaro.com/2009/08/anatomy_of_a_spear_phishing_at.html#more

Posted by: tcronin-astaro | October 6, 2009 11:56 AM | Report abuse

Didn't Brian just comment about the capabilities of OPHCRACK and how quickly totally random passwords could get broken ???

Like within the last week maybe ???

In any event, don't smoke any kind of crack before picking or creating any password. LOL

Posted by: brucerealtor@gmail.com | October 7, 2009 1:57 AM | Report abuse
