
Microsoft's Hotmail Challenge Backfires

samzenpus posted more than 2 years ago | from the not-the-desired-outcome dept.


Barence writes "Microsoft challenged the editor of PC Pro to return to Hotmail after six years of using Gmail, to prove that its webmail service had vastly improved — but the challenge backfired when he had his Hotmail account hacked. PC Pro's editor say he was quietly impressed with a number of new Hotmail features, including SkyDrive integration and mailbox clean-up features. He'd even imported his Gmail and contacts into Microsoft's service. But the two-week experiment came to an abrupt end when Hotmail sent a message containing a malicious link to all of his contacts. 'What's even more worrying is that it's not only my webmail that's been compromised, but my Xbox login (which holds my credit card details) and now my PC login too. Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features such as the Metro Store, synchronization and SkyDrive,' he writes."


453 comments


First Post Haxors (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#39800493)

This one's for Jesus, deal with it brothers

The captcha is Majestic

Stop Feeling Sorry For Them - They're Selfish (-1)

Anonymous Coward | more than 2 years ago | (#39801153)

The USA without the Baby Boomers would be like a dog without bricks tied to its head.

When the last Baby Boomer croaks the USA will enter into a new era of prosperity.

They're so goddamned self-centered they routinely drive 10-20 below the speed limit, hold up everyone trying to get to work partly to pay for their precious Social Security, and can't understand why that's a problem. And being frivolous and self-important, they're too "good" to pull over and let the long line of cars stuck behind them to pass even though those people are getting to work, have a clock to beat, and the old fart doesn't.

If you work a service job because in this economy you are thankful to have any regular work at all, you know that to the Baby Boomers, every service person is their own personal butler. You'll have noticed that when they ask you where something is, they are usually standing in front of it. They certainly can read because they can absolutely read your nametag, even though it's a much smaller font than the big sign for the item they wanted to find. Being self-centered it would not occur to them to make even a token effort to look around (i.e. swivel their neck about 15 degrees, such horrible effort I know) before requesting that you drop everything you are doing and assist them. You know, like any decent person who doesn't think they're better than you would do.

They don't talk to you, they talk *at* you. I've had them whistle at me like I am a dog and note I have never seen anyone other than a Baby Boomer who was so eager to be degrading like this. They will try to monopolize service personnel and try to talk for 20 minutes to complete strangers about their grandkids, not because they think you care or are involved in any way, but because they love to abuse a captive audience that fears for their job too much to tell them to fuck off. They will do that instead of wondering if there might be good reasons why their kids and grandkids don't visit them, because that line of inquiry might lead to admitting fault, and they're too much better than you to do that. They love to complain about everything even when they know the employee they complain to has no control over high-level company decisions like which products are offered for sale.

With few exceptions they've regressed and have become little more than overgrown two-year-olds. They are bankrupting the country. They vote in huge blocs for all the wrong people, greatly contributing to the political mess we have today. They run homeowner's associations so they can take neighbors to court over such important matters as the color of paint. They are one of the biggest reasons why marijuana remains illegal and otherwise love to use law like a cudgel to beat you over the head with their own brand of morality, that you follow or be punished. They tend to be real big law-and-order types even in situations where there can be no victim because it is all consenting adults.

When the last Baby Boomer dies I intend to throw a huge block party. The theme will be IT'S FINALLY OVER! Get over your idealized image of sweet old inoffensive Grandma because they hide behind that to manipulate your emotions so you feel afraid to admit how pathetic and selfish they are. That same "sweet" old Grandma will turn into MegaBitch the instant you cannot do exactly what she demands. Dunno about you people but I don't believe in false images.

The above applies to all but a few of them. A few of them actually have character traits like patience and wisdom and intellectual independence to show for the great deal of time they have lived on this planet. Those are precious and I treat them with great respect and do whatever I can for them. The other 95% just plain suck and are a total drain on society, both financially and at the interpersonal level.

The USA without the Baby Boomers is like a dog without a stack of bricks tied to its head.

Yes, but other than that, how did you like it? (5, Funny)

Anonymous Coward | more than 2 years ago | (#39800523)

Other than that, would this be an experience you would recommend to others?

Re:Yes, but other than that, how did you like it? (4, Insightful)

masternerdguy (2468142) | more than 2 years ago | (#39800541)

I actually feel sorry for M$ on this. They tried so hard and genuinely improved the service and this happens. Still hilarious though.

Re:Yes, but other than that, how did you like it? (-1, Offtopic)

Finallyjoined!!! (1158431) | more than 2 years ago | (#39800855)

You're posting under a misnomer, mush!....

You must immediately remove the word "Master" from your user alias, as you quite clearly are not..

Re:Yes, but other than that, how did you like it? (1, Troll)

cpu6502 (1960974) | more than 2 years ago | (#39800933)

Feeling sorry for M$ is like a wife who feels sorry for her husband after he abuses her. I don't feel sorry for mickeysoft.

I wish their OS share dropped to the same level as their browser share (~40%), so we can choose some real alternatives from other companies. I feel like I've been stuck driving a Yugo OS for the last 15 years. Prior to that I used to drive Lexus-level OSes.

Re:Yes, but other than that, how did you like it? (3, Funny)

cratermoon (765155) | more than 2 years ago | (#39800635)

Obligatory: Other than that, Mrs. Lincoln, how did you like the play?

Re:Yes, but other than that, how did you like it? (0)

19thNervousBreakdown (768619) | more than 2 years ago | (#39800879)

Well, my philandering husband was murdered, so that's a plus.

Re:Yes, but other than that, how did you like it? (4, Funny)

devitto (230479) | more than 2 years ago | (#39800801)

Other than that, would this be an experience you would recommend to others?

I can't see why Playstation owners wouldn't migrate.

Re:Yes, but other than that, how did you like it? (5, Informative)

AngryDeuce (2205124) | more than 2 years ago | (#39800899)

It's funny, but that was exactly the same thing that convinced me to leave Hotmail once and for all 2 years ago, and I'd had the same Hotmail email address since before Microsoft even bought it back in the late 90's.

The thing that really pissed me off was that, when I contacted Microsoft and told them I got hacked and requested they delete the account, they flat out refused to do so, and told me I'd just have to wait until it was deleted due to inactivity. Because I'd had that email address for so long, I had literally hundreds of contacts that got hit with spam messages (to include former employers and companies that I had job applications on file for, how embarrassing THAT was). I wanted the email address dead so that I didn't have to worry about it happening again in 8 months, but apparently that was just too much to ask. My password was not some ridiculous '123456', either, it was a non-dictionary stream of mixed-case letters with numbers and special characters, so simply changing the password was not a satisfactory course of action in my opinion (and I told them that), but of course, what the hell can I do when they just say "no"? Sue them? I wish I had that kind of time and money. For all I know, they could have hacked the email again and reset the clock, but I made sure to delete every contact, set the inbox to exclusive, and set it to delete junk immediately upon receipt before I abandoned the account, so if the assholes manage to steal it again, it won't be much use to them.

The Xbox Live people were much, much more helpful with migrating my account to Gmail. For the days it took for the Live Mail team to respond to me, I was squared away in minutes with the XBL rep, and we even ended up bullshitting about old school video games for like 25 minutes afterwards.

Funny how much different two arms of the same fucking company can be.

Re:Yes, but other than that, how did you like it? (4, Insightful)

vux984 (928602) | more than 2 years ago | (#39801037)

What makes you think deleting the email account that minute would have made the slightest difference?

They got in, skimmed it for the contact list, and they are done.

They don't actually need access to your account to send email masquerading as being from you to spam your contacts from then on.

Backfires? (5, Funny)

busyqth (2566075) | more than 2 years ago | (#39800529)

Hotmail sent a message containing a malicious link to all of his contacts

It seems to me that it was convincingly demonstrated that Hotmail has a few features that Gmail lacks.
Good job Microsoft!

Re:Backfires? (1)

Penguinisto (415985) | more than 2 years ago | (#39800767)

Ah yes... the always-free DAVIT suite! (Darwin AntiVirus Involuntary Testing)! ...but wait, they've had that for years now. You'd think GMail would have at least aped the feature once or twice...

Epic Fail (4, Insightful)

girlintraining (1395911) | more than 2 years ago | (#39800533)

Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features

So the Marketing department got the green light over the Security department during the development of Windows 8. Naturally, when the Marketing department does something stupid like linking account credentials between two separate administrative domains, it's Security's responsibility to sprinkle magic fairy dust over it.

Okay, I'd like my $80,000 bonus now, and a letter of resignation from the chief designer of the Windows Live security team please. Also, let the marketing department know that we'll need to find someone to spin the bad press away, you know, the usual crap about it being a beta release and then suing him for violating the NDA that says he can only report positive experiences with the beta.

that will be a death note to enterprise use (2, Interesting)

Joe_Dragon (2206452) | more than 2 years ago | (#39800675)

Hotmail login the same as the Windows logon, and the Windows Store with a CC? WOW, Windows 8 may flop so badly that they have to have a Windows 9 next year, or a Windows 7.5.

Re:that will be a death note to enterprise use (5, Informative)

Anpheus (908711) | more than 2 years ago | (#39800783)

If you took the cursory amount of time to research this, you'd find that (a.) no, Microsoft doesn't expect business users to rely on authenticating against Windows Live, and (b.) that Windows Live login is optional and not necessary, and a local account works just fine. You just don't get access to some easy synchronization items, but you can still access the Windows Store and apps by logging in manually.

But hey, this is slashdot. Who needs to verify before they make grandiose claims?

Re:that will be a death note to enterprise use (5, Insightful)

Zero__Kelvin (151819) | more than 2 years ago | (#39800911)

... well then ... it's a damn good thing that almost all Windows users are business users then! You know ... because regular folks would probably sacrifice security for usability if they even knew that was what they were doing. Thank God there aren't many of those types with 'puters connecting their tubes to the Internet!

Re:that will be a death note to enterprise use (-1)

Anonymous Coward | more than 2 years ago | (#39801145)

Just curious. Have you actually verbally spoken the word "'puter" before in public? Like in a serious conversation? That wasn't with a four year old? Try it, I'll wait.

Did it sound ridiculous? Yes? Yeah, maybe you shouldn't write it either.

Re:that will be a death note to enterprise use (4, Interesting)

Anpheus (908711) | more than 2 years ago | (#39801157)

That's irrelevant though, and you're just picking a fight. I was responding to Joe_Dragon's completely inane objection to Windows 8 from a business standpoint, see his title: "that will be a death note to enterprise use". No, it won't be, and I explained why.

Do you want to engage in a debate on Windows Live logins as well? Because you should know before you start that the Windows Live login has minimum security requirements, doesn't appear to store the Windows Live password locally, and appears to follow some pretty damn good security practices. Now, I haven't fully verified all of these claims, but the login process for Windows Live login appears to use local passwords and certificates to verify the local account password against The Cloud(tm) when available. This is actually an astoundingly good process, as I don't think the hash of the Windows Live password is ever stored on the computer; rather, it can be used to access the local password, but I don't think physical access to a Windows 8 machine can possibly give you access to a user's Windows Live credentials. You can only gain access to local, unencrypted data.

There are bits of this I haven't verified, but they are based on hunches from exploring the system and poking and prodding it. I haven't disassembled the login routines to verify that what I think is happening is the actual process, but it appears that Microsoft has very much followed good security practices here. I was extremely impressed to notice that enabling Windows Live login merely downloads a certificate to the user's local certificate store (encrypted by a local password) and that other mechanisms appear to be in place to mitigate security risks.

think of it from a BYOD mind set (1)

Joe_Dragon (2206452) | more than 2 years ago | (#39801113)

Think of it from a BYOD mindset.

Now BYOD does have its own security issues, but something like this makes it worse.

Re:that will be a death note to enterprise use (1, Insightful)

girlintraining (1395911) | more than 2 years ago | (#39800919)

Hotmail login the same as the Windows logon, and the Windows Store with a CC? WOW, Windows 8 may flop so badly that they have to have a Windows 9 next year, or a Windows 7.5.

It won't have any domain authentication, no group policy, and not much as far as granular security (obviously). No, it was dead on arrival as far as business use is concerned, and Microsoft has already stated as much. Apparently Microsoft Bob, Windows ME, etc., and now Windows 8 demonstrate that Microsoft will continue its "Trek" release schedule; you know, that whole odd-even thing. :\

Re:Epic Fail (1)

Penguinisto (415985) | more than 2 years ago | (#39800779)

Looking at it from a Black Hat perspective, if they're stupid enough to keep requiring that, then once Windows 8 gets released, things will become, well, interesting...

Re:Epic Fail (4, Informative)

Anonymous Coward | more than 2 years ago | (#39800869)

Because Windows 8 practically forces you to login with your Windows Live/Hotmail details to access features

Google does exactly the same thing (even with Google Checkout; at least the Xbox account can only be used to buy games for that same account).
Apple does the same thing, as far as I am aware.
I'm not saying it's right, but it seems to be par for the course.

RTFA (2, Informative)

Anonymous Coward | more than 2 years ago | (#39800555)

From the article (but curiously missing from the summary):

(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)

In other words he used a shitty password and got hit by a dictionary attack. Nothing new or interesting here. Move along.

Re:RTFA (2)

Soporific (595477) | more than 2 years ago | (#39800609)

His password was the same as the one to his luggage...

~S

Re:RTFA (3, Informative)

Anonymous Coward | more than 2 years ago | (#39800669)

7-letter lowercase password that's not a dictionary word... that's about 33 bits worth. And that's not offline bruteforceable. What kind of retarded system doesn't do *something* after a few BILLION failed login attempts?

Re:RTFA (1)

SpryGuy (206254) | more than 2 years ago | (#39800737)

What he DIDN'T say was that the acronym was "aaa" and the noun was "arch", so it really didn't take many brute-force attempts. :-P

Re:RTFA (5, Insightful)

ais523 (1172701) | more than 2 years ago | (#39800679)

No way that a web-based service should allow that sort of dictionary attack to succeed. It's not too hard to deliberately spend a sufficiently long time authenticating someone (especially if there have been a bunch of password failures recently on the account / from that IP) that dictionary attacks become unfeasible; it's not like you get to attack the hash. (Look at Wikipedia, for instance, where three login failures cause you to need to fill in a CAPTCHA to log in.)

Re:RTFA (0)

Anonymous Coward | more than 2 years ago | (#39800877)

part acronym, part proper noun

How much do you want to bet it had something to do with his work? Or that he had used the same password in some other system which got hacked? He even mentioned he had to change the password to a whole pile of accounts. Dumbass probably has that password all over the internet and acts surprised when he got owned.

Re:RTFA (2)

LoverOfJoy (820058) | more than 2 years ago | (#39801159)

Well, to be fair, for his gmail password he had to add a 1 at the end for them to accept it. I guess that's why his gmail account was never hacked.

Re:RTFA (2)

TheRealMindChild (743925) | more than 2 years ago | (#39800909)

Funny, I wrote a brute force login app for Hotmail back in like 2002, to see if such a thing was feasible (brute forcing that is). After about 5 failed login attempts, each one after that took over a minute. When did they undo this?

Re:RTFA (5, Informative)

IamTheRealMike (537420) | more than 2 years ago | (#39801077)

Yes, no serious web mail service can be compromised by brute force attacks and that is not what happened here.

Almost certainly, the password in question has been re-used at some other third party website that then got hacked, its password database dumped and the hashes reversed using video cards.

I work on account security at Google and have spent the last 2.5 years of my life on Gmail anti-hacking. So I'm all too familiar with this type of problem, where spammers mail your contacts with a link to their online stores (or malware). Really feel for the Hotmail team here - it's a hard problem to solve. That said, we've made a lot of progress over time. We've blocked very large numbers of logins to compromised accounts (often between half a million to a million accounts per week). There are still occasional campaigns that get past us but it's getting rarer all the time. It may well be that this guy's password was the same on Gmail (i.e., he had one password for everything), and there was an attempt made against his account, but we redirected it to the identity verification quiz and thus it was blocked. It wouldn't be remarkable if so.

I did a public talk at RIPE64 [ripe.net] on the topic of signup and login security at Google, for those who are interested. It's about 30 minutes long.

Re:RTFA (2, Informative)

Anonymous Coward | more than 2 years ago | (#39800765)

I'm not so sure, other AC
Any internet exposed service of non-tribal size will tarpit/lockout an account LONG before a string of characters that long is brute forced/dictionaried.

For a long time I've seen a LOT of hotmail accounts compromised. Actually, pretty much everyone I've known that has ever used a hotmail account has had it hacked. I would not be surprised if there's another vector here.

Re:RTFA (0)

Anonymous Coward | more than 2 years ago | (#39800805)

In other words he used a shitty password and got hit by a dictionary attack. Nothing new or interesting here. Move along.

If you weren't too busy being a snarky jackass you might find it interesting that a service like Hotmail can still be compromised by a dictionary attack in the first place. Windows 8 lets you bind your desktop profile to your Live account... if you don't find this disturbing on some level or another then you are either being stupid or intentionally obtuse, or your name is Steve Ballmer.

So which is it?

Re:RTFA (0)

Anonymous Coward | more than 2 years ago | (#39800951)

See. You call me the snarky jackass, but you couldn't even figure out that my name rhymes with Pill Hates not Sleeve Palmer...

Re:RTFA (2)

Penguinisto (415985) | more than 2 years ago | (#39800811)

That "dictionary attack" should've triggered something on Hotmail's servers after, oh, the 48 millionth failed login attempt in less than five minutes...

Re:RTFA (1)

cpu6502 (1960974) | more than 2 years ago | (#39801005)

>>>got hit by a dictionary attack.

It sounds like he used a password similar to this: sopatom. I don't see that word in my dictionary.

Well... (0)

Anonymous Coward | more than 2 years ago | (#39800557)

This shouldn't affect his opinion of Hotmail at all...

Was it really hotmail hacked... (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39800567)

Or did he just use a crappy password or have malware already on his computer? I know it's popular to bash MS, and I dislike the account convergence we are rapidly screaming towards, but blaming the service when it was more likely that he created the vulnerability is just tacky.

Re:Was it really hotmail hacked... (-1)

Anonymous Coward | more than 2 years ago | (#39800699)

I know it's popular to bash MS

Oh, how original. Never heard that one before. No way. [google.com]

Re:Was it really hotmail hacked... (3, Insightful)

Penguinisto (415985) | more than 2 years ago | (#39800835)

The malware angle I could see, sitting, err, on his Windows machine.

No matter which way you slice it, Microsoft's not going to look too awful good from this.

Re:Was it really hotmail hacked... (1)

Sez Zero (586611) | more than 2 years ago | (#39801045)

Or did he just use a crappy password or have malware already on his computer?

No, but I heard he shared a local network connection with a Mac, and that infected him from all the previously-inactive malware piled up on OS X.

weak password (4, Informative)

cratermoon (765155) | more than 2 years ago | (#39800577)

From the story: 'For those of you inquiring about the strength of my Hotmail password - it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.'

Re:weak password (1)

Anonymous Coward | more than 2 years ago | (#39800595)

I can't see how this is a hotmail fail. This to me seems like a PC Mag editor fail.

Re:weak password (3, Interesting)

TJ_Phazerhacki (520002) | more than 2 years ago | (#39800611)

Sure. But was it actually Hotmail that was hacked, or the way more likely cause of a non-unique password or existing compromise on his pc? Hell, I know script kiddies who would SALIVATE at the chance to make Hotmail look bad for teh lulz...

Re:weak password (4, Insightful)

cratermoon (765155) | more than 2 years ago | (#39800677)

Could be any of those things, or all of those things. In a fully Microsoft monoculture of shared architecture and sloppy security practices, it only takes one weak link to break the whole chain.

Re:weak password (1)

Score Whore (32328) | more than 2 years ago | (#39800775)

Thing is that you can have your browser up and running and you're logged into your web mail service. Or perhaps you saved the password in your browser. Then you log into Facebook and click on some dumb link or perhaps you go to some malicious website. Some errant JavaScript loads up your Hotmail account in an iframe, your browser helpfully provides the credentials or a valid cookie and the script then proceeds to propagate itself to all your contacts.

This does not seem hotmail specific at all.

Re:weak password (0)

Zero__Kelvin (151819) | more than 2 years ago | (#39800993)

"This does not seem hotmail specific at all."

No. You are right; we should also give credit to all the other Microsoft software that had a hand in it as well!

Re:weak password (0)

Anonymous Coward | more than 2 years ago | (#39800793)

Any chain can be broken and will be if it's worth it to do so.

The balance between security is a matter of effort versus value. Just ask anybody who doesn't lock their doors.

Re:weak password (1)

NatasRevol (731260) | more than 2 years ago | (#39800853)

The problem is, in a Microsoft monoculture, there's lots of weak links - the password a human has to type in - everywhere.

Even in this case, it's a 7 letter password that's not (just) a dictionary word and can't be hacked offline (presumably). That's not that weak a link, yet it was broken.

Re:weak password (1)

Bert64 (520050) | more than 2 years ago | (#39801093)

It's likely that if his machine was compromised, other accounts (including his gmail) would also have gotten hacked.

Re:weak password (1)

Crudely_Indecent (739699) | more than 2 years ago | (#39800839)

7 characters alpha - that's terrible. Bruteforce can find that in seconds, no dictionary needed.

Re:weak password (0)

Anonymous Coward | more than 2 years ago | (#39800989)

I agree the author is stupid. But bruteforcing is only feasible if the hashes are visible or the system allows many attempts in a short amount of time.

Re:weak password (1)

Sabriel (134364) | more than 2 years ago | (#39801057)

If that was how it was compromised, still an epic fail for Hotmail not to have a defence against such an obvious attack method.

Re:weak password (1)

Anonymous Coward | more than 2 years ago | (#39800969)

Does Hotmail require HTTPS, as Gmail does by default? It could have been snooped on a public network otherwise, if only using HTTP.

Re:weak password (0)

Anonymous Coward | more than 2 years ago | (#39801059)

The moron is admitting that he is too stupid to remember a powerful enough password, what an idiot. Seven lower case characters, part PROPER NOUN. Idiot.

If the server makes you wait progressively longer (or at least a minute after failing three times) each time you try to log in again, presumably these sort of attacks simply can't work. And what human being would sit and type in thousands of different passwords, when trying to log into their e-mail? Surely the system can be made to recognise this is an attack, and stop it?

hmm (1)

Anonymous Coward | more than 2 years ago | (#39800583)

I smell that I am not getting quite the full story here...

The Good Old Times (1)

Dekonega (1606763) | more than 2 years ago | (#39800593)

Somehow this reminds me of the glorious 90s, when music was great, anime looked the best, and Hotmail became my first web email account I had ever used...

Re:The Good Old Times (-1, Flamebait)

Finallyjoined!!! (1158431) | more than 2 years ago | (#39800997)

!sdrawkcab em kcuF; "anime looked the best", are you on something? toilet bleach perhaps?

God damn it! (1)

Haxagon (2454432) | more than 2 years ago | (#39800619)

Stop making your password "notpassword"!

Idiot? (1, Interesting)

cavtroop (859432) | more than 2 years ago | (#39800643)

So, a fairly public persona publicly announces that he's switching to Hotmail to give it a go. And has a weak-sauce password:

(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)

And somehow this is Microsoft's fault? He's just asking to be hacked, with a weak password like this. *sigh*

Re:Idiot? (0)

Anonymous Coward | more than 2 years ago | (#39800725)

Seriously, who has an internet accessible system with a password of less than 8 characters? Ever since Linux stopped using crypt() for passwords, I've been using 12-30+ character passwords for everything, sometimes words and phrases, other times mixed case. I have yet to receive notification of ANY of my accounts being hacked, and I imagine the ones that have/do will no doubt be because of plaintext passwords stored on 3rd party websites.

Re:Idiot? (0)

Anonymous Coward | more than 2 years ago | (#39800769)

So, a fairly public persona publicly announces that he's switching to Hotmail to give it a go. And has a weak-sauce password:

(Update: For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun. It’s not the world’s strongest password, and I can feel the parental glare of Davey Winder from 200 miles away, but it wasn’t that weak, either.)

And somehow this is Microsoft's fault? He's just asking to be hacked, with a weak password like this. *sigh*

pcbarry

Part acronym, part proper noun. All retarded. And it's even seven characters.

Re:Idiot? (2)

rkfig (1016920) | more than 2 years ago | (#39800943)

Assuming the attacker knew somehow that the password was exactly 7 letters, and that they were all lower case letters, which shouldn't be the case, it still shouldn't have been possible. 7 letters, 26 possible letters in each location means just over 8 billion possible combinations. If we assume upper and lower case letters plus numbers are tried in the brute force attack, that gives a bit over 5 trillion possibilities. Exactly how many failed attempts are allowed on their web logon before any sort of protection system kicks in? So, yes, I do think it is a design and implementation flaw by Microsoft.
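The throttling that ais523, rkfig and several other commenters argue a webmail login should enforce, as an added example written for this page (not code from the thread, PC Pro, Microsoft or Google): it computes the 26^7 keyspace discussed above and simulates a per-account / per-source-IP login throttle against a steady stream of wrong guesses, so the difference between an unthrottled and a throttled login endpoint is visible in numbers. The thresholds (3 failures to CAPTCHA, 5 to exponential delay, 50 per IP to lockout), the account names and the 203.0.113.7 source address are constructed assumptions, and the clock is simulated; nothing touches a network.

```python
"""Password keyspace arithmetic plus a simulated online-login throttle.

Added example for this thread, not code from any real service. Thresholds
and addresses are assumptions; time is simulated in integer milliseconds.
"""
import math
from dataclasses import dataclass, field

LOWERCASE = 26        # a-z, the alphabet the PC Pro editor described
MIXED_ALNUM = 62      # a-z, A-Z, 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the 'about 33 bits' figure quoted in the thread."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Wall-clock years to try every string at a fixed online guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


@dataclass
class LoginThrottle:
    """Server-side failure accounting keyed by account and by source IP.

    check() returns 'ok', 'captcha', 'delay' or 'ip_locked'. Only attempts
    the server actually evaluated are counted as failures.
    """
    captcha_after: int = 3           # account failures before a CAPTCHA is demanded
    backoff_after: int = 5           # account failures before exponential delay starts
    base_delay_ms: int = 60_000      # first delay step: one minute
    max_delay_ms: int = 3_600_000    # delay is capped at one hour
    ip_lockout_after: int = 50       # failures from one IP across all accounts
    fails_by_account: dict = field(default_factory=dict)
    fails_by_ip: dict = field(default_factory=dict)
    not_before_ms: dict = field(default_factory=dict)

    def check(self, account: str, ip: str, now_ms: int) -> str:
        if self.fails_by_ip.get(ip, 0) >= self.ip_lockout_after:
            return "ip_locked"
        if now_ms < self.not_before_ms.get(account, 0):
            return "delay"
        if self.fails_by_account.get(account, 0) >= self.captcha_after:
            return "captcha"
        return "ok"

    def record_failure(self, account: str, ip: str, now_ms: int) -> None:
        n = self.fails_by_account.get(account, 0) + 1
        self.fails_by_account[account] = n
        self.fails_by_ip[ip] = self.fails_by_ip.get(ip, 0) + 1
        if n >= self.backoff_after:
            step = n - self.backoff_after            # doubles with each further failure
            delay = min(self.base_delay_ms * 2 ** step, self.max_delay_ms)
            self.not_before_ms[account] = now_ms + delay

    def record_success(self, account: str) -> None:
        self.fails_by_account.pop(account, None)
        self.not_before_ms.pop(account, None)


def simulate_guessing(throttle: LoginThrottle, accounts: list, ip: str,
                      rate_per_s: int, budget_s: int,
                      solves_captcha: bool = False) -> int:
    """Count the guesses the server evaluates for one steady single-source guesser.

    Constructed scenario: every guess is wrong and accounts are cycled
    round-robin (one account = dictionary attack on it; many = spraying).
    """
    interval_ms = 1000 // rate_per_s
    evaluated = 0
    for i in range(rate_per_s * budget_s):
        now_ms = i * interval_ms
        account = accounts[i % len(accounts)]
        state = throttle.check(account, ip, now_ms)
        if state in ("ip_locked", "delay"):
            continue            # refused before the password is even compared
        if state == "captcha" and not solves_captcha:
            continue            # a plain script stops here
        evaluated += 1
        throttle.record_failure(account, ip, now_ms)
    return evaluated


if __name__ == "__main__":
    space = keyspace(LOWERCASE, 7)
    print(f"26^7 = {space:,} ({entropy_bits(LOWERCASE, 7):.1f} bits)")
    print(f"62^7 = {keyspace(MIXED_ALNUM, 7):,} ({entropy_bits(MIXED_ALNUM, 7):.1f} bits)")
    print(f"unthrottled at 100 guesses/s: {years_to_exhaust(space, 100):.1f} years")
    print("10 min against one account, no CAPTCHA solving:",
          simulate_guessing(LoginThrottle(), ["victim"], "203.0.113.7", 100, 600))
    print("10 min against one account, CAPTCHAs solved:",
          simulate_guessing(LoginThrottle(), ["victim"], "203.0.113.7", 100, 600, True))
    print("10 min spray over 1000 accounts from one IP:",
          simulate_guessing(LoginThrottle(), [f"u{i}" for i in range(1000)],
                            "203.0.113.7", 100, 600))
```

Even with the CAPTCHA solved, the exponential delay lets the server evaluate only eight guesses in ten minutes against one account, which is why the commenters treat an online dictionary attack succeeding as a server-side defect rather than a password-strength question.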

Re:Idiot? (1)

shentino (1139071) | more than 2 years ago | (#39800965)

I think he sabotaged the trial on purpose just to make hotmail look bad.

Re:Idiot? (1)

Zero__Kelvin (151819) | more than 2 years ago | (#39801015)

In case you missed it because you posted and then moved on, there is no "somehow" about it. The very fact that a dictionary attack could be done at all is direct evidence of woeful incompetence.

Re:Idiot? (1)

geekoid (135745) | more than 2 years ago | (#39801101)

Yes, its Microsoft's fault.
It should allow more than 3 attempts before using the alternative contact method.

In other news (1)

Megor1 (621918) | more than 2 years ago | (#39800663)

In other news it's my home builders fault that I left my keys in my door and I was robbed.

SSL still isn't the hotmail default! (3, Informative)

Anonymous Coward | more than 2 years ago | (#39800673)

It's only recently (Nov. 2010) that hotmail even had the option of using SSL:

http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx [windowsteamblog.com]

And SSL still isn't the default option for hotmail.

Gmail at least had the option for SSL for many many years, and google made SSL the default a few years back (after they got hacked by the Chinese).

Re:SSL still isn't the hotmail default! (1)

ewanm89 (1052822) | more than 2 years ago | (#39800851)

No, in fact, enabling it as the default on your account warns you that the Windows Mobile Live app and some others will stop working.

As I posted yesterday (-1, Troll)

cpu6502 (1960974) | more than 2 years ago | (#39800697)

(and got modded -1). I think this story proves what I was saying:

Try "Skydrive? [Or hotmail?]
"One word:
"Microsoft.
"How many chances am I supposed to give this company? They've let me down almost every time... the earliest being when I tried to multitask in Windows 3 and 95, but it hung the system repeatedly (cooperative tasking sucks). Then I tried to play Wing Commander and it refused to run due to graphics-card incompatibilities/broken drivers. I ended-up playing the Commodore Amiga version instead (just plug'n'play). More recently MS media player refuses to execute half the movies I throw at it [.....] Windows XP was the first stable OS to come out of that company, so I had high hopes they had turned around... but then I experienced Vista on my brother's brand-new 1/2 gig machine. It was ass..... random freeze-ups for 2-3 minutes.

"Better to avoid MS as much as possible......" No to Hotmail.

Re:As I posted yesterday (1)

bananaquackmoo (1204116) | more than 2 years ago | (#39800925)

"Windows XP was the first stable OS to come out of that company" INCORRECT Windows 2000 was the first stable OS. XP was less stable than 2000.

Re:As I posted yesterday (1)

geekoid (135745) | more than 2 years ago | (#39801075)

My MSDOS 3.1 was never hacked or crashed, clearly that was the most stable and secure

Re:As I posted yesterday (-1, Troll)

cpu6502 (1960974) | more than 2 years ago | (#39801089)

Really?
Wasn't XP simply the +0.1 version of Win2000? I would have thought it would be more stable, like how WinSeven (6.1) is more stable/bugfree than Vista (6.0).

samzenpus, you idiot! (2)

X0563511 (793323) | more than 2 years ago | (#39800719)

Why is this in idle? After that blatant dupe earlier...

You are grounded!

Hotmail hacked (1)

nauseous (2239684) | more than 2 years ago | (#39800735)

Most people I help or talk with have been hacked on Hotmail. Microsoft must have no security; I've been hearing about Hotmail hacks for a long time. Suggestion: don't use Hotmail :-) Very insecure.

One word, One link... (1)

Anonymous Coward | more than 2 years ago | (#39800739)

LastPass
http://www.lastpass.com

Re:One word, One link... (1)

monkeyhybrid (1677192) | more than 2 years ago | (#39801087)

Or amongst a choice of others, my personal favourite, KeePass [keepass.info] . It's free, open source and has ports for pretty much any desktop / mobile OS out there.

Think of the alternatives (2, Funny)

Groo Wanderer (180806) | more than 2 years ago | (#39800759)

MS is continually bashed for security reasons, and mocked for being a virus spreading engine etc etc. Those who continually make such silly and baseless allegations, as evidenced by the story above, don't even once think about the alternatives and THEIR security problems.

After dumping Windows and MS products in general a few years ago, I have had a first hand hard lesson in the problems of 'alternative' OSes, if you can call them that. My problems have been nearly unending since switching to Linux, I mean just last month, or was it the month before, my laptop crashed. This wasn't the first time either, it routinely happens 2-3 times a year.

Think about it people, if you don't use MS, you might not have horrific security problems that compromise all connected devices and identities, but you may have to suffer through a similar fate to me. Be careful what you ask for, and THINK before you whine in public.

                  -Charlie

Re:Think of the alternatives (1)

Microlith (54737) | more than 2 years ago | (#39800813)

Unfortunately, due to Poe's Law (or whatever reciprocal exists for fanboys) I cannot discern if this post is just satire or if it's dead serious.

Fool (0)

Anonymous Coward | more than 2 years ago | (#39800777)

"...forcing me to include a capital letter, a number, a set number of characters and a symbol from the Ancient Greek alphabet (I exaggerate only slightly)."

His password was most likely 'editors' and is wondering how he was "hacked". It really is sad that such a fool can post news about the security, or lack thereof, of Microsoft's Hotmail service.

On the positive side (for consumers)... (2)

SpryGuy (206254) | more than 2 years ago | (#39800787)

...perhaps this will light a fire under Microsoft to get their system a bit more secure (in spite of weak passwords like the one the guy used), and not allow things like spamming all contacts without some second-source notification/response, or some other easy to implement blocks to this sort of behavior.

And the result for consumers will be a more robust system in general (Microsoft Account/WindowsLiveID, as well as HotMail, Win8, XBoxLive, etc).

Failures often spur innovation and improvement. They're not always a bad thing (though this one is particularly embarrassing, it may be just that level of embarrassment that drives the motivation to work on solutions to the problem).

Your Gmail has been Smoked by Hotmail. (1)

LWATCDR (28044) | more than 2 years ago | (#39800795)

That is all.

It wasn't THAT bad a password actually (4, Informative)

silentcoder (1241496) | more than 2 years ago | (#39800797)

http://xkcd.com/936/ [xkcd.com]

Truth be told the passwords we actively encourage are no stronger than what he used.
If you want a really strong password, use a sentence of random words. Password length matters far more than password content - this is a simply provable fact - too bad hardly anybody in security realizes it.

Re:It wasn't THAT bad a password actually (1)

mdenham (747985) | more than 2 years ago | (#39801105)

Eh, a sentence of random words can still be hit by dictionary attacks (assuming that the attacker is smart enough to go after passphrases as well). Somewhat better is to replace spaces in the sentence with numbers forming a meaningful sequence (preferably only to you), and ending with one piece of punctuation.

It's still easy to remember, and attackers are now pretty much stuck with having to find you and torture the password out of you.

Not uncommon (4, Interesting)

krelian (525362) | more than 2 years ago | (#39800833)

This is not the first time I hear about a hotmail account being hacked to send malicious links. I had a few friends with the same problem, always hotmail. It's possible there is a serious security problem with the service. And even if there isn't, logic should be in place to suspend account who start mass emailing their contact lists with suspicious links, it shouldn't be that hard to stop.

Re:Not uncommon (0)

Anonymous Coward | more than 2 years ago | (#39801137)

I see Hotmail and Yahoo addresses in attacks like this.

password = 123456 (0)

Anonymous Coward | more than 2 years ago | (#39800861)

I guess this is his wah! wah! moment but I am not buying it. Why were you running Windows 8? I saw some noob running it on his main computer the other day and I was tempted to tell him to uninstall it, but I let sleeping dogs do their thing. An editor at pcmag should know better; no sympathy from me.

no try @me.com :) (0)

Anonymous Coward | more than 2 years ago | (#39800865)

http://www.overtecno.com.br/wp-content/uploads/2011/03/nelson-simpsons-ah-ah-420x261.jpg

Watch for the turfers (0)

Anonymous Coward | more than 2 years ago | (#39800893)

Keep an eye out for a handful of talking points repeated with similar words and phrases.

I'd never seen so much shilling for skydrive since that last post about Google's new data locker service.

It's His Own Damn Fault (5, Insightful)

smack.addict (116174) | more than 2 years ago | (#39800907)

His password is 7 lower case characters. It's a wonder his GMail account wasn't hacked ages ago.

Re:It's His Own Damn Fault (1)

Bill Dimm (463823) | more than 2 years ago | (#39801139)

If the password was brute forced, that would involve a few billion failed login attempts (assuming it's not just a dictionary attack). One might expect a website to do something to prevent that.
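An added example, not from any poster in this thread: the keyspace arithmetic from rkfig's post, together with a small per-account lockout of the kind geekoid and Bill Dimm are asking for. The lockout policy (three failures, then a 15-minute lock) and the simulated attempts are assumptions chosen for illustration.

```python
"""Keyspace size versus an online guessing budget under a lockout policy.
Example added to the thread; policy numbers are hypothetical."""
from dataclasses import dataclass, field


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


@dataclass
class LoginThrottle:
    """Hypothetical lockout: after `max_failures` consecutive failures on an account,
    refuse every attempt on that account until `lockout_seconds` have elapsed."""
    max_failures: int = 3
    lockout_seconds: int = 900
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> unlock timestamp

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'denied'; a locked account is refused before any check."""
        if now < self.locked_until.get(account, 0.0):
            return "locked"
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
        return "denied"

    def guesses_per_day(self) -> int:
        """Upper bound on online guesses against one account per day under this policy."""
        return self.max_failures * (86400 // self.lockout_seconds)


def days_to_exhaust(combinations: int, guesses_per_day: int) -> float:
    """Days an online guesser needs to try every password at `guesses_per_day`."""
    return combinations / guesses_per_day


if __name__ == "__main__":
    lower7 = keyspace(26, 7)          # rkfig's "just over 8 billion"
    throttle = LoginThrottle()
    print(f"26^7 = {lower7:,} combinations")
    print(f"{throttle.guesses_per_day()} guesses/day under lockout -> "
          f"{days_to_exhaust(lower7, throttle.guesses_per_day()):,.0f} days to exhaust")
```

The point the thread makes falls out of the numbers: even the weakest reading of the password (26^7) is far beyond what an online guesser can try against a single account once a basic lockout is in place, so either no such lockout existed or the password was obtained some other way.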

Microsoft's online encryption has always been bad (2)

Celexi (1753652) | more than 2 years ago | (#39800917)

Hotmail's default isn't SSL as far as I know, and their chat service isn't SSL or encrypted or even able to run encrypted (unlike Google's chat/XMPP). So it isn't exactly safe; not long ago someone was trying a dictionary attack of some sort for days on my MSN Messenger account, as it prevented me from logging in due to "too many password attempts" (when I had not been the one doing those attempts).

Probably wide spread (1)

Anonymous Coward | more than 2 years ago | (#39800959)

I had the same issue last night. Strong password, not logged into hotmail itself in months. Looks more like a breach than anything else.

The only place I've used the password is in MSN in pidgin, I'm considering doing at least a cursory audit of pidgin.

Re:Probably wide spread (2)

Billhead (842510) | more than 2 years ago | (#39801131)

In that case you should also know that Pidgin stores the passwords in plaintext in the settings file (at least last time I checked).

Typical Exaggeration: "I Got Hacked!" (1)

Geste (527302) | more than 2 years ago | (#39800999)

Probably upwards of 20 times in the past year I have heard co-workers, acquaintances, relatives and others bleat "My Email Account Got Hacked!". These folks included AOL, Gmail and Hotmail users.

They didn't get hacked. They were naive. They got hoodwinked. They gave up information to some trojan or phishing email or keylogger. And, yes, many were using the same weak or semi-weak password on multiple sites including their email and Facebook and Amazon and such. They were for the most part completely oblivious that doing that was a Bad Idea.

I am about as far from a Microsoft fan or apologist as it is reasonable to be. I'll also allow that there may be problems in the Hotmail and Live! monoculture (that I am not the world's expert on as I don't use them). But when I read the author admit that he used a fairly weak 7-character, all-lower-case password how can I give this story any credit? Doesn't sound like a very diligent techie to me. Rather, it makes me wonder where else he used that password.

Re:Typical Exaggeration: "I Got Hacked!" (1)

geekoid (135745) | more than 2 years ago | (#39801019)

It should have demanded alternative authentication after three attempts, and sent a text to the person's phone saying someone attempted it.

Fucking idiot. (0)

Anonymous Coward | more than 2 years ago | (#39801017)

Delete your damn e-mail when you are done with it. Stop raping everyone's privacy.

Security issues in his story... (1)

Guppy06 (410832) | more than 2 years ago | (#39801031)

I’d also set up Hotmail to import all my Gmail and its associated contacts. Not to mention the Facebook and LinkedIn contacts that Hotmail merges into your online address book.

Meaning that all these online services contained the password information for all the other services. Even if different passwords were used for each, the linkages between them all would allow a chain reaction if just one was compromised.

In fact, in the screenshot, I note he has an email about his Google account password being changed. I don't link my Hotmail and Gmail accounts, so I don't know, but does the Hotmail interface even display stored passwords?

but as that email address was also used as my iTunes login, I wanted to change that password as well.

How much of a problem would that be? Unless, of course, they also had the same password...

So I now had three new passwords – all using slightly different systems – swimming round my slightly inebriated brain, and I can’t even remember the name of my news editor when I’m sober.

That sounds an awful lot like he didn't already have a system for maintaining separate passwords for separate services.

For those of you inquiring about the strength of my Hotmail password – it was a seven-letter string of lowercase letters. Not a dictionary word, but part acronym, part proper noun.

Being coy about what his former password was may indicate that the very same password is still in use elsewhere.

In the end: an unauthorized user accessed his Hotmail account, but I'm not seeing any strong evidence that it was Hotmail itself that got compromised.

Sitcom (0)

Anonymous Coward | more than 2 years ago | (#39801081)

It's got to the point that it's comical, an almost 'oh, that Microsoft' quality.
