

Hotmail Adds New Feature "My Friend's Been Hacked" - mjurek
http://www.tekgoblin.com/2011/07/16/hotmail-adds-new-feature-my-friends-been-hacked/

======
drdaeman
> Hotmail is also working hard to eliminate accounts that have simple
> passwords such as “12345678” and “password” by increasing security measures
> and not allowing simple passwords to be created.

Awesome. Not like I use Hotmail, but... So now if someone's password generator
just happens to generate a "weak" password not containing, for example, a digit
(uh, even `openssl rand -base64 12` provides such outputs from time to time),
the user will have to step away from the usual password generation scheme and
create a special password just for hotmail.com.

Please, for the love of sanity, never ever forbid any passwords (except for
too short ones, with a reasonable minimal length). Just freak the user out so
he'll think twice before using a possibly weak password. You'll educate users
this way instead of frustrating them.

(And never limit maximum length or the set of possible characters, except for
rare cases where there are technical obstacles requiring it - like
non-8-bit-safe protocols. If a user wants to authenticate with a passpoem
written in the runic alphabet — let him have it.)
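
One way to implement the policy argued for above (reject only on minimum
length, warn on everything else, restrict neither maximum length nor
alphabet), as an added example that is not from this thread or from Hotmail;
the common-password list, the minimum length and the entropy thresholds are
constructed for illustration:

```python
import math
import unicodedata

# Constructed sample of frequently used passwords; a real deployment would
# load a large breach-derived list instead (assumption, not from the thread).
COMMON_PASSWORDS = {"12345678", "password", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8  # the only hard rule: a reasonable minimum length


def estimate_bits(password: str) -> float:
    """Rough strength estimate from the size of the character classes used.

    This only feeds the warning text; a generated password without a digit
    can still be perfectly strong, so it is never used to reject.
    """
    classes = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            classes.add(("upper", 26))
        elif cat == "Ll":
            classes.add(("lower", 26))
        elif cat == "Lo":                 # other letters: runes, CJK, ...
            classes.add(("other_letter", 100))
        elif cat.startswith("N"):
            classes.add(("digit", 10))
        elif cat.startswith("Z"):
            classes.add(("space", 1))
        else:
            classes.add(("symbol", 33))
    pool = sum(size for _, size in classes) or 1
    return len(password) * math.log2(pool)


def evaluate_password(password: str) -> dict:
    """Return {'accepted': bool, 'warnings': [...], 'bits': float}.

    Only a too-short password is rejected. Anything else is accepted, but may
    carry warnings so the user is nudged rather than blocked. No maximum length
    and no character-set restriction are imposed.
    """
    if len(password) < MIN_LENGTH:
        return {"accepted": False, "bits": 0.0,
                "warnings": [f"shorter than {MIN_LENGTH} characters"]}
    warnings = []
    if password.lower() in COMMON_PASSWORDS:
        warnings.append("this is one of the most commonly used passwords")
    bits = estimate_bits(password)
    if bits < 40:
        warnings.append(f"estimated strength is low (~{bits:.0f} bits)")
    return {"accepted": True, "warnings": warnings, "bits": bits}
```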

~~~
hammock
Curious, what is your reasoning behind allowing 123456 in order to keep some
kind of crazy "random generator" purity, but at the same time requiring a
minimum length? Suppose my pw generator randomly generates passwords of
different lengths? It seems to me the same operating principle behind why you
don't want to limit character selection/order applies to string length as
well.

~~~
drdaeman
I thought that a minimum limit's there just to ensure the sanity of a
generator. You can't generally predict how a hash function will behave, but
you can certainly define a minimum output length. What I was thinking about
was that the restrictions are too strict, and there's a gap between what's
secure and what looks secure.

I believed that it's generally expected that a password generator would
produce passwords of a certain minimal length. At least I considered that
nobody would write a generator (intended for real-world usage) that'd
produce, say, a 3-character password for some edge case.

However, you sound reasonable. This leads us right to the extreme case -
should empty passwords be allowed? (Considering that the user will be bugged
like hell before letting him do so.)

I should think more about this.

~~~
tiddchristopher
I remember creating a blank password on Mac OS9 in grade school. It was
clearly a bug that allowed me to do it, because the minimum password length
was set to six characters, if I recall correctly. After I set the null
password, I couldn't change it, but it worked fine for logging into my
account. I was too embarrassed to ask the admin for help, so I was stuck with
no password for about two years.

------
cdcarter
The people I know who use hotmail these days all love it. Unfortunately an
@hotmail.com email address in my field is just instantly regarded as
unprofessional and laughable.

~~~
synnik
Oh, be serious. I still use my @hotmail.com account extensively. I've had it
since before MS bought it, so I think it is more a sign of my longevity online
than anything else. Most professional software engineers that I know feel the
same way. My experience is that people who judge you by your email tend to be
very young and inexperienced software folk.

~~~
carbonx
I'm in the same boat as you as far as how long I've been using hotmail. I've
been migrating more and more to gmail, but I've got that hotmail account tied
to so much shit over the years, I'm not even sure what I'd be losing if I
ditched it completely.

------
planb
> Hotmail will put the account in recovery mode which will cause a password
> reset.

This sounds like it could be easily abused. How will the password reset work
if the hotmail address is the only one a user has? What will he need to do to
reclaim access to his account?

~~~
contextfree
In comments to the original blog post, the PM for this feature mentions that
the "my friend's been hacked" reports aren't enough by themselves to trigger
this; they have to be accompanied by suspicious usage patterns on the alleged
hacked account.

------
mathrawka
I think that this is a great idea, but there will need to be a few things in
place to make it secure enough for use.

- Only friends that communicate "a lot" should be able to report it (and not
repeatedly).

- If the account's password was compromised, then the attacker will enter the
account recovery flow on next login attempt. So the AR flow will need to
ensure that the user is not the attacker (SMS and e-mail that are trusted,
based on age and usage, are pretty good).

But why not just create a system that will alert the user when a successful
login was made from a new device on their account? And include an account lock
link in the e-mail, so they can quickly lock their account from anywhere with
cell phone access.
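
An added example (not from the thread or from Hotmail) of the gating logic
the comment above and contextfree's note describe: reports count only from
contacts with real two-way mail history, one report per person, and even then
a recovery reset is forced only when the account itself shows suspicious
usage, so a few reports alone cannot lock a healthy account out. All
thresholds and the sample mail log are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed thresholds (assumptions for the example, not Hotmail's values).
MIN_MSGS_EACH_WAY = 5               # "communicate a lot": mail in both directions
LOOKBACK = timedelta(days=90)       # history window for judging a relationship
MIN_DISTINCT_REPORTERS = 2          # several independent friends must report
REPORT_WINDOW = timedelta(days=30)  # older reports are ignored


def is_close_contact(reporter, account, mail_log, now):
    """True if reporter and account exchanged enough mail recently, both ways."""
    since = now - LOOKBACK
    sent = Counter((src, dst) for ts, src, dst in mail_log if ts >= since)
    return (sent[(reporter, account)] >= MIN_MSGS_EACH_WAY
            and sent[(account, reporter)] >= MIN_MSGS_EACH_WAY)


def should_enter_recovery(account, reports, mail_log, suspicious, now):
    """Gate 'my friend's been hacked' reports before forcing a password reset.

    reports: (timestamp, reporter) tuples. Repeated reports from one person
    count once, and reports alone never suffice without an anomaly signal on
    the account itself (e.g. a login from a new device or an outbound spike).
    """
    reporters = {r for ts, r in reports
                 if now - ts <= REPORT_WINDOW
                 and is_close_contact(r, account, mail_log, now)}
    return len(reporters) >= MIN_DISTINCT_REPORTERS and suspicious


# Constructed sample data: alice and bob trade mail with 'victim' daily;
# 'stranger' has no real history and tries to report anyway.
NOW = datetime(2011, 7, 16)
MAIL_LOG = []  # (timestamp, sender, recipient)
for d in range(6):
    for friend in ("alice", "bob"):
        MAIL_LOG.append((NOW - timedelta(days=d), friend, "victim"))
        MAIL_LOG.append((NOW - timedelta(days=d), "victim", friend))
MAIL_LOG.append((NOW, "stranger", "victim"))
REPORTS = [(NOW, "alice"), (NOW, "alice"), (NOW, "bob"), (NOW, "stranger")]

if __name__ == "__main__":
    print(should_enter_recovery("victim", REPORTS, MAIL_LOG, True, NOW))   # True
    print(should_enter_recovery("victim", REPORTS, MAIL_LOG, False, NOW))  # False
```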

------
tshtf
I've noticed that Hotmail's spam filtering has improved significantly in the
past year or two (I still have an old Hotmail account). It may be 7 years too
late to compete with gmail for new customers, but it's nice to see these
improvements from Microsoft.

~~~
rodh257
An added benefit of this is Exchange customers can take advantage of what
Microsoft has learnt from filtering Hotmail's spam by using FOPE
(<http://technet.microsoft.com/en-us/forefront/cc540243>) as a cloud-based
spam filter. It's amazing how well it works.

------
citricsquid
Has anyone ever seen Microsoft confirm a problem with Hotmail _itself_ being
"hacked"? I have an account with Hotmail I don't use and haven't done since
2007, I logged in recently to discover it had been sending spam emails. Every
single person I know with an active or inactive Hotmail account has the same
problem.

~~~
dangrossman
I have several old accounts, I just logged into a few and they haven't sent
any mails. I have family that use Hotmail and don't get spam from them either.

Maybe you and your circle all happened to use some of those other big profile
sites (Gawker, Sony, etc.) that have had their e-mails and password lists
stolen...

~~~
citricsquid
Hm, how strange. I've not used the account for anything other than msn, a
google search for it only yields results from 2 forums where I've posted it
(in "add your msn" topics) from ~2006 and the password is what was used for a
variety of other things at the time, none of which were "hacked", so I always
assumed it was the result of an internal Hotmail breach. How strange, maybe it
was just me and my friends then. Confirmation bias at work...

------
benologist
Summary of a summary of
[http://windowsteamblog.com/windows_live/b/windowslive/archiv...](http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/07/14/hey-my-friend-s-account-was-hacked.aspx)

------
rocktronica
Is this a testament to the innovation of the Hotmail team or the non-savvy of
its userbase? Honest question.

~~~
burke
Both, really. It's a sort of clever way to deal with a problem that plagues
non-savvy users.

------
kaiyi
Haven't tried this feature yet, and don't expect to try any time in the future
either. If my friend is hacked and keeps sending me email, I'll just block
that person.

------
Empedocles99
So, they've made it easier for people to launch simple denial of service
attacks on hotmail accounts.

------
funkah
What if you have a contact who has been hacked and uses Hotmail, but you
don't? (This is actually the case for me right now.)

