Skip to Main Content

Is Your Hotmail Password '123456'? Not For Long

Attention Hotmail users: if your Hotmail password is "123456," it won't be for much longer. Microsoft's email service will force strong passwords, and has rolled out a "my friend is hacked!" notification feature.

July 14, 2011

Attention Hotmail users: if your Hotmail password is "123456," it won't be for much longer.

Microsoft said Thursday that the company has added a pair of security features designed to cut down on the number of people whose accounts have been hacked, or who could be compromised in the future. The first, known as "My friend has been hacked!", has already rolled out; the second, a feature to ban common passwords, will arrive soon.

Recognizing that a friend was hacked is something that users can somewhat easily do, but machines may have a more difficult time. Generally, when an account is hijacked, it is either used for spam or to solicit money through a social engineering scheme. A suspicious user may call the friend to double-check. If a hack is discovered, the frind must then begin a process to take back his or her account.

The new program helps prevent that malicious account from poisoning others, and can also help facilitate the takeback process.

"When you report that your friend's account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked," Dick Craddock, the group program manager for Hotmail, wrote in a blog post. "It turns out that the report that comes from you can be one of the strongest 'signals' to the detection engine, since you may be the first to notice the compromise. So, when you help out this way, it makes a big difference!"

If the account is marked as compromised, it is turned off and then must be re-enabled through a complex process. Microsoft also sends notices to other email providers, such as Gmail, to notify them as well.

"We've had this feature turned on for only a few weeks, and we've already identified thousands of customers who have had their accounts hacked and helped those customers reclaim their accounts," Craddock wrote.

A simpler but equally effective method to prevent email account hacking is simply to force users to . A complex password can use non-dictionary words, upper- and lower-case, and non-alphanumberic characters: "%Bo11aHo11a%," for example, versus "123pass". But Hotmail also considers weak passwords to include common phrases, like "gogiants".

Ironically, a Microsoft researcher in 2010 made the case that enabling strong passwords wasn't worth the effort. However, Microsoft has taken a harder-edged approach.

"This new feature will be rolling out soon, and will prevent you from choosing a very common password when you sign up for an account or when you change your password," Craddock wrote. "If you're already using a common password, you may, at some point in the future, be asked to change it to a stronger password."

Hotmail recently .