Slashdot Mirror


Hotmail To Ban Common Passwords

Time and again, when security breaches reveal large numbers of user passwords, analysis shows there are particular passwords commonly used by a significant percentage of the userbase. Now, an anonymous reader tips news that Hotmail is trying to do something about it. "We will now prevent our customers from using one of several common passwords. Having a common password makes your account vulnerable to brute force 'dictionary' attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). ... Common passwords are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants.'" This comes alongside a new feature that lets users send a report indicating a friend has had their account hacked.

11 of 140 comments

  1. 123456 by Anonymous Coward · · Score: 5, Funny

    My luggage! Nooooo

  2. Prediction by Anonymous Coward · · Score: 5, Insightful

    By the time I post this, someone else will already have posted the "combination on my luggage" joke.

    1. Re:Prediction by Toe, The · · Score: 2

      That's horrible security practice!

      What you're supposed to do is write all your passwords on one sheet of paper, clearly indicating which one is for what login. Then write the word PASSWORDS at the top in big letters and post it on the wall of your cubicle.

      (Sadly, I really have seen this.)

    2. Re:Prediction by ZorinLynx · · Score: 3, Interesting

      The funny thing is that in today's highly connected world, it's probably safer to write down your complex password at home than to use a simple one you can remember and don't need to write down.

      A written-down password on a post-it note can only be read by those who have physical access. So if someone cracks your account due to it, it will likely be someone you know, such as family or a visitor. Whereas a simple password you remember can be guessed by anyone on the Internet.

      Which is more likely to be compromised? If you trust those you allow into your home, it's more likely to be the simple password.

  3. Re:fix brute force attack by supernatendo · · Score: 2

    Because when, not if, Hotmail servers are compromised either externally or internally and the account hashes are collected in bulk, one can brute force the hashes all day long, since nothing can detect failed attempts once you're just running hashes against a text file.

  4. Re:fix brute force attack by magarity · · Score: 2

    That only works when trying to hack a particular account. If you want to send spam to everyone in some random account's contact list, you don't care whose contact list. So if you know some percentage of the accounts use the same thing for their password, that's a lot of contact lists, mission successful at only one password attempt per account.

  5. Good idea to ban common passwords by gurps_npc · · Score: 2

    Far better than simply outlawing "you can't use your username as your password". Same goes for the silly "can't use the last password as your current one". I never understood the reasoning behind the time-based password change. No one expects people to get a new key every six months for their home lock. No one expects someone to get a new ATM card every 6 months. Good passwords are worth keeping for years - as long as they actually are a good password. Are you supposed to be worried that you have given out your old password and forgotten about doing it? You can't stop an idiot from giving away his password. But you don't have to screw it up for the rest of us to help out the idiot.

    --
    excitingthingstodo.blogspot.com

  6. Re:What if by Toe, The · · Score: 2

    You can create a 100% secure password:
    il0v3c4ts

    I use this technique all the time. Usually I just use the name of the service, like bankofamerica, and change Es to 3s, etc. Do you get it? An E and a 3 look kinda the same... but backwards!!! Brilliant!

    This is totally bulletproof. No hackers have ever heard of this amazing technique. Everyone should use it.
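A denylist check of the kind the summary describes, extended to catch the leet-speak variants the comment above jokes about (il0v3c4ts, a service name with Es turned into 3s). This is an added example in Python, not Hotmail's code; the denylist, the leet mapping and the hotmail/bankofamerica service names are constructed stand-ins for whatever list Hotmail actually uses.

```python
import re

# Constructed sample denylist; the article quotes only a handful of Hotmail's entries.
COMMON_PASSWORDS = {"password", "123456", "ilovecats", "gogiants", "qwerty", "letmein"}

# Undo the usual letter-for-digit/symbol swaps so "il0v3c4ts" compares as "ilovecats".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password: str) -> set:
    """Forms to compare against the denylist: lower-cased as typed, leet-decoded,
    and leet-decoded after dropping a trailing digit/symbol suffix ("Password1!").
    Both decoded forms are kept because a trailing digit may itself be a leet
    letter ("b4nk0f4m3r1c4" ends in an 'a')."""
    raw = password.lower()
    core = re.sub(r"[^a-z]+$", "", raw)
    return {raw, raw.translate(LEET_MAP), core.translate(LEET_MAP)} - {""}


def is_banned(password: str, denylist=COMMON_PASSWORDS,
              service: str = "hotmail", username: str = None):
    """Return a rejection reason, or None if the password passes the policy.

    Rejects (1) any form of the password on the common-password list and
    (2) passwords that embed the service name or the user's own login name
    (the "bankofamerica with 3s for Es" trick from the comment above)."""
    forms = candidates(password)
    hit = forms & set(denylist)
    if hit:
        return f"common password ({sorted(hit)[0]!r})"
    for label, token in (("service name", service), ("username", username)):
        t = token.lower() if token else ""
        if len(t) >= 4 and any(t in form for form in forms):
            return f"contains {label}"
    return None


if __name__ == "__main__":
    for pw in ("123456", "il0v3c4ts", "Password1!", "hotmail2011",
               "correcthorsebatterystaple"):
        print(f"{pw!r:30} -> {is_banned(pw)}")
```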

  7. Re:Password Encrypted? by Ferzerp · · Score: 2

    Not if properly salted it will not.

  8. This is intolerable. by Estanislao Martínez · · Score: 2

    I'm sick of having to remember so many complicated passwords. Now that Hotmail is going to force me to change my password to something I can't remember, I'm just going to have to migrate to another email company. Hopefully I can get the same user name part as I have now (ron_damon).

  9. My Password Won't be Blocked Under That Rule! by Pauldow · · Score: 3, Funny

    I've been using 8 asterisks for passwords so I can see what I'm typing.