The problem with weak passwords and hijacked Hotmail: 'My friend's been hacked!'

My friend's been hacked! Humor from Microsoft? Hotmail is rolling out security features to disallow vulnerable passwords and cut down on hijacked email accounts. A software architect analyzed why and how people choose weak passwords, and concluded that the only safe password is one you can't remember.

When you think of Microsoft, most folks don't think "sense of humor." Yet the engineers behind Hotmail have combined a bit of humor with security by adding a Mark As drop-down option of "My friend's been hacked!"

Perhaps because a "ha-ha" was an unexpected move from Microsoft, there was some confusion back in June: some Hotmail users posted on forums to find out whether their email account had been hacked, or whether the option was legitimate for an account that had not been compromised. Previously the Mark As option had been "Phishing Scam." Somewhat amused at the time, I asked Microsoft if Hotmail developers had hidden any other funny "Easter Eggs," but sadly, those creative programmers had not been set loose to add more little funnies.

The menu has since been improved slightly to avoid confusing Hotmail users: it now offers both "My friend's been hacked!" and "Phishing scam."

There's nothing funny about having an account hijacked, but it happens all the time. Once a hijacker takes control of a person's email account, the victim's friends are usually the first to know, because they start receiving spam or phishing email from it. Dick Craddock, Group Program Manager for Hotmail, explained that this is why the feature was added. You can also report "I think this person was hacked!" when marking a message as "junk."

Craddock said within only a few weeks after the option was turned on, "we've already identified thousands of customers who have had their accounts hacked and helped those customers reclaim their accounts. And we've found it to be very effective and fast. Accounts that you report as compromised are typically returned to the rightful owner within a day."

Weak passwords are the primary cause of most hijacked accounts, so Hotmail intends to block common passwords that are vulnerable to brute-force "dictionary" attacks. As Craddock pointed out, however, it takes no brute force at all to guess a common password like "123456": an attacker simply tries the handful of passwords that people pick most often.

In an extremely interesting post, software architect and Microsoft MVP Troy Hunt wrote about "The science of password selection." Hunt analyzed passwords from the Sony and Gawker breaches as well as "LulzSec releases including pron.com and a collection of their random logins." He compared them against three sets of source data that users tend to fall back on because they are easy to remember: a list of 26,000 common first and last names; 32,000 place names such as towns, states and countries; and 190,000 words found in the English dictionary.

14% of passwords in those breaches were derived from a person's name. Hunt broke that group down further: 55% of name-based passwords were just the name, 42% included a number, 3% were names spelled in reverse with no numbers or symbols, and only 0.4% combined a name with symbols.

8% of all passwords that Hunt analyzed were based on a place name. 64% of those were the place name on its own, while 34% included numbers. 1.6% of place-name passwords were spelled in reverse and only 0.3% included symbols.

Dictionary words, the same words an attacker feeds into a brute-force dictionary attack, were "by far and away the most popular source of password inspiration," Hunt wrote. 25% of passwords in recent breaches were derived directly from dictionary words. Hunt's fascinating breakdown of the data also looked into the addition of numbers, symbols, keyboard patterns, doubled words, short phrases, passwords related to the site they're used on, and even passwords found within the user's own email address. You should check out all his graphs.

Hunt summarized:

  1. Passwords are inspired by words of personal significance or other memorable patterns.
  2. Attempts to obfuscate or strengthen passwords usually follow predictable patterns.
  3. Truly random passwords are all but non-existent - they're less than 1% of the data set.
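The classification Hunt describes above, as an added example that is not Hunt's code and not anything Hotmail ships: each password is reduced to its alphabetic core, matched against name, place and dictionary lists, and tagged with the obfuscation pattern (plain, with digits, with symbols, or reversed) that Hunt reported percentages for. The three wordlists, the blocklist standing in for Hotmail's planned "common password" rejection, and the sample passwords are all tiny constructed stand-ins, not the 26,000/32,000/190,000-entry lists or any breach data.

```python
"""Classify passwords by likely source and obfuscation pattern.

Added example following the categories in Troy Hunt's analysis.
All lists below are constructed stand-ins (assumption), not real data.
"""
import re
import string

# Constructed miniature source lists (assumption: stand-ins for the real
# 26,000-name, 32,000-place and 190,000-word lists the article mentions).
NAMES = {"michael", "jessica", "thomas", "sarah"}
PLACES = {"london", "texas", "canada", "paris"}
DICTIONARY = {"password", "monkey", "dragon", "sunshine", "letmein"}

# Constructed blocklist in the spirit of Hotmail's plan to refuse the
# passwords that need no brute force to guess (assumption: not Hotmail's list).
COMMON_BLOCKLIST = {"123456", "password", "qwerty", "abc123", "letmein"}

# Constructed sample "breach" passwords (assumption: made up for the example).
SAMPLE_PASSWORDS = [
    "michael", "jessica1", "leahcim", "sarah!",       # name-derived
    "london", "texas99", "sirap",                     # place-derived
    "password", "monkey123", "dragon!",               # dictionary-derived
    "123456", "qwerty", "Xk9#qLp2vT",                 # other: pattern / random
]

SOURCES = [("name", NAMES), ("place", PLACES), ("dictionary", DICTIONARY)]


def _strip_decoration(pw):
    """Return the lowercase alphabetic core plus flags for digits and symbols."""
    core = re.sub(r"[^a-z]", "", pw.lower())
    has_digits = any(c.isdigit() for c in pw)
    has_symbols = any(c in string.punctuation for c in pw)
    return core, has_digits, has_symbols


def classify(pw):
    """Return (source, pattern) for a password.

    source  is 'name', 'place', 'dictionary' or 'other'.
    pattern is 'plain', 'word+digits', 'word+symbols' or 'reversed',
    mirroring the breakdown Hunt reported per source category.
    A reversed word only counts when no digits or symbols were added.
    """
    core, has_digits, has_symbols = _strip_decoration(pw)
    for label, wordlist in SOURCES:
        if core in wordlist:
            if has_symbols:
                return label, "word+symbols"
            if has_digits:
                return label, "word+digits"
            return label, "plain"
        if core[::-1] in wordlist and not has_digits and not has_symbols:
            return label, "reversed"
    return "other", "unclassified"


def tally(passwords):
    """Count how many passwords fall into each source category."""
    counts = {"name": 0, "place": 0, "dictionary": 0, "other": 0}
    for pw in passwords:
        counts[classify(pw)[0]] += 1
    return counts


def is_blocked(pw):
    """Hotmail-style check: refuse a password that is on the common list."""
    return pw.lower() in COMMON_BLOCKLIST


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw:12} {classify(pw)}  blocked={is_blocked(pw)}")
    print(tally(SAMPLE_PASSWORDS))
```

The real analysis needs much larger wordlists and the extra categories Hunt tracked (keyboard patterns, doubled words, site names), but the shape is the same: strip the decoration, look the core up, and record what was bolted on. Note that the blocklist check is case-insensitive but otherwise exact, which is why "qwerty" is refused while "qwerty1" would slip through; a production filter would apply the same core-stripping before the lookup.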

Having shown how people currently choose their passwords, and endorsing the new Hotmail requirements that will actively disallow vulnerable ones, Hunt asked how people should be choosing their passwords. "The answer to this is simple," Hunt wrote. "The only secure password is the one you can't remember."


Follow me on Twitter @PrivacyFanatic
