Hotmail puts a block on flimsy passwords

Microsoft will prevent people who sign up for Hotmail from using passwords such as '123456' and 'ilovecats' to try to stop spammers and phishers from hijacking accounts
Written by Tom Espiner, Contributor

Hotmail is banning passwords such as 'password', '123456', 'ilovecats' and 'gogiants', in an attempt to make it harder for spammers to hijack users' email accounts.

People who sign up for the web email service will be prevented from using a password typically used by millions of others, Microsoft said in a blog post on Thursday.

"This new feature will be rolling out soon, and will prevent you from choosing a very common password when you sign up for an account or when you change your password," wrote Dick Craddock, group program manager for Hotmail. "If you're already using a common password, you may, at some point in the future, be asked to change it to a stronger password."

Hotmail subscribers already using one of the banned passwords may be asked to choose one that is harder for spammers and phishing gangs to guess in a brute force dictionary attack, Craddock added.

Graham Cluley, senior technology consultant at Sophos, said people often use the first word that comes to mind, such as the brand of monitor they use, when prompted for a new password.

"There are thousands of commonly used passwords, which hackers are aware of," Cluley told ZDNet UK. "If everyone can use the word 'password', then [account security] is as thin as tissue paper."

People often reuse passwords across accounts, so if the password gets exposed, hackers can use it elsewhere, he noted.

'My friend's been hacked'

As part of its push to protect Hotmail accounts, Microsoft is also introducing a feature for people to tell the company if they suspect an email account has been compromised. Users are given the option to mark a message with a 'My friend's been hacked' label, or they can mark a message with 'I think this person was hacked' when moving it to junk mail.

The software maker has received thousands of reports of possibly compromised accounts since it started to use the technology a "few weeks" ago, according to Craddock.

"When you report that your friend's account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked," he said. "It turns out that the report that comes from you can be one of the strongest 'signals' to the detection engine, since you may be the first to notice the compromise."

Microsoft uses a 'compromise detection engine' in its anti-spam technology similar to the software used by banks to detect anomalous use of payment cards. Reports from 'friends' rank highly in marking an account as sending spam, according to Craddock.

Yahoo and Google have signed up to receive reports of suspected spam to Yahoo and Gmail from Hotmail users, said Microsoft.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Editorial standards