Communications Microsoft

Hotmail To Ban Common Passwords 140

Posted by Soulskill
from the 123456-iloveyou-letmein-$catname dept.
Time and again, when security breaches reveal large numbers of user passwords, analysis shows there are particular passwords commonly used by a significant percentage of the userbase. Now, an anonymous reader tips news that Hotmail is trying to do something about it. "We will now prevent our customers from using one of several common passwords. Having a common password makes your account vulnerable to brute force 'dictionary' attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). ... Common passwords are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants.'" This comes alongside a new feature that lets users send a report indicating a friend has had their account hacked.

  • 123456 (Score:5, Funny)

    by Anonymous Coward on Friday July 15, 2011 @02:37PM (#36778396)

    My luggage! Nooooo

  • Prediction (Score:5, Insightful)

    by Anonymous Coward on Friday July 15, 2011 @02:38PM (#36778402)
    By the time I post this, someone else will already have posted the "combination on my luggage" joke.
    • 3M's Post-It note division sales will increase, due to users writing down their passwords and storing them under their keyboards.
      • Sales will increase significantly for laptop users... as will a trail of sticky notes on every surface where they have placed their laptop.

      • by Toe, The (545098)

        That's horrible security practice!

        What you're supposed to do is write all your passwords on one sheet of paper, clearly indicating which one is for what login. Then write the word PASSWORDS at the top in big letters and post it on the wall of your cubicle.

        (Sadly, I really have seen this.)

        • That's horrible security practice!

          What you're supposed to do is write all your passwords on one sheet of paper, clearly indicating which one is for what login. Then write the word PASSWORDS at the top in big letters and post it on the wall of your cubicle.

          (Sadly, I really have seen this.)

          I remember that scene too. The password for this month is "pencil".

      • Re:Prediction (Score:4, Interesting)

        by ZorinLynx (31751) on Friday July 15, 2011 @08:10PM (#36781760) Homepage

        The funny thing is that in today's highly connected world, it's probably safer to write down your complex password at home than to use a simple one you can remember and don't need to write down.

        A written-down password on a post-it note can only be read by those who have physical access. So if someone cracks your account due to it, it will likely be someone you know, such as family or a visitor. Whereas a simple password you remember can be guessed by anyone on the Internet.

        Which is more likely to be compromised? If you trust those you allow into your home, it's more likely to be the simple password.

    • Gee, did you just now spot the pattern after 15 years of sharks with frickin laser beams jokes?

    • by travdaddy (527149)
      How about "Baloney1? That's your password?"
      "Well, used to be just baloney, but now they make you add number."
  • by Anonymous Coward

    That Hotmail still exists.

    • by Anonymous Coward

      Meh. I never saw the appeal of hotmail. I'm still using excite.com *pulls up onion belt*

    • by robogun (466062)

      I haven't checked it in a while since it doesn't render in Seamonkey (malformed XML error). Half the time it won't render in Firefox as they get cute with the MS only code. There are probably 2,500 unread spams in my account by now.

  • Oh man, I can't WAIT for the new millennium!

  • What if you really love cats?

    • well, you just have to check and see if "ireallylovecats" is on the blacklist. If it is, try "ireallyreallylovecats." Rinse and repeat (not the cats).

    • What if you really love cats?

      Oh please, no one loves cats more than this girl

      http://youtu.be/mTTwcCVajAc [youtu.be]

    • by Toe, The (545098)

      You can create a 100% secure password:
      il0v3c4ts

      I use this technique all the time. Usually I just use the name of the service, like bankofamerica, and change Es to 3s, etc. Do you get it? An E and a 3 look kinda the same... but backwards!!! Brilliant!

      This is totally bulletproof. No hackers have ever heard of this amazing technique. Everyone should use it.

      • It's a heck of an improvement over lowercase alpha-only passwords.

      • Given the hash in a common format, applications like L0phtCrack could take this out in about 20 minutes or less... We won't even start with how fast rainbow tables or brute force could whip through it at a length of only 9 characters and only using alpha-numerics.

        There is even a specific option to slightly increase the cracking time by checking for letter - number - symbol substitution which it will do before attempting brute force checking.

        Not really any more secure at all. Sorry. I used to use L0pht on a
        • Ok, I give myself the "whoosh" of the day award. Carry on...
        • by berzerke (319205)

          Sure, with the hashes you can break the passwords quickly, but that requires you first have the hashes. Now think about attacking over the web and brute forcing it. Let's assume they're brain dead and allow you to try all day long. How fast can you try passwords? Remember, you have to consider not only your connection speed, but their speed and the rate their server can answer.

          I recently tested hydra on a full duplex 100Mbit network with just two computers on it, one being an ssh server and the other the atta

    • they'll just add another word to it. such as ilovelasercats

  • Won't this just lead to new commonly used passwords while at the same time reducing the number of overall passwords possible? I would think they would need to regularly study what becomes common and ban those while unbanning old common passwords.
    • No. Occasionally new common passwords will pop up (perhaps "googleplus" on Google+ for example) and they'll ban it, but in general this action will force people to invent new passwords. The use of creativity will result in a broader set of passwords, not a different narrow set. As well, this is trivially automated. No need to do studies and manually ban.
    • by T_Tauri (883646)
      Hopefully pretty soon we will move away from using passwords to something else like one of those RSA key fobs and OpenID. Then people can remember a single password which combined with the dual factor makes a very strong proof of identity. OpenID gives you the same login everywhere which removes the other issue with secure passwords and trying to remember all of them. After all, it's better to trust a company that bases its business on dual factor authentication than a pile of post-it notes stuck to your m
    • I've always wondered whether a system that compares your hash to a hashdb and rejects it if there's more than a certain percentage of matches would be a good idea.

      This obviously wouldn't work for small populations, as the system could itself be used to identify passwords within the system... but for something the size of Hotmail's DB, it could work; especially if the feedback was a simple "you cannot use this password. Try again" for all collisions and blacklisted passwords.

      The system could even prompt use

  • Why not limit the number of password tries in a given time unit?

    • Because when, not if, Hotmail servers are compromised either externally or internally and the account hashes are collected in bulk, one can brute force the hashes all day long since nothing can detect failed attempts once you're just running hashes against a text file.
    • by magarity (164372)

      That only works when trying to hack a particular account. If you want to send spam to everyone in some random account's contact list, you don't care whose contact list. So if you know some percentage of the accounts use the same thing for their password, that's a lot of contact lists, mission successful at only one password attempt per account.
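
An added illustration of the point made in this sub-thread (it is not part of any comment): a per-account failure limit never trips when each account sees a single bad attempt, while counting distinct accounts per source does flag the pattern. The log format, addresses, user names and thresholds below are constructed for the example, and the sample is treated as one time window.

```python
import re
from collections import defaultdict

# Constructed sample auth log; the line format is an assumption of this example.
SAMPLE_LOG = """\
2011-07-15T14:00:01 FAIL user=alice src=198.51.100.7
2011-07-15T14:00:02 FAIL user=bob src=198.51.100.7
2011-07-15T14:00:03 FAIL user=carol src=198.51.100.7
2011-07-15T14:00:04 FAIL user=dave src=198.51.100.7
2011-07-15T14:00:05 FAIL user=erin src=198.51.100.7
2011-07-15T14:00:06 FAIL user=frank src=198.51.100.7
2011-07-15T14:01:10 FAIL user=bob src=203.0.113.9
2011-07-15T14:01:11 FAIL user=bob src=203.0.113.9
2011-07-15T14:01:12 FAIL user=bob src=203.0.113.9
2011-07-15T14:01:13 FAIL user=bob src=203.0.113.9
2011-07-15T14:01:14 FAIL user=bob src=203.0.113.9
2011-07-15T14:02:00 OK user=alice src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log):
    """Turn log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append({"ts": ts, "ok": result == "OK", "user": user, "src": src})
    return events


def locked_accounts(events, max_failures=5):
    """Per-account throttle: accounts with at least max_failures failed logins."""
    failures = defaultdict(int)
    for e in events:
        if not e["ok"]:
            failures[e["user"]] += 1
    return {user for user, n in failures.items() if n >= max_failures}


def attempts_per_account(events, src):
    """How many failed attempts one source made against each account."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"] and e["src"] == src:
            counts[e["user"]] += 1
    return dict(counts)


def spraying_sources(events, min_accounts=5):
    """Sources whose failed logins span at least min_accounts distinct accounts."""
    targets = defaultdict(set)
    for e in events:
        if not e["ok"]:
            targets[e["src"]].add(e["user"])
    return {src: len(users) for src, users in targets.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("locked by per-account limit:", locked_accounts(events))
    print("flagged by distinct-account count:", spraying_sources(events))
```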

  • I thought those passwords are encrypted, so how do they get the list of those common password? And isn't `recover your password` questions are common/flawed as having password in place?
    • I thought those passwords are encrypted, so how do they get the list of those common password?

      Common password lists do exist, this has been studied to death. I would imagine that the password is compared with a list that exists on the server before it is encrypted.

    • by pe1chl (90186)

      Whenever you type your password on the login form, it is available to them in plain text.
      (of course it is transmitted encrypted over the internet, but then it is decrypted by their server)
      If you are lucky they don't store your password in their database in plaintext, but each time you log in they have the opportunity to lookup your password in their insecure password list before encrypting it again to compare it with their database entry.

      • by bberens (965711)

        If you are lucky they don't store your password in their database in plaintext

        If you're really lucky they run your password through a one-way hash and store *that* into the database. Then, theoretically, anyone who gets access to your hash can come up with a password that will get them into the compromised system.. that is a password that happens to have the same hash, but not necessarily your actual password.

    • by magarity (164372)

      Yes but if several accounts all use the same password they all hash to the same value. If an administrator puts password 123456 into a known account and looks up the hashed password for that account, it's easy to then search for that hash among all accounts.

      • Yes, I assume they can sort by hashed password, and actually my question is how they ended up with "common password" if Hotmail encrypted the password. If there is a decrypt function, then I am curious how secure it is being hosted.

        And I suppose they are here to study the pattern, which included related passwords, eg. 123456 qualify as linear f(x) = x, therefore 1234567 will also be categorized as the same thing for study, no?
        If I am a hacker, I am interested in the pattern more than just common passwords,

        • They are using passwords from other sites. Sites that didn't do their security correctly and stored passwords as plain text. The sample size of these exposed sites is large enough that they know what Americans currently choose as common passwords.
      • by Ferzerp (83619)

        Not if properly salted it will not.

        • by magarity (164372)

          Not if properly salted it will not.

          It should be obvious that this isn't the case or this analysis would be impossible.

        • Microsoft has the salt, so they will be able to check certain passwords. Hash 123456, salt it, compare with the table.

          The point of salt isn't to make the hashes impossible to do lookups on (otherwise you couldn't do logins), it's to make existing rainbow tables worthless.

          • by vux984 (928602)

            Microsoft has the salt, so they will be able to check certain passwords. Hash 123456, salt it, compare with the table.

            But the salt isn't necessarily the same for every login.

            Many login systems create random salt for EACH account, and store it with the hash.

            The point of salt isn't to make the hashes impossible to do lookups on (otherwise you couldn't do logins),

            Of course.

            it's to make existing rainbow tables worthless.

            If your login database is stolen, and you use the same salt for each account, then it's a fairl

            • by Sheepy (78169)

              Many login systems create random salt for EACH account, and store it with the hash.

              This is one reason why unique salt for each account is preferable.

              It's better to generate a new salt for each password; i.e., a new salt should be generated whenever a password is modified. That way it is pointless to generate rainbow tables for a chosen account.

          • by Ferzerp (83619)

            Yes, but all the proposed things I was replying to were rainbow table type analyses.

            It's computationally cheap to compare a hash to a database of a few million hashes. It's much more difficult (not hard, but slow enough that it couldn't be used as an ad-hoc password rejector) to compare all passwords when a properly slow hashing algorithm with a unique salt per account is used.
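
An added illustration of the exchange above about hashes, salts and blacklists (it is not part of any comment and is not Hotmail's code): the common-password check runs on the plaintext at password-set time, before hashing, and a per-account salt with a slow hash means equal passwords no longer produce equal stored values. The blacklist contents, the substitution table and the PBKDF2 work factor are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample blacklist; a real list would be far larger.
COMMON_PASSWORDS = {"123456", "password", "ilovecats", "gogiants", "letmein", "iloveyou"}

# Undo the character swaps joked about in the thread (3 -> e, 0 -> o, ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a"})

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def is_banned(password):
    """Blacklist check on the plaintext, as typed and with substitutions undone."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or lowered.translate(LEET) in COMMON_PASSWORDS


def unsalted_hash(password):
    """Fast unsalted hash: equal passwords give equal values (the weak scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password):
    """Slow hash with a fresh random salt; returns (salt, digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def set_password(password):
    """Reject common passwords while the plaintext is available, then store salt + hash."""
    if is_banned(password):
        raise ValueError("password is too common")
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest}


def verify(password, record):
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def duplicate_groups(stored_values):
    """Stored values shared by more than one account, with their counts."""
    return {v: n for v, n in Counter(stored_values).items() if n > 1}


if __name__ == "__main__":
    chosen = ["123456", "hunter2x", "123456"]  # constructed sample passwords
    print("unsalted duplicates:", duplicate_groups([unsalted_hash(p) for p in chosen]))
    print("salted duplicates:", duplicate_groups([hash_password(p)[1] for p in chosen]))
    for candidate in ["il0v3c4ts", "Passw0rd", "prpl=rckt*grnt"]:
        print(candidate, "banned" if is_banned(candidate) else "accepted")
```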

  • This is something that public access UNIX systems and universities with a ton of students learned ages ago, when all it took was a guy running Crack on /etc/passwd (before passwords were shadowed.)

    Most operating systems have a small dictionary they check against so people using "12345" for something other than their luggage will be stopped immediately.

    History just repeats itself... websites are now learning what operating system makers learned in the early 1990s -- keep the passwords well encrypted, and dis

    • Therefore, keygen for SSH is OpenID?
    • by toejam13 (958243)

      Hotmail could go one step further. As opposed to just checking against a blacklist of common passwords, they could use a whitelist of acceptable password types. Must be 8 or more characters in length, must be mixed case and must contain one or more digits. Then you run that against the blacklist to weed out people picking "Passw0rd" or "t1nkerB3ll".

      • by Pope (17780)
        Yep, do both: blacklist the "bad" passwords, and add a strength requirement. Hell, all online services should have been doing this for YEARS already.
        • by mlts (1038732) *

          The reason online services have not bothered is because until now, it really didn't matter. Having security is expensive, and the PHBs believe anything security related has no ROI, so it doesn't get done.

          Now that attackers have snarfed password databases and made them public, online services are starting to actually bother with some security such as using salts and hashing passwords, enforcing basic password measures, and adding anti-brute force attack provisions, such as locking out IPs, tarpitting (where

  • What I find disturbing with features like this, is how the service (be it hotmail, linkedin, facebook, whatever) always assumes that when you receive crap from one of their users and want to report it so something is done about it, you also have an account yourself.
    I want to be able to report that I receive spam from one of their users WITHOUT having to create an account on their system.
    So the "my friend has been hacked" report should not be only in their mail user interface, but also in some publicly acces

    • by PickyH3D (680158)

      I want to be able to report that I receive spam from one of their users WITHOUT having to create an account on their system.

      The principle of the idea is sound, but the implications of them being--ironically--spammed to hide real problems is probably not appealing to them.

      I believe quite a number of them is not hacked by bruteforcing the password

      This is almost certainly true, but the features simply came out at the same time due to their relationship, and having your password brute forced is not a requiremen

  • by gurps_npc (621217) on Friday July 15, 2011 @03:20PM (#36778968) Homepage
    Far better than simply outlawing "you can't use your username as your password" Same goes for the silly "can't use the last password as your current one". I never understood the reasoning behind the time based password change. No one expects people to get a new key every six months for their home lock. No one expects someone to get a new ATM card every 6 months. Good passwords are worth keeping for years - as long as they actually are a good password. Are you supposed to be worried that you have given out your old password and forgotten about doing it? You can't stop an idiot from giving away his password. But you don't have to screw it up for the rest of us to help out the idiot.
    • I agree with ATM card or physical key, since you are aware of these things being taken away.
      However, password can be different. You never know MITM attack.

      I really hate changing my password every 6 months (my company policy is every 30 days, 15 different passwords). And the only way to remember my password to start my workstation is to have a pattern (sigh, add a different number once in a while), which is not very secure, I believe.

      • by JetScootr (319545)
        try this: use several unrelated dictionary words, strip the vowels, and make it look like math: prpl=rckt*grnt (purple = rocket * granite) or some similar small set of rules. passwords are secure, you only have to remember three words, and once you've memorized the simple rules, you can even write down the three words without compromising the real password. You also get longer passwords (14 chars is current recommendation).
      • by gurps_npc (621217)
        As I said above (in response to another poster), this means that when you log in, it should show you when you last logged in and how many attempts were made over the past day/week.

        Your argument is to alert the owner, not to force the owner to do more make-work.

    • by simishag (744368)

      I never understood the reasoning behind the time based password change. No one expects people to get a new key every six months for their home lock. No one expects someone to get a new ATM card every 6 months.

      Physical tokens like keys don't require such frequent replacement because (in general) they are difficult to compromise without alerting the holder. Someone has to actually steal your key and take it to the hardware store without you noticing. Passwords, on the other hand, can be shoulder surfed, socially engineered, stolen with malware, stored in plain text in the database, shared with someone else, etc., and the user may have no clue his password is compromised. Also, if someone steals your key and robs

      • by gurps_npc (621217)
        As I said above (in response to another poster), this means that when you log in, it should show you when you last logged in and how many times over the past day/week.

        Your argument is to alert the owner, not to force the owner to do more make-work.

        • by simishag (744368)
          Only the most paranoid can remember if they last logged in at 8:15 or 8:25. It's not a credible method of deterring casual logins when the attacker already has the login info. Also, some form factors don't provide a simple means of returning additional information upon a successful login. Think of a Web service where the username and password are included in the request. You'll get a success or failure response and that's it. Even if the service returns more detail, there isn't always a sensible way to aler
    • People seldom try to open your locks without you finding out. And when they do manage to open a lock, you likely will change it pretty promptly.

      People may try to crack your password quite often without you finding out. And when they do manage to crack your password, you still don't always find out.

      • by gurps_npc (621217)
        You have a good argument ....

        for listing how many times in the past 24 hours someone tried to log in.

        You have a crappy argument for requiring people to change their password.

        Design the system around human limitations, don't force humans to do work that a computer does better.

  • Personally I think it's a good idea. I'm glad Hotmail is implementing this feature. I think it makes the internet as a whole a safer place. What's different about this is that most security advances center around the system; this centers around the fact that Hotmail is a small part of their users lives. This doesn't make Hotmail less hackable in any way, but it does (or is at least trying to) protect the user from having their reputation (is spam being sent from this account) hijacked when another service g
  • Won't this just cause new common passwords to arise?
    • That's possible.

      Any dictionary of "common passwords" is going to have to be adaptive.

      But the thing is, if you look at lists of common passwords, and of how many accounts can be compromised by them, the really common ones are really common.

      Hotmail have taken a long-overdue step here. I'd love to see all major online service providers follow suit, though if we could just get major email providers (Google, Hotmail, Apple, Yahoo, AOL), and Facebook (used for single sign-on), we'd be ahead of the game.

      Th

  • Approx 20 years ago I wrote code for a system at work to do this, list was 100's of possible, including acronyms from work, userids and real names, stupid stuff like variations of 'password', etc. We had to do it cuz the customer (nasa) considered it "old hat, everyone else is doing this, why aren't we?"
  • by Gripp (1969738)
    I can't imagine that the "my friend has been hacked" button will last. I would imagine that the hackers would want to flood that button to obscure the real attacks. and it wouldn't be that hard to script....
  • I'm sick of having to remember so many complicated passwords. Now that Hotmail is going to force me to change my password to something I can't remember, I'm just going to have to migrate to another email company. Hopefully I can get the same user name part as I have now (ron_damon).
  • by Pauldow (1860502) on Friday July 15, 2011 @06:25PM (#36780880)

    I've been using 8 asterisks for passwords so I can see what I'm typing.

  • I'd considered this sort of thing a while back -- there's really no need to use a set list of passwords.

    Assuming that the passwords are being hashed, you can have a lookup table where you store:
    (Password hash) + (Current # of accounts using that hash)

    By setting a threshold for the ratio of (Current # of accounts using a hash) to (Total # of accounts), you can reasonably control the average entropy of passwords in the system.

    For example, if you have 100,000 users in a system and set a threshold of 2%, the sy

  • People need to use the browser's password manager to avoid remembering or entering any passwords. There is no reason to keep it in your head when your computer is perfectly capable of doing it.

    The problem with the current implementation is that you still have to enter the master password every time you start the browser, which leads most people to just not set one, which leads to the passwords being stored on the disk unencrypted and easily stolen.

    The solution we need is to integrate authentication for the

    • by Red_Chaos1 (95148)

      As I noted above, the flaw in this is that not all sites use login fields that Firefox can capture. Imageshack is but one example of such a site.

    • by ghyspran (971653)

      You get that automatically if you have home directory encryption enabled, which both Ubuntu and OSX support out of the box in the install process. Then it doesn't matter what is stored on your disk in plaintext because it all gets automatically encrypted and decrypted when you log out.

      • by Chemisor (97276)

        You get that automatically if you have home directory encryption enabled

        No, you don't. While you are logged in, your password file will be decrypted and visible to anybody who wants to read it, like a malware app. Home directory encryption is there to protect against offline attacks only, when your hard drives are stolen. To protect against malware running as you the password file must not be accessible to you.

    • People need to use the browser's password manager to avoid remembering or entering any passwords. There is no reason to keep it in your head when your computer is perfectly capable of doing it.

      The problem with the current implementation is that you still have to enter the master password every time you start the browser, which leads most people to just not set one, which leads to the passwords being stored on the disk unencrypted and easily stolen.

      The solution we need is to integrate authentication for the password manager with the login process. Store the passwords in an encrypted file, with the account password as the key. A password daemon, like ssh-agent, running as root can securely load and decrypt your password file at login time. It will remain inaccessible except through a specific interface. The interface can authenticate the calling application by using socket credentials passing and allow the user to explicitly let the firefox password manager (which will have to be a separate process and executable for this purpose) access the passwords.

      This way the passwords are not accessible to any remote threat and are encrypted on disk to thwart any local threats. The user never has to enter any passwords except at login. Convenience and security.

      They already have this - it's called Keychain on Mac OS X

  • ...we should add basic security to the curriculum at schools? I'm sure I'll be parroting what others have said already, but all password systems need to allow letters (case mattering), numbers, and special characters. Further I think they should require them. Length limits are good, and 8 is a decent starting point. Obvious passwords should be blacklisted as being done here. Perhaps implement a check against other user info like birth-date and such to refuse passwords involving 2 and 4 year birth year date

  • Probably overlaps with:
    Twitter's List Of 370 Banned Passwords
    http://www.businessinsider.com/twitters-list-of-370-banned-passwords-2009-12 [businessinsider.com]

    Anyone have the actual Hotmail list?

  • For every rule one adds to the creation of passwords one decreases the number of possibilities. For example, if an 8 character password that must be letters and numbers you are removing 52^8 all character words and 10^8 all digit words. As the number of rules get larger the number of possibilities get smaller. I agree there should be a short list of banned passwords but if the list is too big it just helps cracking.

  • You assume incorrectly that the user cares about the security of his account always.

    I myself create occasionally accounts that I really don't care about them, I just need them for temporary means. In such use cases, a thousand rules and fields to fill are just pointless. And BTW, I always thought the "mystery question/answer" was the most stupid security measure ever invented, even for my main accounts.

    Warn the user: YES. Ban the simple or common passwords: NO.

    Also, a lot of people here on Slashdot ne
  • I.E. how Microsoft is actually doing this password analysis, because we would presume that they're smart enough not to store them in clear text so anonymous/lulzsec/etc can come steal them. I wouldn't be surprised if they just popped themselves up on the radar of hacker groups, "Hey guys, M$ must be storing about 50 million passwords in clear text!!1" Certainly, you can compare hashes to get a count of identical passwords, but then how do you know what those passwords actually are in order to ban them?
