Hotmail will let users report hacked accounts, and prevent them from setting weak passwords that make them vulnerable to being hacked in the first place.
Microsoft announced two new
features to protect Hotmail users
from email account hijackers as well as from
malicious email and spam.
Microsoft July 14 announced new
security features designed to track down when user accounts were compromised
and to make passwords more secure. The "My friend has been hacked!"
feature has been added under the "Mark as" menu in Hotmail to let
users notify the email provider if their friends' accounts appear to have been
Microsoft will soon start
evaluating passwords selected by users to decide if they are strong enough.
Weak passwords will be rejected, according to the company.
Users often receive strange
email messages from their friends, such as the ones claiming they are stranded
in a foreign country and need money as soon as possible or an odd one- or
two-line note about some product or service accompanied by a link.
It's usually the case that
the friend's email account has been compromised because they chose a weak
password or reused the password across multiple services, Graham Cluley, senior
technology consultant, wrote on the Naked Security blog
"At Hotmail, we know
that account hijacking is a big problem, and we continue to work hard to
prevent it," Dick Craddock, the Microsoft group program manager
responsible for Hotmail, wrote on the Inside Windows Live blog.
Recipients of emails from
clearly compromised accounts can report the messages and the sender as part of
the "My friend's been hacked!" feature, Microsoft said. Even messages
stored in the Junk folder can also be used to flag hacked friends. What's even "more
warming," according to Cluley, was that the feature would work even if the
sender was not a Hotmail user because the provider would be sharing information
with Gmail and Yahoo Mail.
system is always working in the background to detect unusual behavior,"
Craddock wrote, adding that accounts are flagged whenever bad behavior is
detected. "It's a bit like your credit card company putting a hold on your
account when they detect suspicious activity," he said.
Hotmail rolled out this
feature because when a user's Webmail account is compromised, friends are
generally aware the account has been hacked long before the original user is,
Craddock said. The report is combined with the other information collected by
the detection engine to determine whether the account really has been hijacked,
according to Craddock.
Hotmail's new feature is
designed to also make it quicker and easier for rightful owners to reclaim
their compromised accounts. Hotmail can use the warning to determine if the
account needs to be suspended and work with the original owner, Cluley said.
Reported accounts are generally returned to the user within a day, according to
Hotmail will also now
prevent users from creating weak passwords, according to Craddock. If a
customer tries to select one of the common passwords, just as
"password," "ilovecats," "gogiants" and
"123456," the system will reject the selection.
Blocking weak passwords
appears to be a good idea, as proven by Gawker, HB Gary Federal and the Justice
Department. All those breaches took advantage of the fact that users are still
and easy-to-guess passwords
. Users also are often reusing the same password
across multiple sites, so if an account is compromised, all the sites with the
same password become vulnerable.