Microsoft announced two new features to protect Hotmail users from email account hijackers as well as from malicious email and spam.
Microsoft July 14 announced new security features designed to track down when user accounts were compromised and to make passwords more secure. The "My friend has been hacked!" feature has been added under the "Mark as" menu in Hotmail to let users notify the email provider if their friends' accounts appear to have been compromised.
Microsoft will soon start evaluating passwords selected by users to decide if they are strong enough. Weak passwords will be rejected, according to the company.
Users often receive strange email messages from their friends, such as the ones claiming they are stranded in a foreign country and need money as soon as possible or an odd one- or two-line note about some product or service accompanied by a link.
It's usually the case that the friend's email account has been compromised because they chose a weak password or reused the password across multiple services, Graham Cluley, senior technology consultant, wrote on the Naked Security blog.
"At Hotmail, we know that account hijacking is a big problem, and we continue to work hard to prevent it," Dick Craddock, the Microsoft group program manager responsible for Hotmail, wrote on the Inside Windows Live blog.
Recipients of emails from clearly compromised accounts can report the messages and the sender as part of the "My friend's been hacked!" feature, Microsoft said. Even messages stored in the Junk folder can also be used to flag hacked friends. What's even "more warming," according to Cluley, was that the feature would work even if the sender was not a Hotmail user because the provider would be sharing information with Gmail and Yahoo Mail.
"Our compromise-detection system is always working in the background to detect unusual behavior," Craddock wrote, adding that accounts are flagged whenever bad behavior is detected. "It's a bit like your credit card company putting a hold on your account when they detect suspicious activity," he said.
Hotmail rolled out this feature because when a user's Webmail account is compromised, friends are generally aware the account has been hacked long before the original user is, Craddock said. The report is combined with the other information collected by the detection engine to determine whether the account really has been hijacked, according to Craddock.
Hotmail's new feature is designed to also make it quicker and easier for rightful owners to reclaim their compromised accounts. Hotmail can use the warning to determine if the account needs to be suspended and work with the original owner, Cluley said. Reported accounts are generally returned to the user within a day, according to Craddock.
Hotmail will also now prevent users from creating weak passwords, according to Craddock. If a customer tries to select one of the common passwords, just as "password," "ilovecats," "gogiants" and "123456," the system will reject the selection.
Blocking weak passwords appears to be a good idea, as proven by Gawker, HB Gary Federal and the Justice Department. All those breaches took advantage of the fact that users are still using weak and easy-to-guess passwords. Users also are often reusing the same password across multiple sites, so if an account is compromised, all the sites with the same password become vulnerable.