Increasingly, it seems like you can’t read the news without seeing a headline about a security issue exposing customer account information for criminals to exploit.
As a guy who works every day to keep the Microsoft account system (formerly Windows Live ID) secure, each time I read something like this my heart goes out first to the people whose accounts are victimized by these criminals, and second to my colleagues at the compromised companies. The bad guys only have to be right once; defenders have to be right 100% of the time. I've been impressed by the competence and dedication of my peers across the industry.
Of course, as has been extensively covered, these attacks shine a spotlight on the core issue – people reuse passwords between different websites. This highlights the longstanding security advice to use unique passwords, as criminals have become increasingly sophisticated about taking a list of usernames and passwords from one service and then “replaying” that list against other major account systems. When they find matching passwords they are able to spread their abuse beyond the original account system they attacked.
We don’t blog much about our security work – no need to give the bad guys more ideas on how to attack our customers. However, given the events of this past week, we’ve had enough questions that I wanted to take the time to share at a high level how we protect our customers from these attacks, and re-emphasize what each of you can do to better protect yourself.
Let’s start with how we find out about these customers who are at risk.
We regularly get notified of lists of compromised external account info (email addresses and/or passwords from other networks) from different sources. They contact us so that we can make sure our customers are protected if they use the same password for their Microsoft account. Sometimes it’s one of the many worldwide law enforcement agencies who reaches out. Sometimes it’s an ISP. Sometimes it’s another company who runs an identity system. And occasionally lists are published on public websites for the world to see.
The amount of detail and fidelity in these lists varies. Often they are incomplete, or the passwords in them are encrypted, so they don't put real customers at risk. Occasionally, though, they are lists of complete usernames and plaintext passwords, and those are a real threat to our customers.
When we get a list, first, we check to see if it actually matches any accounts and passwords in our system. This is done in an automated and secure way so no human actually sees the account info of our customers.
You'd be surprised how often the lists, especially the publicly posted ones, are complete garbage with zero matches. But sometimes there are hits: on average, the password matches for around 20% of the usernames that exist in our system. A recent list had only 4.5% overlap. This is actually encouraging, because it means that, on average, 80% of the customers who appear on these lists are not reusing their password with us, which reflects a growing sophistication among our customers.
Next, we look to see if there is evidence of criminal activity, like sending spam. If we do see signs of criminal activity, we suspend the account and ask the rightful owner to go through account recovery to regain control. In other cases we simply ask the customer to change their password (before any harm can be done).
Occasionally we get information about a set of customers, but there isn’t enough account information to identify who has reused passwords and is therefore at risk. Then we have a judgment call – do we ask 100% of those customers to reset their passwords, even though only 20% are probably at risk? Or do we leave the 20% at risk to avoid inconveniencing the 80%?
Where there is a credible threat, the answer is simple – we err on the side of protecting customers. This is a drag for those of you who are very careful with your passwords, and I do apologize for that inconvenience, but I hope you forgive us for protecting your neighbor. It might be you some day.
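The matching and judgment-call steps described above, written out as an added example. This is not Microsoft's code: it checks a constructed leaked list against a constructed account store that keeps only salted PBKDF2 hashes, verifies each leaked plaintext password against the matching account's own hash (so nothing from the store ever has to be decrypted or displayed), treats pre-hashed or username-only entries as unverifiable, and reports only usernames and counts, never passwords. The PBKDF2 parameters, the hex-digest heuristic for spotting pre-hashed passwords, and the `credible_threat` flag that tips the judgment call toward resetting everyone matched are assumptions of the example.

```python
"""Added example: match a leaked credential list against an account store
without exposing stored secrets or logging leaked plaintext."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

PBKDF2_ITERATIONS = 100_000  # assumption for this demo; a real store tunes this


@dataclass(frozen=True)
class Account:
    """Stored account: only a salted PBKDF2-HMAC-SHA256 hash of the password is kept."""
    username: str
    salt: bytes
    pw_hash: bytes
    iterations: int = PBKDF2_ITERATIONS


def normalise(username: str) -> str:
    return username.strip().lower()


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(normalise(username), salt, hash_password(password, salt))


def verify_password(account: Account, candidate: str) -> bool:
    # Re-derive with the account's own salt and work factor; compare in constant time.
    return hmac.compare_digest(hash_password(candidate, account.salt, account.iterations), account.pw_hash)


# Heuristic (assumption): a bare MD5/SHA-1/SHA-256 hex digest is a pre-hashed password,
# which cannot be verified against salted storage.
HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)


@dataclass(frozen=True)
class LeakEntry:
    username: str
    secret: Optional[str]  # plaintext password, or None when absent or pre-hashed
    kind: str              # "plaintext", "hashed" or "username_only"


def parse_leak_line(line: str) -> Optional[LeakEntry]:
    """Parse one 'user:secret' line; lines without an address are noise."""
    line = line.rstrip("\r\n")
    if "@" not in line:
        return None
    if ":" not in line:
        return LeakEntry(normalise(line), None, "username_only")
    user, secret = line.split(":", 1)
    if HEX_DIGEST.fullmatch(secret.strip()):
        return LeakEntry(normalise(user), None, "hashed")
    return LeakEntry(normalise(user), secret, "plaintext")


@dataclass
class MatchSummary:
    total_entries: int = 0
    username_matches: int = 0
    password_matches: int = 0
    unverifiable: int = 0  # username matched but the list carried no usable password
    confirmed_reuse: Set[str] = field(default_factory=set)  # usernames only, never passwords
    unverified: Set[str] = field(default_factory=set)

    @property
    def reuse_rate(self) -> float:
        """Share of verifiable username matches whose password also matched."""
        checked = self.username_matches - self.unverifiable
        return self.password_matches / checked if checked else 0.0


def match_leak(accounts: Dict[str, Account], leak_lines: Iterable[str]) -> MatchSummary:
    summary = MatchSummary()
    for line in leak_lines:
        entry = parse_leak_line(line)
        if entry is None:
            continue
        summary.total_entries += 1
        account = accounts.get(entry.username)
        if account is None:
            continue
        summary.username_matches += 1
        if entry.kind != "plaintext":
            summary.unverifiable += 1
            summary.unverified.add(entry.username)
        elif verify_password(account, entry.secret):
            summary.password_matches += 1
            summary.confirmed_reuse.add(entry.username)
    return summary


def accounts_to_reset(summary: MatchSummary, credible_threat: bool) -> Set[str]:
    """Confirmed reuse always forces a password change; when matches could not be
    verified, a credible source tips the judgment call toward resetting everyone matched."""
    to_reset = set(summary.confirmed_reuse)
    if credible_threat:
        to_reset |= summary.unverified
    return to_reset


# Constructed sample data (not real accounts or a real leak).
ACCOUNTS = {a.username: a for a in (
    create_account("alice@example.com", "correct horse battery staple"),
    create_account("bob@example.com", "Tr0ub4dor&3"),
    create_account("carol@example.com", "s3cret-but-reused"),
    create_account("dave@example.com", "unique-to-this-site"),
)}
LEAK = [
    "Alice@Example.com:correct horse battery staple",      # same password: confirmed reuse
    "bob@example.com:hunter2",                              # account exists, password differs
    "carol@example.com:5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted MD5 digest: cannot verify
    "mallory@example.com:letmein",                          # no such account
    "this line is garbage",                                 # noise, ignored
]

if __name__ == "__main__":
    s = match_leak(ACCOUNTS, LEAK)
    print(f"{s.username_matches}/{s.total_entries} usernames known, {s.password_matches} "
          f"confirmed reuse ({s.reuse_rate:.0%}), {s.unverifiable} unverifiable")
    print("force reset:", sorted(accounts_to_reset(s, credible_threat=True)))
```

Two design points carry over to any real implementation: the leaked plaintext is only ever fed into the verifier and never written to the summary, and the decision about unverifiable matches is made explicitly by the caller rather than buried in the matcher.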
If your account is ever on one of these lists, here’s what you will see when you next sign in to Hotmail, SkyDrive, Xbox or another Microsoft service with your Microsoft account. (You might also see something like this if you have a password that is too common).
When you see this, please pardon the inconvenience and take a moment to change your password to a new, unique password.
Follow the simple steps below to better protect yourself from criminals looking to take advantage of you.
Also remember that we will never send you email asking for your password or other security or account information. Any email asking for this information is always a phishing scam designed to lure you into disclosing your password or other account information.
As a final note, of course we have security systems that are constantly evolving to block unauthorized access to your account even if the attacker has your password. These systems reason about normal patterns of login, location, and other factors, and will block unauthorized access or at times will provide an additional identity challenge to make sure that you are really you. But criminals do sometimes get around these systems, so having good, strong, unique passwords and following our security tips is always a good idea.
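As an added illustration of the kind of reasoning the last paragraph describes (not Microsoft's code, and not a description of the real system), the block below scores a sign-in attempt against the account's own history of countries and devices, adds weight for a different country within two hours of the last login and for a burst of wrong passwords just before a correct one, and maps the score to allow, challenge or block. The weights, thresholds and the constructed login history are all assumptions of the example.

```python
"""Added example: a simple risk score over an account's own login history, deciding
whether to allow, challenge or block a sign-in even when the password is correct."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"

# Weights and thresholds are assumptions of this example.
CHALLENGE_AT = 2
BLOCK_AT = 5
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)
FAILURE_BURST = 5


@dataclass(frozen=True)
class Login:
    when: datetime
    country: str
    device_id: str


def risk_score(history: List[Login], attempt: Login, recent_failures: int = 0) -> int:
    """Higher means less like the account's normal pattern."""
    seen_countries = {h.country for h in history}
    seen_devices = {h.device_id for h in history}
    score = 0
    if attempt.country not in seen_countries:
        score += 2
    if attempt.device_id not in seen_devices:
        score += 2
    last = max(history, key=lambda h: h.when, default=None)
    # A different country within two hours of the last login: nobody travelled that fast.
    if last and last.country != attempt.country and attempt.when - last.when < IMPOSSIBLE_TRAVEL_WINDOW:
        score += 3
    # Many wrong passwords right before a correct one looks like guessing or list replay.
    if recent_failures >= FAILURE_BURST:
        score += 3
    return score


def decide(history: List[Login], attempt: Login, recent_failures: int = 0) -> str:
    score = risk_score(history, attempt, recent_failures)
    if score >= BLOCK_AT:
        return BLOCK
    if score >= CHALLENGE_AT:
        return CHALLENGE
    return ALLOW


# Constructed history: one user, one laptop, always from the same country.
HISTORY = [
    Login(datetime(2012, 7, 1, 9, 0), "US", "laptop-1"),
    Login(datetime(2012, 7, 2, 9, 5), "US", "laptop-1"),
    Login(datetime(2012, 7, 3, 18, 30), "US", "laptop-1"),
]
SAME_AS_USUAL = Login(datetime(2012, 7, 4, 9, 0), "US", "laptop-1")
NEW_DEVICE = Login(datetime(2012, 7, 4, 9, 0), "US", "phone-2")
TRAVELLING = Login(datetime(2012, 7, 10, 12, 0), "BR", "laptop-1")
IMPOSSIBLE = Login(datetime(2012, 7, 3, 19, 0), "RO", "unknown-7")  # 30 min after a US login

if __name__ == "__main__":
    for name, attempt in [("usual", SAME_AS_USUAL), ("new device", NEW_DEVICE),
                          ("travelling", TRAVELLING), ("impossible travel", IMPOSSIBLE)]:
        print(f"{name}: {decide(HISTORY, attempt)}")
    print("usual device after 6 wrong passwords:", decide(HISTORY, SAME_AS_USUAL, recent_failures=6))
```

The middle tier matters most for the point the paragraph makes: a correct password from an unfamiliar device does not get a flat yes or no, it gets an extra identity challenge, so a replayed credential alone is not enough.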
Thanks for helping us keep you safe.
Eric Doerr Group Program Manager – Microsoft account
Is SkyDrive protected with Microsoft Forefront, or something like it?
Hi Eric - how do you suggest I deal with the following situation.
I have rebuilt my pc since the trusted installations started so the old pc doesn't exist. I can't add a new trusted pc because the system doesn't recognise that I have installed Live Essentials and you mention it takes 30 days to do this anyhow. I cannot add a new payment method to my hotmail account because of this and the old one has expired and my account renewal date was yesterday. What can I do?
I have to say that I am not a fan of associating Live Essentials and my Hotmail account. This should be optional and not compulsory, and not part of the security. These are not applications I intend to use and I cannot understand why Microsoft would make them compulsory. (In addition to this I have had two weeks of stuck Windows updates and have only just managed to clear them after hours of effort, so Microsoft is not top of my favourite companies at the moment!) (This is from a long-term user, support professional and MCP.)
Thank you in advance for your help
As an end user, I am always happy to see improvements to the Microsoft account, particularly in raising the security level. However, I'm having a bad experience due to such high security.
My Live account is blocked, and I cannot unblock it after trying all the methods I found on the internet, and even paying for "professional" expert advice. Unfortunately, I still cannot verify ownership.
This is not a good experience, as you can imagine, when you rely on a trusted account to manage all your major activities and one day you are not able to access it for some reason. The very worst thing is that you are not able to find any support after failing to verify ownership of the account by filling in forms. You lose all your connections in a minute.
I share my experience, and I would certainly like to seek your advice on how to unblock my account by communicating directly with the Windows Live Support team instead of filling in the standard form.
Other than that, customers would always appreciate seeing care at the same time as the security level is raised. Trust, reliability, stability, care and support, I believe, are the key elements of a sustainable business, particularly for a service provider.
My account is so secure that I can't access my billing information anymore.
I also can't add a trusted computer (is that the right name?) although I use IE9 and have Windows Live Essentials installed (now it's called Windows Essentials 2012, still nothing changed).
Hello Eric! I have used Hotmail for some time, and I would like to leave my comment about Hotmail here.
First, Hotmail should show when and where the last accesses to your account were made, preferably showing the computer's IP and the city. I would also like Hotmail to "warn" me if there is simultaneous access to my account.
Finally, when my email is accessed from a "weird IP", I would like a message to be sent to my phone (and an email to my secondary email) with a code to allow entry into Hotmail.
Outside of the security issue, I would LOVE it if there were a translator in Hotmail, to translate emails from other languages without having to open any other web page.
Excuse my terrible English. Please try to understand as much as you can, and please take my comments into consideration; I hate having to leave Hotmail due to security.
Hey Eric, I think it is great that you are working to improve the security of Microsoft accounts. I am a security consultant myself, so I understand the importance of all this. I am a little confused about the method you describe that you offer to the owner of a compromised account, however. In the screenshot above, it shows that you force the user to change their password if you think the account may have been compromised. This is great, but you should ask for more info than just their current password to prove it is their account, because if the password was leaked then the attacker or anyone else could also be changing the password, and then the real owner would not be able to get back into the account. Most likely the next time the user tries to log in with the old password, Hotmail should then ask them if they had changed their password, but I think there should be more challenges posed before allowing the user to change their password, thereby affirming that the owner is the one changing the password. Also, I am not even going to get into the 16 character limit on passwords; you must already know that this must be changed as soon as possible. Please do whatever you can to allow for longer passwords. This should be the number one item on the list for Hotmail security improvements, as many users are now using password managers such as LastPass (which enable us to use longer, and perhaps hard to remember, passwords). Thanks for your efforts.
What about 2-Factor Authentication. I have it on my email and I like the extra security it offers. You just telesign into your account and you’re good to go. I'm hoping that SkyDrive will start to offer this awesome functionality. In reality this should be a prerequisite to any system that wants to promote itself as being secure.
It's nice that you guys are adding all these extra layers of protection to accounts, but it's totally useless for someone like myself. Overall it has become very troublesome and actually makes it harder for me, as a user who hasn't used their Hotmail account that much in the past year or two.
I was locked out of my Hotmail account either this year or near the end of last year. My account was compromised and, I would assume, used to spam, and was locked because of that. I really didn't use the account much for e-mail, but it was my Xbox Live account and Games for Windows Live account. I wasn't even using it as my Xbox Live account for the most part, and so most of these new security features went by without me actually knowing about them to begin with. It's currently impossible for me to even retrieve my account, because I barely used it and I can't remember half the answers to the questions on the long form I have to fill out, like the last Xbox Live code I used or the last email I sent.
It's very frustrating that there's no way I can actually contact a live person to get help with any of this. It's even worse that Microsoft won't even add a support line to call about any of this because it's a free service they give away, even though a lot of people use these accounts to purchase items and use them with Microsoft.
In addition to the page that you described, asking customers to create a new strong password, the Hotmail forum on Answers is full of questions from customers who are receiving a slightly different pop-up page asking for additional security information such as: Phone number (many customers do not wish to provide their phone number for privacy reasons), Alternate email address (some customers do not have an alternate email address), Trusted PC (requires that one Install Windows Live Essentials, and not all customers wish to do that), and a secret question.
Many customers are reluctant to respond to this pop-up page because it is similar to many phishing messages that have been documented. Can you confirm that the pop-up page asking for additional security items is legitimate?
Also, are all four of the above security items required (to make the pop-up page cease to appear at sign-on), or can a subset be provided?
Thanks for the follow-up and I am delighted to hear that the wait period to reset security proofs will be dropped to a uniform 30 days. That is excellent news and (IMO) a reasonable compromise.
I suspect I fell into this trap because the additional proofs (PC, phone number for texts etc.) were added after I set up my Windows Live ID and before rigorous use of the security proofs was put in place to monitor changes in contact info.
One change I strongly recommend (if it is not now in place): If one changes their primary e-mail address away from one that is in the security proof list then prompt the user to also amend the security proof list! That would reduce the number of individuals caught out the way I was.
Keep up the great work!
Eric, you mentioned Trusted PC above. On the subject of preventative security measures, would there be any way to provide the option of using the Trusted PC feature (which I have just now enabled) as a form of two-factor authentication, i.e. so that it would confirm a login, instead of simply using it after the fact for account/password recovery? I realize it would only be useful to a minority of us users who access our mail from a single (home) computer and not cell phones, but it would still be a *very* strong security option for such individuals, no? Just curious.
@Eric Doerr, thanks for the heads up. It looks like the issue is resolved. The last email I received from Windows Team Blog about you accepting my invitation is not rendered as suspicious by the SmartScreen filter. (-8
@ItbytheBay - Thanks! The password checker is great isn't it!
I'm sorry to hear about your challenges. We recommend that everyone add several proofs to their account - to prevent exactly the situation you are in. A phone number (we now support voice in addition to text), and any additional email accounts you have, plus a trusted PC for each of your primary machines is the best defense and ensures something like this doesn't happen.
We have several mechanisms in production now that ask customers to make sure they've provided this info, and periodically remind customers to make sure it's up to date.
When some combination of events happen and you lose access to all your proofs, you can mark your proofs as "lost." This bursts a notification to all the proofs on file confirming that you wanted to reset your proofs and makes you wait 30 days until we reset your account. This is designed to be long, so that a bad guy with just your password can't mark your proofs as lost and take your account if you happen to be on vacation or don't check your phone or email for a few days. If you see one of these notifications you can easily cancel it before a bad guy can seize control.
The current behavior, as you note, if you have >1 proof is to make you wait 6 months. But we agree that this is too long and have already initiated a change to have the wait period always be 30 days, regardless of how many proofs you have. In about a week this change should go live - however many days you've already been waiting will "count" towards the 30 days.
Good luck getting through this and thanks for using the products!
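The "proofs lost" flow described in the reply above (notify every proof on file, wait out a fixed period, let the real owner cancel, and count days already waited when the period is shortened), as an added example that is not Microsoft's code. The `AccountSecurity` class, the notification outbox standing in for the real burst of emails and texts, and the sample proofs are assumptions of the example; the 30-day figure and the migration rule are taken from the reply.

```python
"""Added example: a time-delayed 'proofs lost' reset with a notification burst and a
cancel path, so a bad guy holding only the password cannot take the account quickly."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

WAIT = timedelta(days=30)  # uniform wait regardless of how many proofs are on file


@dataclass(frozen=True)
class Proof:
    kind: str   # "email", "phone" or "trusted_pc"
    value: str


@dataclass
class ResetRequest:
    requested_at: datetime
    completes_at: datetime
    cancelled: bool = False


@dataclass
class AccountSecurity:
    username: str
    proofs: List[Proof]
    pending: Optional[ResetRequest] = None
    outbox: List[str] = field(default_factory=list)  # stands in for the notification burst

    def mark_proofs_lost(self, now: datetime) -> ResetRequest:
        """Start the clock and tell every proof on file, so the real owner can object."""
        if self.pending and not self.pending.cancelled:
            return self.pending  # re-requesting must not restart or shorten anything
        self.pending = ResetRequest(now, now + WAIT)
        for p in self.proofs:
            self.outbox.append(
                f"to {p.kind} {p.value}: reset of security info for {self.username} requested; "
                f"completes {self.pending.completes_at:%Y-%m-%d}; reply to cancel")
        return self.pending

    def cancel_reset(self, now: datetime) -> bool:
        """The owner, reacting to a notification, cancels before the wait elapses."""
        if self.pending and not self.pending.cancelled and now < self.pending.completes_at:
            self.pending.cancelled = True
            return True
        return False

    def complete_reset(self, now: datetime) -> bool:
        """Clear the proofs only once the wait has elapsed with no cancellation."""
        if self.pending and not self.pending.cancelled and now >= self.pending.completes_at:
            self.proofs = []
            self.pending = None
            return True
        return False


def shorten_pending_wait(account: AccountSecurity) -> None:
    """Migration for requests filed under a longer wait: days already waited count."""
    if account.pending and not account.pending.cancelled:
        account.pending.completes_at = min(account.pending.completes_at,
                                           account.pending.requested_at + WAIT)


T0 = datetime(2012, 7, 1)
DAY = timedelta(days=1)


def new_account(username: str) -> AccountSecurity:
    # Constructed sample proofs, not real contact details.
    return AccountSecurity(username, [Proof("email", "alt@example.org"), Proof("phone", "+1 555 0100")])


def scenario_attacker() -> Tuple[int, bool, bool, bool, int]:
    """Someone with just the password marks proofs lost on day 0; the owner cancels on day 3."""
    acct = new_account("alice@example.com")
    acct.mark_proofs_lost(T0)
    cancelled = acct.cancel_reset(T0 + 3 * DAY)
    early = acct.complete_reset(T0 + 10 * DAY)   # too early anyway
    late = acct.complete_reset(T0 + 31 * DAY)    # cancelled, so still nothing
    return len(acct.outbox), cancelled, early, late, len(acct.proofs)


def scenario_owner() -> Tuple[bool, bool, int]:
    """An owner who really lost every proof waits out the full period."""
    acct = new_account("bob@example.com")
    acct.mark_proofs_lost(T0)
    return acct.complete_reset(T0 + 29 * DAY), acct.complete_reset(T0 + 30 * DAY), len(acct.proofs)


def scenario_migration() -> datetime:
    """A request filed under the old six-month wait is shortened to 30 days from filing."""
    acct = new_account("carol@example.com")
    acct.pending = ResetRequest(T0, T0 + 180 * DAY)
    shorten_pending_wait(acct)
    return acct.pending.completes_at


if __name__ == "__main__":
    print("attacker:", scenario_attacker())
    print("owner:", scenario_owner())
    print("migrated completes:", scenario_migration().date())
```

The safety property is that the only fast path is cancellation: nothing an attacker does with the password alone can shorten the wait, while any one of the notified proofs is enough for the owner to stop it.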
@Corrine - agreed. The more value there is in a system, the more incentive the bad guys have to attack. On the plus side, the bigger the system, the more telemetry there is available to see bad behavior and cross correlate.
@abm - Thanks for the feedback on Smartscreen. I've taken your info and passed it along to the team working on that area.
I've also accepted your friend request. I'll get details offline to see if I can help on your other issue ok?
The link to the "secure password checker" embedded in your "Create strong passwords" is a terrific resource to pass on to clients, friends and family!
My personal issue with the way Microsoft accounts are managed comes down to the security info reset policy. A while back I changed jobs and lost access to the two e-mail addresses (both work-related) I had used as the e-mail addresses for my security info. I did change the primary e-mail address associated with my Microsoft (then Windows Live) account and everything seemed to be going smoothly until I recently tried to make some account changes and found that I had not received any security prompt to confirm the new address, and now that I no longer have access to the old e-mail addresses I have no way to make account changes beyond waiting *six* months for the old addresses to be purged.
Without any access to a human being or other way to verify my identity, even through my TechNet subscription, the Microsoft account seems to be a precarious tool upon which to rely for authentication to important data stored in Microsoft's cloud apps. Don't get me wrong. I am a heavy user of SkyDrive and particularly pleased with the integration into OneNote. I just really wish changing my security info would not take half a year!
Thanks for sharing insight about security protocols. Please allow me to send you a private email for me to share what's going wrong with my inbox.
Thank you Eric for considering our comments. I would like to share some thoughts regarding the SmartScreen Filter which I reported to Chris Jones (MSFT) via email. Several months ago, we exchanged emails about SmartScreen filtering and how it marks the automated email notifications from windowsteamblog.com as suspicious. Unfortunately, the issue persists to this day.
• I have a separate folder for Windows Team Blog emails: i50.tinypic.com/28iro7b.png
• I have wvblog(at)microsoft.com in my safe senders’ list: i47.tinypic.com/13yqae.png
• When I open the email message in browser (mail.live.com) SmartScreen filter says: "This message looks very suspicious to our SmartScreen filters, so we've blocked attachments, pictures, and links for your safety. "
• Finally, when I click "Show content", its still looking suspicious: "This message looks suspicious to our SmartScreen filters."
Please take the required actions to resolve this issue.
Thank you for improving Windows Live Hotmail. ( - 8
Considering that the year-old article, securitygarden.blogspot.com/.../hotmail-security-how-to-report-hacked.html is still getting 400+ page views/week on my small blog, it appears that the problem of compromised Hotmail accounts is an ongoing problem.
With the Microsoft account system connected not only to our e-mail account, but also SkyDrive and any product or service associated with that account (i.e., MSDN, TechNet) is it any wonder that it is a target? The more features Microsoft can provide to increase the security of our Microsoft account, the better, particularly the capability of longer passwords and the use of special characters. With the ability to use the Microsoft account instead of a local account on Windows 8, it is all the more critical that enhancements be provided.
Thanks for the reply, Eric, and for your interest and work both on increasing password length and on implementing two-factor authentication in Hotmail (eventually)! (Btw, I hope that you will allow TFA to have an optional month-long validity, as Gmail does, for people accessing accounts from a single home computer, like me.) :-)
@MondayBlues - Thanks for the feedback. There are a couple different points here.
First let me comment on the spirit of the post - I 100% agree that prevention is far better than reaction, this is how we focus and prioritize our efforts and we are working hard on this.
On the specifics...
Password length - We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market. It's also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like "123456" not due to a lack of complexity.
Two-factor auth - Over the last 6 months we have rolled out two-factor authentication in several systems that use Microsoft account. For example, you need to use two-factor auth to buy stuff on xbox.com, to remotely fetch files from other computers on SkyDrive and more. We are learning a lot from this and have more in the works. We see two-factor auth as being an increasingly important piece of our protection suite.
Finally, we really do listen to all the comments that come in on the blog and the feedback does at times cause us to rethink and reprioritize the order of our work. Please keep the feedback coming.
I'm somewhat confused how Live/Hotmail can, on the one hand, encourage me to make a strong passcode and such, while, OTOH, preventing me from having a passcode over 16 characters (?!). Yahoo, Gmail, Hushmail, Yandex, MyOperaMail, and just about any other provider I know allows passcodes in excess of 30 characters. What's Hotmail's rationale for limiting the passcode in an age where brute force attacks and other means of gaining entry get easier and easier?
And why does Hotmail not allow use of special characters (#, $, %, etc.) in security question answers? That, too, is allowed by the above providers and others and adds a layer to the security, no?
And two-factor authentication would be nice to make logins that much more secure, rather than only having the cell phone number on file for regaining access to a compromised account. I much prefer the ounce of prevention to the pound of cure, don't you?
I've read Blog Team members occasionally say, "Thanks for the suggestion. We'll look into that." But nothing ever seems to get done along these lines. No explanation for the passcode limit (the shortest of any email provider I know). No two-step authentication. (Even Yahoo, blech!, didn't wait too long to come out with it after Gmail did!) What on earth could be Live's excuse for the delay? All I see on various other email forums are people complaining of being locked out of their Hotmail accounts or having them hacked and used to send spam, etc. How can such an attacked, hacked and cracked email service spend so much time coming out with more and more bells and whistles and not implement some of the security features I mentioned above that most/all other providers have?
You know, back in the old days my grandpappy used to live in an old country house. He never locked the doors but also never had valuables stolen. But no one would say that his house was thereby *secure.* It simply wasn't *targeted.* If it had been, he'd have been cleaned out. Well, I feel the same way about my Hotmail account. It has some protective features but nothing like the protection that a dead-bolt (longer passcodes) or an electronic security system (two-factor authentication) would provide.
Hotmail is a great service, and I'm delighted with the measures it *does* have, and I'd like to trust & use it more. But I'm NOT going to trust it with my important emails or store any files there (Skydrive) until I see more stringent pro-active (not reactive) security features.