> Hotmail is also working hard to eliminate accounts that have simple passwords such as “12345678″ and “password” by increasing security measures and not allowing simple passwords to be created.
Awesome. Not like I use Hotmail, but... So now if someone's password generator just happens to generate a "weak" password not containing, for example, a digit (uh, even `openssl rand -base64 12` provides such outputs from time to time), the user will have to step away from the usual password generation scheme and create a special password just for hotmail.com.
Please, for the love of sanity, never ever forbid any passwords (except for too short ones, with a reasonable minimal length). Just freak the user out so he'll think twice before using a possibly weak password. You'll educate users this way instead of frustrating them.
(And never limit maximum length or the set of possible characters, except for rare cases where there are technical obstacles requiring it - like non-8-bit-safe protocols. If the user wants to authenticate with a passpoem written in the runic alphabet — let him have it.)
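An added illustration of the generator clash described above (not the commenter's code): it computes the exact probability that the base64 text printed by `openssl rand -base64 N` contains no decimal digit, i.e. how often a "must contain a digit" rule rejects a 96-bit random password. The `openssl` binary is not invoked; the block reproduces its output shape with `secrets` and `base64`.

```python
import base64
import secrets
from fractions import Fraction


def b64_no_digit_probability(nbytes: int) -> Fraction:
    """Exact probability that base64(nbytes uniformly random bytes) contains no '0'-'9'.

    Every full 6-bit group selects one of 64 symbols, 10 of which are digits
    (indices 52..61), so each such character is digit-free with probability 54/64.
    A trailing partial group is zero-padded on the right, so only some symbols can
    occur there; the two possible remainders are handled explicitly.
    """
    full, rem = divmod(8 * nbytes, 6)
    p = Fraction(54, 64) ** full
    if rem == 4:
        # Final index is a multiple of 4 (16 candidates); 52, 56, 60 are the digits '0', '4', '8'.
        p *= Fraction(13, 16)
    # rem == 2: final index is a multiple of 16 -> 'A', 'Q', 'g' or 'w', never a digit.
    return p


def has_digit(password: str) -> bool:
    """The composition rule under discussion: at least one decimal digit required."""
    return any(c.isdigit() for c in password)


def generate_like_openssl(nbytes: int) -> str:
    """Same shape as `openssl rand -base64 N`: base64 of N random bytes, '=' padding stripped."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def rejection_rate(nbytes: int, trials: int = 20000) -> float:
    """Monte Carlo estimate of how often the digit rule rejects freshly generated passwords."""
    rejected = sum(not has_digit(generate_like_openssl(nbytes)) for _ in range(trials))
    return rejected / trials


if __name__ == "__main__":
    p = b64_no_digit_probability(12)  # the comment's `openssl rand -base64 12`
    print(f"96-bit password, P(no digit) = {float(p):.4f} (about 1 in {round(1 / p)})")
    print(f"simulated rejection rate: {rejection_rate(12):.4f}")
    print("'Password1' passes the digit rule:", has_digit("Password1"))
```

Roughly one in fifteen 96-bit outputs is turned away while a low-entropy "Password1" sails through, which is the gap between what is secure and what looks secure.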
Curious, what is your reasoning behind allowing 123456 in order to keep some kind of crazy "random generator" purity, but at the same time requiring a minimum length? Suppose my pw generator randomly generates passwords of different lengths? It seems to me the same operating principle behind why you don't want to limit character selection/order applies to string length as well.
I thought that a minimum limit's there just to ensure the sanity of a generator. You can't generally predict how a hash function will behave, but you can certainly define a minimum output length. What I was thinking about is that the restrictions are too strict, and there's a gap between what's secure and what looks secure.
I believed that it's generally expected that a password generator would produce passwords of a certain minimal length. At least I considered that nobody would write a generator (intended for real-world usage) that'd produce, say, a 3-character password for some edge case.
However, you sound reasonable. This leads us right to the extreme case - should empty passwords be allowed? (Considering that the user will be bugged like hell before letting him do so.)
I remember creating a blank password on Mac OS9 in grade school. It was clearly a bug that allowed me to do it, because the minimum password length was set to six characters, if I recall correctly. After I set the null password, I couldn't change it, but it worked fine for logging into my account. I was too embarrassed to ask the admin for help, so I was stuck with no password for about two years.
One of my banks limits passwords to something like 12 characters. I called and asked why, their response was "because it's hard enough to remember 12 characters!".
My bank says that too but it's really just 6 numbers because the characters map to the same numbers as on a telephone's key pad. So, if your password is ABC123, it's really just "222123", and both will work to log in.
My bank only allows passwords to be made of 5 numbers.
The interesting thing to note is that if they had any significant problem with this scheme, they would have changed it. Maybe we worry too much about the strength of passwords. The password verification process may be hardened enough, even for the needs of a bank.
What use is a password generation scheme if it manages to create one of the most used, and thereby one of the worst, passwords? Pure randomness surely must make way for generating something useful?
If your password generation scheme doesn't allow for arbitrary restrictions on the types of characters then I think it is already not a really great scheme.
Maybe a good way of freaking users out (and educating them at the same time) would be a notice saying "it will take n minutes/hours/millennia for someone to hack this password", rather than the "weak - strong" indicator you see on most sign up pages.
The people I know who use hotmail these days all love it. Unfortunately an @hotmail.com email address in my field is just instantly regarded as unprofessional and laughable.
Oh, be serious. I still use my @hotmail.com account extensively. I've had it since before MS bought it, so I think it is more a sign of my longevity online than anything else. Most professional software engineers that I know feel the same way. My experience is that people who judge you by your email tend to be very young and inexperienced software folk.
I'm in the same boat as you as far as how long I've been using hotmail. I've been migrating more and more to gmail, but I've got that hotmail account tied to so much shit over the years, I'm not even sure what I'd be losing if I ditched it completely.
> The people I know who use hotmail these days all love it.
I couldn't tell if you were joking, so I just logged into my hotmail account after years. Wow, some things never change. What do your friends love more - the flashing banner ads or the Outlook-style frames with scrollbars?
I still have a Hotmail address as my 'spam catchall' address around the web. I've had it since probably 1998 and since a lot of old friends and accounts are still connected to it I'm not letting it go. It continues to serve its purpose well. I've watched Hotmail evolve over the years and honestly the current state of it is pretty good. Considering they are the #1 spam sink on the web I get virtually none in my in-box. Their interface is pretty slow at times but considering I don't live in there I don't mind.
I wouldn't write off a Hotmail address as a 'joke' though. Some of those who still have them may have had them a long, long time.
> your choice in email host is a reflection on you
Actually my choice to use hotmail is a reflection of me X years ago when I created the account. It is also a reflection of the state of free web based providers X years ago. You don't know the value of X, which makes it difficult to draw any conclusions from my email address.
I guess it's also a reflection of the current me in that I don't see the point of going through the hassle of ditching an email address just to have something slightly more trendy (and slightly more usable).
See, I already learned something about you. Ditching an email address doesn't have to be a hassle.
Tip: Hook your old and new accounts into Thunderbird with IMAP (IMAP is key. No POP3). Drag-and-drop your folders full of email from Old to New. Wait for it... you're done! Now turn on forwarding in your old email account, and never log in to it again.
Ah yes, the belief that powers Western capitalism: your choice in trivial matters somehow becomes part of your perceived identity.
What does it mean? Can you answer in a way that isn't couched in the fashion of the day? There was a time when a Hotmail account was not looked down upon. What makes this instant in time so different, besides fashion?
What on earth does that have to do with capitalism? And what makes you think your choice of how to present yourself doesn't become part of how others perceive you?
I don't see how the article applies here, as we're not discussing a matter of significance. Were we discussing something that affected people's lives, it'd be appropriate. But I was being deliberately irreverent towards the notion that one should take care to choose the 'right' email provider. After all, it's a fucking email provider. It sends and receives email. That's it. To talk about it as if it is something to take seriously is goofy.
I wasn't advocating choosing the "right" provider (though you should certainly try to pick a good one, for your own sake!).
I have simply found that people's technical competence generally (GENERALLY) corresponds to what domain they are using. It's an observation, not a fashion trend.
Hotmail ruined its reputation in a few ways, but the primary way was how they would embed advertisements in your emails. So if you receive an email from an @hotmail person, you also receive a cute little ad!
That, and it took a bit for Hotmail to catch up on having huge mailboxes. It used to be that if you weren't on gmail or a private provider, you probably couldn't handle getting 3-4 CAD files a day for weeks at a time.
>Hotmail will put the account in recovery mode which will cause a password reset.
This sounds like it could be easily abused. How will the password reset work if the hotmail address is the only one a user has? What will he need to do to reclaim access to his account?
In comments to the original blog post, the PM for this feature mentions that the "my friend's been hacked" reports aren't enough by themselves to trigger this; they have to be accompanied by suspicious usage patterns on the alleged hacked account.
I've noticed that Hotmail's spam filtering has improved significantly in the past year or two (I still have an old Hotmail account). It may be 7 years too late to compete with gmail for new customers, but it's nice to see these improvements from Microsoft.
An added benefit of this is that Exchange customers can take advantage of what Microsoft has learnt from filtering Hotmail's spam by using FOPE (http://technet.microsoft.com/en-us/forefront/cc540243) as a cloud based spam filter. It's amazing how well it works.
I think that this is a great idea, but there will need to be a few things in place to make it secure enough for use.
- Only friends that communicate "a lot" should be able to report it (and not repeatedly).
- If the account's password was compromised, then the attacker will enter the account recovery flow on next login attempt. So the AR flow will need to ensure that the user is not the attacker (SMS and e-mail that are trusted, based on age and usage, are pretty good).
But why not just create a system that will alert the user when a successful login was made from a new device on their account? And include an account lock link in the e-mail, so they can quickly lock their account from anywhere with cell phone access.
Has anyone ever seen Microsoft confirm a problem with Hotmail itself being "hacked"? I have an account with Hotmail I don't use and haven't since 2007; I logged in recently to discover it had been sending spam emails. Every single person I know with an active or inactive Hotmail account has the same problem.
I have several old accounts, I just logged into a few and they haven't sent any mails. I have family that use Hotmail and don't get spam from them either.
Maybe you and your circle all happened to use some of those other big profile sites (Gawker, Sony, etc.) that have had their e-mails and password lists stolen...
Hm, how strange. I've not used the account for anything other than msn, a google search for it only yields results from 2 forums where I've posted it (in "add your msn" topics) from ~2006 and the password is what was used for a variety of other things at the time, none of which were "hacked", so I always assumed it was the result of an internal Hotmail breach. How strange, maybe it was just me and my friends then. Confirmation bias at work...
I haven't tried this feature yet, and I don't expect to try it any time in the future either. If my friend is hacked and keeps sending me email, I'll just block that person.