Microsoft boosts Hotmail password reset security
New 'proofs' guarantee users can reclaim hijacked e-mail accounts
Computerworld - Microsoft on Monday added new security features to its Windows Live Hotmail Web mail service to help users regain control of hijacked accounts.
Citing a trend of spammers seizing legitimate accounts, Microsoft said it was kicking off new techniques to sniff out compromised Hotmail accounts, as well as giving users more ways to reclaim inboxes snatched by criminals.
Microsoft first touted the features last May, before it rolled out a massive Hotmail upgrade.
Rather than rely on an alternate e-mail address and a single secret question-answer pair for resetting an account password, Hotmail now lets a user set one or more "trusted PCs" or a mobile phone as proof that she is the real owner of the account, said Dan Lewis, a senior product manager with the Hotmail team.
"On other services, if a spammer has [an account's] password, he can change the [password reset] proofs," said Lewis. "But recognizing that more accounts are being targeted for compromising, we're not going on the assumption that you only need one proof to reset the password."
In one of the most famous abuses of a password reset feature, University of Tennessee student David C. Kernell got control of the Yahoo Mail account of former Gov. Sarah Palin during the 2008 presidential election by answering a single security question.
Kernell was later convicted on a federal felony charge and a federal misdemeanor charge.
Instead, Hotmail users can now tag multiple PCs -- Lewis wasn't sure of how many, only that more than one was possible -- as a proof. Users locked out of their account by a hijacker can regain control simply by logging in from one of the previously-set trusted machines.
To use a PC as proof, users must have installed Windows Live Essentials, a suite of free applications Microsoft offers for download.
Users can also enter a mobile number as another proof. That phone will then receive an unlocking code via a text message when the user asks for a password reset.
"People will always be able to get their account back," said Lewis. "Spammers are not going to be able to hack into their cell phone or their trusted PC."
With those proofs in place, more users will be able to reset their passwords without help from Microsoft support. "Medium-term, people will have a better self-service recovery path," Lewis said.
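The recovery policy the article describes, as an added example that is not Microsoft's code: any one registered proof (a trusted PC or a one-time SMS code) can reset the password, but the proofs themselves cannot be changed by someone who holds only the password. The device ids, phone number, five-minute code lifetime and the rule that only the first proof can be added with the password alone are constructed assumptions for this model.

```python
import hmac
import secrets
import time

class RecoveryPolicy:
    """Account whose password resets with any one registered proof (constructed model)."""
    CODE_TTL = 300  # assumed lifetime of an SMS single-use code, in seconds

    def __init__(self, password):
        self.password = password
        self.trusted_devices = set()  # ids of PCs registered as proofs
        self.phone = None             # mobile number registered as a proof
        self._pending = None          # (code, expiry) of the unused SMS code, if any

    def _proof_ok(self, device_id=None, sms_code=None):
        """True if the caller presents a registered trusted PC or a valid one-time code."""
        if device_id is not None and device_id in self.trusted_devices:
            return True
        if sms_code is not None and self._pending is not None:
            code, expiry = self._pending
            if time.time() <= expiry and hmac.compare_digest(code, sms_code):
                self._pending = None  # single use: a replayed code is rejected
                return True
        return False

    def request_sms_code(self):
        """Issue a fresh one-time code for the registered phone (returned here for the demo)."""
        if self.phone is None:
            raise ValueError("no phone registered")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = (code, time.time() + self.CODE_TTL)
        return code

    def add_proof(self, password, new_device=None, new_phone=None, **proof):
        """Password alone never changes proofs: once any exists, an existing proof is also required."""
        if not hmac.compare_digest(password, self.password):
            return False
        if (self.trusted_devices or self.phone) and not self._proof_ok(**proof):
            return False
        if new_device is not None:
            self.trusted_devices.add(new_device)
        if new_phone is not None:
            self.phone = new_phone
        return True

    def reset_password(self, new_password, **proof):
        # Any one registered proof resets the password; no secret question is involved.
        if not self._proof_ok(**proof):
            return False
        self.password = new_password
        return True
```

A hijacker who learns the password can still change it, but the owner can reset it again from a trusted PC or with a fresh SMS code, which is the property Lewis describes.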
To add additional proofs, such as a trusted PC or cell phone, to a Hotmail account, users must click "Options" in the upper right of the Hotmail screen, select "More options..." from the drop-down menu, then click "View and edit personal information" under the subheading "Manage your account." The proofs can be added under "Password reset information."
Microsoft isn't the only Web mail provider beefing up security. Last week, Google announced two-factor authentication that lets businesses protect Gmail log-ins by delivering a one-time code to a cell phone via text message.
Hotmail has had a similar feature, dubbed "single-use codes," for several months.
"We're making the proofs for users more secure so hackers can't lock them out," said Lewis.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.