> Hotmail is also working hard to eliminate accounts that have simple passwords such as "12345678" and "password" by increasing security measures and not allowing simple passwords to be created.
Awesome. Not like I use Hotmail, but... So now, if someone's password generator just happens to generate a "weak" password not containing, for example, a digit (uh, even `openssl rand -base64 12` provides such outputs from time to time), the user will have to step away from their usual password generation scheme and create a special password just for hotmail.com.
Please, for the love of sanity, never ever forbid any passwords (except for too-short ones, with a reasonable minimum length). Just freak the user out so he'll think twice before using a possibly weak password. You'll educate users this way instead of frustrating them.
(And never limit the maximum length or the set of possible characters, except for rare cases where there are technical obstacles that require it, like non-8-bit-safe protocols. If a user wants to authenticate with a passpoem written in the runic alphabet, let him have it.)
Curious: what is your reasoning behind allowing 123456 in order to keep some kind of crazy "random generator" purity, but at the same time requiring a minimum length? Suppose my password generator randomly generates passwords of different lengths? It seems to me the same operating principle behind why you don't want to limit character selection/order applies to string length as well.
One of my banks limits passwords to something like 12 characters. I called and asked why, their response was "because it's hard enough to remember 12 characters!".
What use is a password generation scheme if it manages to create one of the most used, and thereby one of the worst, passwords? Pure randomness surely must make way for generating something useful?
If your password generation scheme doesn't allow for arbitrary restrictions on the types of characters, then I think it is already not a really great scheme.
Maybe a good way of freaking users out (and educating them at the same time) would be a notice saying "it will take n minutes/hours/millennia for someone to hack this password", rather than the "weak - strong" indicator you see on most sign up pages.
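The two policy points argued above (hard-reject only on length, warn instead of forbid, and show an estimated time-to-crack rather than a weak/strong bar) in working form. This is an added example, not code from the thread or from Hotmail; MIN_LENGTH, GUESSES_PER_SECOND and the tiny COMMON_PASSWORDS set are assumptions, and the alphabet-size heuristic is deliberately crude. It also works out the aside about `openssl rand -base64 12`: with 16 base64 symbols, about one output in fifteen contains no digit at all.

```python
"""Password policy: hard-reject only on length, warn about everything else.

Added example, not code from the thread or from Hotmail. MIN_LENGTH,
GUESSES_PER_SECOND and the tiny COMMON_PASSWORDS set are assumptions.
"""
import string

MIN_LENGTH = 8               # assumed: the only rule that rejects outright
GUESSES_PER_SECOND = 1e10    # assumed: offline guessing against a fast hash

# Constructed stand-in for a real most-common-passwords list.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "abc123", "letmein"}

ASCII_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                 string.digits, string.punctuation)


def character_classes(password):
    """ASCII classes present, plus the set of 'other' characters (space,
    non-Latin letters, ...) so a runic passpoem is not penalised."""
    present = [cls for cls in ASCII_CLASSES if any(c in cls for c in password)]
    others = {c for c in password if not any(c in cls for cls in ASCII_CLASSES)}
    return present, others


def alphabet_size(password):
    """Rough alphabet an attacker would assume: the full size of each ASCII
    class present, plus one per other distinct character. A deliberately
    crude floor; a real deployment would use a pattern-aware estimator."""
    present, others = character_classes(password)
    return sum(len(cls) for cls in present) + len(others)


def crack_time_seconds(password):
    """Expected seconds for a brute-force search covering half the keyspace.
    Common passwords fall to a dictionary pass before any brute force."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return alphabet_size(password) ** len(password) / 2 / GUESSES_PER_SECOND


def human_time(seconds):
    """'instantly', or 'about N <unit>' using the largest unit that fits."""
    units = (("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86400),
             ("years", 365.25 * 86400), ("millennia", 1000 * 365.25 * 86400))
    if seconds < 1:
        return "instantly"
    name, size = units[0]
    for candidate in units:
        if seconds >= candidate[1]:
            name, size = candidate
    return f"about {seconds / size:.3g} {name}"


def check_password(password):
    """Reject only below MIN_LENGTH; otherwise accept and return warnings
    plus the estimate a sign-up page could show instead of a weak/strong bar."""
    result = {"accepted": len(password) >= MIN_LENGTH, "warnings": [],
              "crack_time": human_time(crack_time_seconds(password))}
    if not result["accepted"]:
        result["warnings"].append(f"shorter than {MIN_LENGTH} characters")
        return result
    present, others = character_classes(password)
    if password.lower() in COMMON_PASSWORDS:
        result["warnings"].append("one of the most common passwords; guessed instantly")
    if len(present) + (1 if others else 0) == 1:
        result["warnings"].append("only one kind of character")
    return result


def base64_no_digit_probability(n_bytes):
    """Chance that `openssl rand -base64 N` contains no decimal digit, for N a
    multiple of 3 (so no '=' padding): 4N/3 symbols from a 64-symbol alphabet,
    10 of which are digits."""
    if n_bytes % 3:
        raise ValueError("use a multiple of 3 bytes so the output has no padding")
    return (54 / 64) ** (4 * n_bytes // 3)


if __name__ == "__main__":
    for pw in ("12345678", "1234567a", "correct horse battery staple"):
        print(pw, check_password(pw))
    print("P(no digit in `openssl rand -base64 12`) =",
          round(base64_no_digit_probability(12), 3))
```

Note that "12345678" is accepted (it clears the length floor) but comes back with two warnings and an "instantly" estimate, which is the point of warn-instead-of-forbid; the brute-force estimate is only a floor, so for anything shown to real users prefer a pattern-aware estimator such as zxcvbn over this heuristic.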
The people I know who use hotmail these days all love it. Unfortunately an @hotmail.com email address in my field is just instantly regarded as unprofessional and laughable.
Oh, be serious. I still use my @hotmail.com account extensively. I've had it since before MS bought it, so I think it is more a sign of my longevity online than anything else. Most professional software engineers that I know feel the same way. My experience is that people who judge you by your email tend to be very young and inexperienced software folk.
> The people I know who use hotmail these days all love it.
I couldn't tell if you were joking, so I just logged into my hotmail account after years. Wow, some things never change. What do your friends love more - the flashing banner ads or the Outlook-style frames with scrollbars?
I still have a Hotmail address as my 'spam catchall' address around the web. I've had it since probably 1998, and since a lot of old friends and accounts are still connected to it I'm not letting it go. It continues to serve its purpose well. I've watched Hotmail evolve over the years and honestly the current state of it is pretty good. Considering they are the #1 spam sink on the web, I get virtually none in my inbox. Their interface is pretty slow at times, but considering I don't live in there I don't mind.
I wouldn't write off a Hotmail address as a 'joke' though... some of those who still have them may have had them a long, long time.
> Hotmail will put the account in recovery mode which will cause a password reset.
This sounds like it could be easily abused. How will the password reset work if the Hotmail address is the only one a user has? What will he need to do to reclaim access to his account?
In comments on the original blog post, the PM for this feature mentions that the "my friend's been hacked" reports aren't enough by themselves to trigger this; they have to be accompanied by suspicious usage patterns on the allegedly hacked account.
I think that this is a great idea, but there will need to be a few things in place to make it secure enough for use.
- Only friends that communicate "a lot" should be able to report it (and not repeatedly).
- If the account's password was compromised, then the attacker will enter the account recovery flow on the next login attempt. So the AR flow will need to ensure that the user is not the attacker (trusted SMS and e-mail, based on age and usage, are pretty good).
But why not just create a system that will alert the user when a successful login was made from a new device on their account? And include an account lock link in the e-mail, so they can quickly lock their account from anywhere with cell phone access.
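The triage the comments above describe, in working form: accept a "my friend's been hacked" report only from contacts with a real message history, rate-limit repeat reports, never enter recovery mode on reports alone but only when corroborated by suspicious usage (as the PM's comment says Hotmail does), and build the new-device alert's lock link as a signed, time-limited token. This is an added example, not Hotmail's implementation; every threshold, the contact history and the clock are assumptions constructed for illustration.

```python
"""Triage of "my friend's been hacked" reports, plus a signed lock link.

Added example, not Hotmail's implementation. The thresholds, the contact
history and the clock are assumptions constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

MIN_MESSAGES_BETWEEN = 20        # assumed: reporter must really correspond with the target
REPORT_COOLDOWN_S = 7 * 86400    # assumed: one report per reporter per target per week
MIN_DISTINCT_REPORTERS = 2       # assumed: a single friend cannot trigger recovery
SUSPICIOUS_SENT_PER_HOUR = 100   # assumed: corroborating signal on the target account


class ReportTriage:
    def __init__(self, message_counts, now=time.time):
        # message_counts: {(sender, recipient): messages sent}, constructed by caller
        self.message_counts = message_counts
        self.now = now
        self.reports = defaultdict(dict)   # target -> {reporter: time of last report}

    def contact_strength(self, a, b):
        """Messages exchanged in either direction."""
        return self.message_counts.get((a, b), 0) + self.message_counts.get((b, a), 0)

    def report(self, reporter, target):
        """Accept a report only from a contact who talks to the target 'a lot',
        and not repeatedly from the same reporter within the cooldown."""
        if self.contact_strength(reporter, target) < MIN_MESSAGES_BETWEEN:
            return "ignored:weak-contact"
        last = self.reports[target].get(reporter)
        if last is not None and self.now() - last < REPORT_COOLDOWN_S:
            return "ignored:rate-limited"
        self.reports[target][reporter] = self.now()
        return "accepted"

    def should_enter_recovery(self, target, sent_last_hour):
        """Reports alone never flip an account into recovery mode; they must be
        corroborated by suspicious usage on the reported account."""
        recent = [t for t in self.reports[target].values()
                  if self.now() - t < REPORT_COOLDOWN_S]
        return (len(recent) >= MIN_DISTINCT_REPORTERS
                and sent_last_hour >= SUSPICIOUS_SENT_PER_HOUR)


# New-device login alert: the e-mail carries a link that locks the account.
# The link is an HMAC-signed, time-limited token so nobody can forge one.
LOCK_LINK_TTL_S = 86400                   # assumed
LOCK_KEY = secrets.token_bytes(32)        # assumed: server-side secret, per deployment


def make_lock_token(account, login_id, issued=None, key=LOCK_KEY):
    issued = int(time.time()) if issued is None else int(issued)
    body = f"{account}|{login_id}|{issued}"
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def verify_lock_token(token, now=None, key=LOCK_KEY):
    """Return (account, login_id) if the signature is valid and the token is
    fresh, else None. Constant-time compare avoids leaking the signature."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    account, login_id, issued, sig = parts
    expected = hmac.new(key, f"{account}|{login_id}|{issued}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = int(time.time()) if now is None else int(now)
    if not issued.isdigit() or now - int(issued) > LOCK_LINK_TTL_S:
        return None
    return account, login_id


if __name__ == "__main__":
    counts = {("alice", "bob"): 50, ("dave", "bob"): 40, ("carol", "bob"): 3}
    triage = ReportTriage(counts)
    for reporter in ("alice", "alice", "carol", "dave"):
        print(reporter, "->", triage.report(reporter, "bob"))
    print("recovery:", triage.should_enter_recovery("bob", sent_last_hour=500))
    token = make_lock_token("bob@example.com", "login-42")
    print("lock link valid for:", verify_lock_token(token))
```

Two design notes: the lock link must be delivered to a channel the attacker does not already control (a recovery address or phone, not the compromised mailbox itself), and the token above only locks; unlocking still has to go through the recovery flow the comment describes, which verifies the trusted SMS/e-mail before handing the account back.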
I've noticed that Hotmail's spam filtering has improved significantly in the past year or two (I still have an old Hotmail account). It may be 7 years too late to compete with Gmail for new customers, but it's nice to see these improvements from Microsoft.
An added benefit of this is that Exchange customers can take advantage of what Microsoft has learnt from filtering Hotmail's spam by using FOPE (http://technet.microsoft.com/en-us/forefront/cc540243) as a cloud-based spam filter. It's amazing how well it works.
Has anyone ever seen Microsoft confirm a problem with Hotmail itself being "hacked"? I have an account with Hotmail I don't use and haven't since 2007; I logged in recently to discover it had been sending spam emails. Every single person I know with an active or inactive Hotmail account has the same problem.
I have several old accounts, I just logged into a few and they haven't sent any mails. I have family that use Hotmail and don't get spam from them either.
Maybe you and your circle all happened to use some of those other big profile sites (Gawker, Sony, etc.) that have had their e-mails and password lists stolen...
Haven't tried this feature yet, and don't expect to try any time in the future either. If my friend is hacked and keeps sending me email, I'll just block that person.
I know plenty of people that have active and inactive Hotmail accounts and I don't get spam from them.