X Marks the Scot - An on-line community of kilt wearers.


  1. #1
    Join Date
    19th August 09
    Location
    About and around, depends on the season.
    Posts
    505
    I have a work-related email, but I kept Hotmail for personal conversations and for private internet purchase receipts. It was my personal account that sent the email to my supervisor, and her supervisor, and colleagues.

  2. #2
    Join Date
    17th May 06
    Location
    Edinboro, PA
    Posts
    277
    If I may add my $0.02 worth: when it comes to password security, I personally believe that a password management program is an invaluable tool towards maintaining your online security. I use a password manager that hides my passwords for all my internet sites behind 256-bit encryption. In addition, all of my passwords are randomly generated by that same program, using capital and lower case letters, numbers and symbols. The sites that I'm most paranoid about have randomly-generated passwords that are 25 characters long before being encrypted. Try breaking that password.
    I have my password database backed up on two removable devices and I update the backups on a regular basis. As a result, I actually don't know my email password... or my Xmarks password, etc. It's securely locked away from prying eyes.

    Oh, speaking of "prying eyes", I would also recommend to anyone who is interested in maintaining their online security that you set your web browser to NOT remember passwords. Many browsers (Internet Explorer is particularly guilty of this) store your passwords in a file that is located in the same place on your computer, under the same file name, and in an un-encrypted state. This makes it VERY easy for any malicious software to pluck the stored passwords from that file and send them off to the programmer who created that software. If you have to type in the password whenever you visit a website (or paste it in from your password management software, as I do), there are no stored passwords on your computer for malicious software to steal.

    cheers!
    Pro Libertate (For Freedom!) The motto of the Wallace Clan
    When injustice becomes law, resistance becomes duty.

  3. #3
    Join Date
    1st August 09
    Location
    Augusta, GA, USA
    Posts
    361
    The sad truth is the current method of designing passwords is actually easier to crack for a computer program than most think. Encryption makes it harder for a human, but it doesn't make a difference for a bot to do it. A bot literally just guesses at hundreds to thousands of passwords a second.

    This comic from xkcd explains the problem.
    Death before Dishonor -- Nothing before Coffee

    Nihil curo de ista tua stulta superstitione

  4. #4
    Join Date
    17th May 06
    Location
    Edinboro, PA
    Posts
    277
    Quote, originally posted by Deirachel:
        The sad truth is the current method of designing passwords is actually easier to crack for a computer program than most think. Encryption makes it harder for a human, but it doesn't make a difference for a bot to do it. A bot literally just guesses at hundreds to thousands of passwords a second.

        This comic from xkcd explains the problem.

    Deirachel, while the comic does highlight the issues with bots cracking passwords, the example given had a base English word and substituted some numbers for letters. Yes, it's harder than a regular word straight out of the dictionary, but it can be cracked. In my case, however, there's no word-base used. As an example, I had my password manager generate a random password for this post (that is to say, it's not a password that I currently use):

    ?#_vLsf\N6w4-<j/kz~5

    20 randomly selected characters has a very high degree of entropy. Even with rainbow tables, that's going to take some significant cracking even for a bot. According to the site www.howsecureismypassword.net, that password would "... take a desktop PC about 560 sextillion years to crack ..."


    cheers
    Hachiman
    Pro Libertate (For Freedom!) The motto of the Wallace Clan
    When injustice becomes law, resistance becomes duty.

  5. #5
    Join Date
    1st August 09
    Location
    Augusta, GA, USA
    Posts
    361
    Quote, originally posted by Hachiman:
        20 randomly selected characters has a very high degree of entropy. Even with rainbow tables, that's going to take some significant cracking even for a bot. According to the site www.howsecureismypassword.net, that password would "... take a desktop PC about 560 sextillion years to crack ..."

    Definitely, I agree that using a random string of characters is THE best way to make a password with the current conventions of how to construct a password. The point being made by that comic is not that there aren't better methods of password construction, but that the current convention is less effective than other ideas of password construction. Random letters, numbers, and symbols are going to be the least likely to be cracked, but they are EXTREMELY difficult for a human to remember. Most people won't use this type of password, simply because it is so hard to remember.

    Second, the system when calculating the amount of time for a crack assumes a mid-range CPU/GPU making 250 million attempts per second (per the creator's Facebook account). A dedicated hacker isn't going to be running a mid-range desktop, but a top end system, possibly even an overclocked small server system. This would greatly decrease the time to crack a password.

    So, for the TL;DR: While I agree the purely random string password is the BEST password, it is an impractical solution for the average user as memorizing a random string is extremely difficult (causing the user to do one of the big no-nos - writing it down, or saving it on their computer somewhere.)

    BTW, thanks for that link, that's helpful!
    Last edited by Deirachel; 25th June 12 at 03:54 PM. Reason: used an antonym
    Death before Dishonor -- Nothing before Coffee

    Nihil curo de ista tua stulta superstitione
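
The arithmetic behind the crack-time estimate discussed in the two posts above, as an added example that is not part of either poster's message. The 94-symbol generator alphabet and the 96-symbol alphabet used for the estimate are assumptions; with 96 symbols and the quoted 250 million guesses per second, exhausting every 20-character candidate comes to about 5.6e23 years, and the figure shrinks linearly as the guess rate rises.

```python
import math
import secrets
import string

# Assumed generator alphabet: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy in bits; only valid when every character is chosen at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, alphabet_size, guesses_per_second):
    """Years to try every candidate; the expected hit comes at half of this."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(bits, alphabet_size):
    """Shortest uniformly random password that reaches the requested entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    print("sample password:", generate_password())
    print(f"entropy: {entropy_bits(20, len(ALPHABET)):.1f} bits")
    # Quoted rate first, then attackers 1,000x and 1,000,000x faster (constructed).
    for rate in (250e6, 250e9, 250e12):
        years = years_to_exhaust(20, 96, rate)
        print(f"{rate:.1e} guesses/s -> {years:.2e} years")
    print("chars needed for 128 bits, lowercase only:", min_length_for(128, 26))
```

The entropy figure applies only to passwords drawn uniformly at random, as a generator does; a human-chosen word with substitutions has far fewer effective bits than its length suggests.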

  6. #6
    Join Date
    17th May 06
    Location
    Edinboro, PA
    Posts
    277
    Quote, originally posted by Deirachel:
        So, for the TL;DR: While I agree the purely random string password is the BEST password, it is an impractical solution for the average user as memorizing a random string is extremely difficult (causing the user to do one of the big no-nos - writing it down, or saving it on their computer somewhere.)

        BTW, thanks for that link, that's helpful!

    Deirachel, as I mentioned previously, I don't memorize my passwords. I use a cross-platform password manager to hide my randomly-generated 20 character passwords behind 256-bit encryption, and then cut-and-paste my username and passwords into the appropriate fields on any website that I use that requires authentication. I literally do not know my own email password. That's the job of my password manager.

    As for the link: you're welcome!

    cheers!
    Hachiman
    Pro Libertate (For Freedom!) The motto of the Wallace Clan
    When injustice becomes law, resistance becomes duty.

  7. #7
    Join Date
    25th November 09
    Location
    Lomita, CA (via Boston, MA)
    Posts
    1,023
    I have no incentive from nor any relationship with LastPass, but that is the password manager I use and can highly recommend it. There are user-configurable options for the password strength and criteria, and they have 2-factor authentication, which I definitely use. Because I am involved with IT and e-commerce professionally as well as personally, maintaining track of passwords would be otherwise impossible.

  8. #8
    Join Date
    27th October 09
    Location
    Kerrville, Texas
    Posts
    5,711
    Yup, my Hotmail account got hacked last year too. Started sending spam to everyone in my contact list. It took a while to get it corrected. I'm sure it will happen again at some point, as any password can be cracked with enough guesses by bots. This is why I no longer keep anyone in my address book. I just manually type in their email address, so if I do get hacked again, they won't suffer for it.

  9. #9
    Join Date
    22nd September 08
    Location
    Aberdeen/Huntly, Scotland
    Posts
    1,141
    This is a worrying post. I feel slightly paranoid about my email and passwords now, since I use Hotmail and can't remember having ever changed any of my passwords.
    Jordan
    The hielan' man he wears the kilt, even when it's snowin';
    He kens na where the wind comes frae,
    But he kens fine where its goin'.

  10. #10
    Join Date
    1st August 11
    Location
    Romsey Nr Southampton UK
    Posts
    2,003
    Jordan, change it now; it's easy to set up a Gmail or alternative email account. Do it and transfer any saved files before you too end up spending lots of time doing it after it's too late.
    Friends stay in touch on FB simon Taylor-dando
    Best regards
    Simon
