New Hotmail security features against account hijacking

Microsoft has decided to introduce two new security features for its web-based Hotmail service, in the hope that this will make the accounts more difficult to hijack and eventual hijackings spotted faster.

The first one makes the use of extremely common passwords impossible. “Common passwords are not just ‘password’ or ‘123456’ (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like ‘ilovecats’ or ‘gogiants,'” explains Dick Craddock, Program Manager at Microsoft.

The feature will be rolled out soon, and it will hopefully prevent successful brute force “dictionary” attacks.

The second one has already been released, and allows users to report compromised accounts to Microsoft immediately after receiving a spam or scam email from a contact’s email account.

This can be done in two ways. Either you move the email in question to the Junk folder and you get offered the option of reporting the possible hack, or you mark it with the “My friend’s being hacked!” option:

The feature also works for compromised Gmail and Yahoo! Mail email accounts, and Microsoft relays the information to Yahoo! and Google. In the few weeks since its release, this option has proved to be very helpful.

“When you report that your friend’s account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked,” says Craddock. “It turns out that the report that comes from you can be one of the strongest ‘signals’ to the detection engine, since you may be the first to notice the compromise.”

The timing for the rollout of these feature could not be better – a recent report says that spammers are gradually shifting distribution from botnets to compromised accounts.