Weak passwords will soon be disallowed across all Windows Live accounts in a bid to reduce account hijacking. Common passwords and phrases such as ‘ilovecats’, ‘gogiants’ and even plain ‘password’ will no longer be accepted. As well as blocking weak passwords, users will be given the option to report accounts they believe have been hijacked.
Dick Craddock, Group Program Manager for Windows Live Hotmail, wrote on the Windows Live Team blog: ‘we know that account hijacking is a big problem, and we continue to work hard to prevent it.’ When a user reports an account as compromised, the report is combined with other collected information; if the account is judged to be compromised, it is blocked so the spammer can no longer use it, and the original owner is ‘put through an account recovery flow.’
Craddock said that although Hotmail already had protection against brute-force attacks (in which an attacker works through a list of candidate words, trying every combination as a password), weak passwords could still be guessed by the third or fourth attempt.
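The two controls the article describes, a denylist of common passwords applied at registration and a failed-attempt lockout applied at login, fit together in a few dozen lines. The following is an added illustration, not Microsoft's code: the denylist is a constructed sample containing the passwords the article names plus a few filler values, the `LoginThrottle` class and the `attempts_before_lockout` policy check are assumptions for the example, and the account name is a placeholder. The check goes slightly beyond the article by normalising away case, trailing digits and leet substitutions so that ‘Password1!’ is treated the same as ‘password’.

```python
import re
from collections import defaultdict

# Constructed sample denylist, listed roughly by popularity. It holds the
# passwords named in the article plus a few filler values; a production list
# would be derived from breach corpora and hold many thousands of entries.
COMMON_PASSWORDS = [
    "123456", "password", "iloveyou", "princess", "rockyou",
    "12345678", "abc123", "ilovecats", "gogiants", "qwerty",
]
_DENYLIST = set(COMMON_PASSWORDS)
# Undo the character substitutions people use to dress up a dictionary word.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})


def normalize(password):
    """Canonicalize a candidate so trivial dressing-up still hits the denylist:
    lower-case, strip a trailing run of digits/punctuation ("Password1!"),
    then undo leet substitutions ("P@ssw0rd")."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    return p.translate(_LEET)


def is_weak(password, min_length=8):
    """Policy check run at registration or password reset: reject short
    passwords and anything that maps onto the denylist."""
    if len(password) < min_length:
        return True
    return password.lower() in _DENYLIST or normalize(password) in _DENYLIST


class LoginThrottle:
    """Per-account failed-attempt counter (assumed design): after
    `max_failures` consecutive failures the account is locked until an
    out-of-band recovery step resets it."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def record(self, account, success):
        """Record one login attempt; returns 'ok', 'fail' or 'locked'."""
        if self.failures[account] >= self.max_failures:
            return "locked"
        if success:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            return "locked"
        return "fail"


def attempts_before_lockout(true_password, max_failures=5):
    """Defender-side policy test: feed the popularity-ordered list to a fresh
    throttle and report ('guessed', n) if the password would be found within
    the lockout budget, ('locked', n) if the throttle stops it first, or
    ('exhausted', n) if the sample list runs out."""
    throttle = LoginThrottle(max_failures)
    account = "victim@example.com"  # placeholder account name
    for n, candidate in enumerate(COMMON_PASSWORDS, start=1):
        outcome = throttle.record(account, candidate == true_password)
        if outcome == "ok":
            return ("guessed", n)
        if outcome == "locked":
            return ("locked", n)
    return ("exhausted", len(COMMON_PASSWORDS))


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1!", "gogiants", "correct-horse-battery"]:
        print(pw, "weak" if is_weak(pw) else "ok", attempts_before_lockout(pw))
```

The point the throttle test makes is the one Craddock makes: a lockout after five failures does nothing for an account whose password sits in the top five of the guessing list, which is why the denylist has to be enforced at the moment the password is chosen rather than relied on at login time.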
Last year, the dangers of weak passwords were put in perspective when hackers gained access to 31 million accounts. The most common password was used on 290,731 of those accounts, and the next most common included ‘password’, ‘iloveyou’, ‘princess’ and ‘rockyou’.