
Windows Live ID phishing attacks reveal more about how Microsoft, rather than consumers, treats passwords October 8, 2009

Posted by jonathanpenn in identity.

Earlier this week, it was reported that some unknown number (possibly in the hundreds of thousands) of Microsoft Windows Live ID accounts were compromised through a phishing attack. I was stunned to read that some of the passwords used were strings like “123456”. I’m not surprised that people select these passwords – we all know that people choose easy passwords when allowed. What stunned me was that Microsoft would allow the use of such passwords in the first place.

Now, I know that these passwords were phished, so it wouldn’t have mattered how complex the passwords were. But given the sensitivity of Live ID accounts and Microsoft’s attention to/exposure in security, why on earth would Microsoft allow use of such pathetic passwords? It begs the question: What happened to Microsoft’s principles of “secure by design, secure by default, secure in deployment” when it came to creating and running Live ID?

A year and a half ago, Neelamadhaba Mahapatro (who runs Live ID, or at least did at the time) of Microsoft put up a post about it. I found it through Kim Cameron’s blog but it’s also here. Basically, he says that they’re well aware of the issues and have taken various precautions – and then goes on to explain them. You should see them for yourself, but I think the net-net can be found in this sentence: “We’re constantly looking for ways to balance end-user security/privacy and user experience.” This is something everyone in security (and business) has to do. However, I have to seriously question if allowing “123456” as a password constitutes any sort of balance. And after they decided to allow such lame passwords, I wonder if the Live ID team ever weighed the option of not using Live ID for access to such sensitive data.
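To make concrete what “secure by default” would mean at the signup form, here is an added illustration of a minimal password acceptance check that refuses values like “123456”. It is not Microsoft’s or Live ID’s actual policy; the blocklist, the 12-character minimum and the test inputs are constructed for the example, and a real service would load a much larger list of known-common passwords. As the post itself notes, a check like this only stops guessable passwords; it does nothing against phishing.

```python
"""Constructed example: reject weak passwords at account creation."""
import re

# Constructed sample of commonly chosen passwords; a real list is far larger.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "iloveyou", "123123", "welcome",
}

MIN_LENGTH = 12  # assumed policy value for this example


def normalize(pw: str) -> str:
    """Undo obvious leetspeak so 'p@ssw0rd' compares equal to 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                           "$": "s", "5": "s", "!": "i"})
    return pw.translate(table)


def candidates(pw: str) -> set:
    """Variants of the password that are compared against the blocklist:
    lowercased, de-leeted, and with trailing digits/punctuation removed
    (so 'Password1!' is caught as 'password')."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low, normalize(low), stripped, normalize(stripped)}


def is_sequence(pw: str) -> bool:
    """True for strictly ascending/descending runs like '123456' or 'fedcba'."""
    if len(pw) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})


def check_password(pw: str, user_fields=()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    user_fields: account identifiers (e.g. the username) that must not
    appear inside the password.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if COMMON_PASSWORDS & candidates(pw):
        reasons.append("matches a common password "
                       "(possibly with leetspeak or trailing digits)")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    if is_sequence(pw):
        reasons.append("simple keyboard/alphabet sequence")
    low = pw.lower()
    for field in user_fields:
        if field and field.lower() in low:
            reasons.append("contains account identifier")
            break
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the value from the news report and a passphrase.
    for sample in ("123456", "P@ssw0rd1!", "correct horse battery staple"):
        verdict = check_password(sample) or ["accepted"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

The check returns every reason at once so the signup form can tell the user what to change, and it compares normalized variants rather than the raw string so that trivial decorations of a blocklisted password (“Password1!”, “p@ssword”) do not slip through.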

Here’s an alternative view: Perhaps we’re ready to open the debate as to whether strong passwords are at all useful as a security tactic. Since passwords are stolen through phishing and spyware vastly more often than by brute force attacks at application login or by capturing and cracking password files, why should we even bother with strong passwords?


1. Jesse - October 9, 2009

Aside from the Live ID bungle, the ineffectiveness of passwords in today’s environment is exactly why HID came out with their “HID On The Desktop” product; it uses a regular access card to log in to a computer. Dell is now starting to offer card readers in some of their laptops.


2. jonathanpenn - October 9, 2009

Thanks for your comment. I just got a new Dell here at work, and it had HID support *and* smart card support: given that we don’t have any imminent plans to roll out 2-factor authN, it must be that the hardware is cheap enough for Dell to throw in. But I don’t see consumers adopting any form of 2-factor authN any time soon. VeriSign has been pushing this, with at best moderate success. Look at the US financial industry and how diligently they worked around 2-factor authN given the FFIEC requirements! We all know passwords are insufficient, but I don’t see 2-factor as the solution — or at least, not the solution that will be adopted. The real issue is fraud, and strong authentication is merely one approach: not wholly effective, and not accepted by users. I think we need to look elsewhere.

3. Windows Live ID phishing attacks reveal more about how Microsoft, rather than consumers, treats passwords - February 17, 2010

nice info ^^
