Windows Live ID phishing attacks reveal more about how Microsoft, rather than consumers, treats passwords
October 8, 2009. Posted by jonathanpenn in identity.
Earlier this week, it was reported that some unknown number (possibly in the hundreds of thousands) of Microsoft Windows Live ID accounts were compromised in a phishing attack. I was stunned to read that some of the passwords used were strings like “123456”. I’m not surprised that people select these passwords – we all know that people choose easy passwords when allowed. What stunned me was that Microsoft would allow the use of such passwords in the first place.
Now, I know that these passwords were phished, so it wouldn’t have mattered how complex the passwords were. But given the sensitivity of Live ID accounts and Microsoft’s attention to (and exposure in) security, why on earth would Microsoft allow the use of such pathetic passwords? It begs the question: What happened to Microsoft’s principles of “secure by design, secure by default, secure in deployment” when it came to creating and running Live ID?
A year and a half ago, Neelamadhaba Mahapatro (who runs Live ID, or at least did at the time) of Microsoft put up a post about it. I found it through Kim Cameron’s blog but it’s also here. Basically, he says that they’re well aware of the issues and have taken various precautions – and then goes on to explain them. You should see them for yourself, but I think the net-net can be found in this sentence: “We’re constantly looking for ways to balance end-user security/privacy and user experience.” This is something everyone in security (and business) has to do. However, I have to seriously question if allowing “123456” as a password constitutes any sort of balance. And after they decided to allow such lame passwords, I wonder if the Live ID team ever weighed the option of not using Live ID for access to such sensitive data.
Here’s an alternative view: Perhaps we’re ready to open the debate as to whether strong passwords are at all useful as a security tactic. Since passwords are stolen through phishing and spyware vastly more often than by brute force attacks at application login or by capturing and cracking password files, why should we even bother with strong passwords?