Time to change your hotmail/gmail/yahoo password

Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online. Mainstream media such as the BBC are also carrying the story. Some information is posted here.

UPDATE: Gmail and Yahoo are also affected by the compromise. Change all passwords on any of these popular webmail sites.

Some dos and don'ts:

  • Do change your passwords on a regular basis (every six months or so)
  • Do use long complex pass-phrases rather than passwords where you can
  • Do change all of your passwords if you notice something suspicious
  • Do take identity theft seriously
  • Do use up-to-date anti-virus and a firewall
  • Do NOT click on links in emails, ever
  • Do NOT use the same password at multiple sites
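
The last two rules, together with the update's advice to change all passwords at the affected webmail sites, can be checked mechanically against a stored password list. The following Python is an added example and is not from the diary; the keychain entries, the placeholder passwords and the reference date are all constructed.

```python
from datetime import date

# Constructed sample keychain: (site, password, date last changed).
# Every password is a made-up placeholder, not a real credential.
KEYCHAIN = [
    ("hotmail.com",  "placeholder-pass-A", date(2009, 2, 1)),
    ("gmail.com",    "placeholder-pass-A", date(2009, 8, 15)),  # reuses hotmail's
    ("yahoo.com",    "placeholder-pass-B", date(2009, 9, 20)),
    ("shop.example", "placeholder-pass-B", date(2009, 9, 25)),  # reuses yahoo's
    ("bank.example", "placeholder-pass-C", date(2009, 3, 3)),
]
REFERENCE_DATE = date(2009, 10, 6)  # assumed "today" for the example
WEBMAIL_HIT = {"hotmail.com", "gmail.com", "yahoo.com"}  # sites named in the diary

def reused_passwords(keychain):
    """Map each password used at more than one site to the sites sharing it."""
    by_pw = {}
    for site, pw, _ in keychain:
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}

def stale_passwords(keychain, today=REFERENCE_DATE, max_age_days=182):
    """Sites whose password is older than max_age_days (about six months)."""
    return [site for site, _, changed in keychain
            if (today - changed).days > max_age_days]

def must_change_now(keychain, affected_sites=WEBMAIL_HIT):
    """Sites to change right away after a breach at affected_sites: the affected
    accounts plus every other site where one of their passwords is reused,
    since a reused password turns one compromised account into several."""
    exposed = {pw for site, pw, _ in keychain if site in affected_sites}
    return sorted(site for site, pw, _ in keychain
                  if site in affected_sites or pw in exposed)

if __name__ == "__main__":
    print("reused:", reused_passwords(KEYCHAIN))
    print("stale:", stale_passwords(KEYCHAIN))
    print("change now:", must_change_now(KEYCHAIN))
```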

Adrien de Beaupré
Intru-shun.ca Inc.

Adrien de Beaupre

353 Posts
ISC Handler
Jan 25th 2011
We're sometimes told not to even write down our passwords; as if we should keep them memorised. But how can anyone memorise long, complex passwords, each one unique to every account that needs one, and remember to go back and periodically change passwords for every account? We really have no choice but to store them, but we can do that securely and portably thanks to modern crypto. Our virtual 'keychain' stores a list of every place we have an account, each account's password, and ideally when the password was set or last changed.

I know that tools for this purpose have existed for some time, but I only now realise the real necessity of them.

It would be so much easier if we were using public-key crypto for everything now, but passwords are still with us. Fortunately, the keychain idea makes it no longer difficult to use very long passwords with a great deal of entropy, which can be changed with much less of a burden; almost to the point of being a cryptographic 'nonce' used for authentication.
Steven C.

171 Posts
A passphrase is a useful compromise. I don't want to carry around a USB stick with some portable app full of passwords.

1 Posts
Or you could use a list of seeds and a passphrase algorithm.

I have a list of seed words, and a simple algorithm that uses the site name as a seed.

The end result looks like line noise and every site has a different password, but it's rather easy for me to rebuild the password for any site even if I don't go there very often.

I change the list of seed words every 6 months, and keep the old site lists documented in case there is a site I forget to update.

I also keep the names of sites where the list is valid, along with a "trust number" which represents the number of times I've had to change the password at that site since the last time I generated a new seed list.

Example algorithm: google.com
first letter == G
Third letter == O
Seed word 1 == Grass
Seed word 2 == Oragami
Trust value == 2

Remove the vowels from Seed1 == Grss
Remove the consonants from seed 2 == oaai
alternate them == Gorasasi
Square the trust value == (2x2 = 4)
Insert number into word at trust value == G4rasasi

New password==G4rasasi.

I use my gmail daily, but even if I forget the password, I can recreate it with ease.

Also, even if someone has a copy of my seed list, they have to also know the formula or it's worthless.

No keypass needed, no repeated passwords, and all I need is a slip of paper in my wallet or access to a web page with my current seed list hidden on it.
2 Posts

"Do NOT click on links in emails, ever"

But whenever people sign up for something - like an account here - and a billion other places, they receive an email with a link that performs an action like verifying the account or validating a password reset... ;) So this rule should probably be something like:

"Do NOT click on links in emails you did not explicitly request, ever!"

11 Posts
Good point.
Adrien de Beaupre

353 Posts
ISC Handler
Is it just me? The "form" hotlink on the Windows Live page asks for information that is redolent of a phishing scheme.
Adrien de Beaupre
1 Posts
Can anyone confirm that these passwords were obtained through phishing attacks, as is suggested in the Microsoft post?

7 Posts
There are many misspellings (e.g. "otmail" vs "hotmail") in the list of addresses, and pairs of passwords with only one character difference (first a typo and then re-entered); it is clear they were captured by phishing or a key-logger.
5 Posts
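
The heuristic in the comment above (provider domains that are misspelled, and one victim listed with two passwords one character apart, point to credentials typed by hand into a phishing page or captured by a keylogger rather than pulled from a database) can be run over a posted list as a triage step. This Python is an added example, not from the diary or the commenter; the sample lines and the list of known provider domains are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the address:password shape of such a posting; every value is made up.
SAMPLE_DUMP = """\
alice@otmail.com:summer09
alice@hotmail.com:summer09
bob@hotmail.com:Passw0rd
bob@hotmail.com:Passw0rd1
carol@hotmail.com:letmein
dave@hotmail.con:qwerty
erin@live.com:changeme
"""
KNOWN_DOMAINS = {"hotmail.com", "live.com", "gmail.com", "yahoo.com"}

def parse_dump(text):
    """Return (local_part, domain, password) per well-formed line; skip junk."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^([^@:\s]+)@([^:\s]+):(.*)$", line.strip())
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows

def one_char_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    long_, short = (a, b) if len(a) > len(b) else (b, a)
    i = 0
    while i < len(short) and long_[i] == short[i]:
        i += 1
    return long_[:i] + long_[i + 1:] == short

def misspelled_domains(rows):
    """Domains one typo away from a known provider: typed by a victim, not pasted."""
    return sorted({d for _, d, _ in rows if d not in KNOWN_DOMAINS
                   and any(one_char_apart(d, k) for k in KNOWN_DOMAINS)})

def retyped_pairs(rows):
    """Same local part listed twice with passwords one character apart."""
    by_user = defaultdict(list)
    for user, _, pw in rows:
        by_user[user].append(pw)
    return [(u, p[i], p[j]) for u, p in by_user.items()
            for i in range(len(p)) for j in range(i + 1, len(p))
            if one_char_apart(p[i], p[j])]
```

Run `misspelled_domains(parse_dump(SAMPLE_DUMP))` and `retyped_pairs(...)` on the sample to see both indicators picked out.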
I have been using a variant of Eldorel's concept (posted above) for quite some time now along with password levels (high privilege down to my lowest privileged accounts). I store the necessary information required to construct these passwords and their relations to various accounts on a USB keychain I carry with me at all times. All passwords are rotated/changed on a regular basis. Until service providers such as Hotmail, Yahoo, etc. pick up on PK crypto operability, I feel this is working quite well for me.

For the regular end user (those of us not inherently paranoid (for good reason)) changing one's password on a regular basis has long been a standard defense against various forms of password compromise.

16 Posts
I failed to mention... if you, or someone you do know is in the process of making these password changes, or are recovering from a compromise situation... please... do NOT change your password FROM the compromised system! Use a known "safe" system to do this, or you are just handing the bad guys your new credentials.

16 Posts
What is the big hype over this? There is nothing new here. This was the spoils from just one phishing attack among too many to count, not a dangerous new brute force password attack targeting weak passwords. The only reason this made the news is because the credentials were posted, as opposed to being used only surreptitiously. 10,000 accounts is a measly 0.35% of the Hotmail user base. If only 0.35% of recipients fell for phishing attacks, the world's cyber security status would suddenly have gone up at least an order of magnitude.
n3kt0n: I'm with you. Reading the headline makes it seem like somebody cracked multiple mail vendors. The only thing that happened is that a phisher posted his successes to a web site. Instead of having to guess how many people were affected, you can go to the web site and count them. The only way this attack was different from any others is that people in denial now have proof that there's at least one phisher in the world. That's hardly something that should cause hysteria among security professionals.

4 Posts
Anyone know where to send a found list to? I've tried looking for an email address at MS that I could send it to... thanks
1 Posts
I agree that the instructions to go out and change our password are a little overboard. If we suspect we have been caught in the phishing scheme (i.e. our password compromised), then immediately changing our password is warranted, but just because someone else's passwords were compromised we are supposed to change ours? Not sure if that makes a lot of sense unless their Administrator passwords were stolen AND unless that allows them to change or obtain our passwords. Can the SANS author further explain its reasoning?
