Faster Forward: Hotmail adds account defenses

By Rob Pegoraro
Wednesday, September 29, 2010; 1:03 PM

Microsoft upgraded the security of its Hotmail Web-mail service on Monday, adding two ways for holders of Hotmail accounts to get back into their accounts after hackers break in. That's a welcome step to address a growing problem.

But one of these account-recovery tools requires you to run Windows and install extra software from Microsoft. That's an unwelcome reminder of Microsoft's less-endearing side.

As a post on Microsoft's Windows Team Blog explained, the company recognizes that the traditional account-security techniques haven't worked well to protect consumer Web-mail accounts from compromise via phishing scams, malware, or password guessing.

John Scarrow, general manager for safety services, noted how often the standard secret-question account-recovery method fails in practice: "For example, only 25% of people with a secret question actually remembered their answer when needed." (Sometimes, an outsider can figure out the "secret" answer on their own.)

Scarrow wrote that Microsoft now automatically scans for signs of compromised accounts in their "login and account activity" and kicks out hijackers if necessary. It also requires that a user use one of the existing "proofs" on their account--for instance, providing the answer to a secret question or confirming their access to the backup e-mail address on record--before adding a new proof or changing any of the existing ones.

And Hotmail now lets users add two other ways to lock down an account.

© 2010 The Washington Post Company