Faster Forward: Hotmail adds account defenses

By Rob Pegoraro
Wednesday, September 29, 2010; 1:03 PM

Microsoft upgraded the security of its Hotmail Web-mail service on Monday, adding two ways for holders of Hotmail accounts to get back into their accounts after hackers break in. That's a welcome step to address a growing problem.

But one of these account-recovery tools requires you to run Windows and install extra software from Microsoft. That's an unwelcome reminder of Microsoft's less-endearing side.

As a post on Microsoft's Windows Team Blog explained, the company recognizes that the traditional account-security techniques haven't worked well to protect consumer Web-mail accounts from compromise via phishing scams, malware, or password guessing.

John Scarrow, general manager for safety services, noted how often the standard secret-question account-recovery method fails in practice: "For example, only 25% of people with a secret question actually remembered their answer when needed." (Sometimes, an outsider can figure out the "secret" answer on their own.)

Scarrow wrote that Microsoft now automatically scans accounts' "login and account activity" for signs of compromise and kicks out hijackers if necessary. It also requires that a user present one of the existing "proofs" on the account--for instance, the answer to a secret question or confirmation of access to the backup e-mail address on record--before adding a new proof or changing any of the existing ones.
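As an added illustration of that proof-change rule (example code written for this page, not Microsoft's implementation; the proof kinds, method names and the one-time-code modelling of e-mail and text-message proofs are assumptions), here is a small model of an account whose proofs can only be added or replaced after an existing proof is verified, so that a hijacker who has the password still cannot quietly swap in a recovery phone of their own:

```python
import hashlib
import hmac
import secrets


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted hash of a secret-question answer, normalised so that
    'Fluffy ' and 'fluffy' match. Answers are low-entropy, so this only
    avoids storing them in the clear; it does not make them hard to guess."""
    return hashlib.sha256(salt + answer.strip().lower().encode("utf-8")).digest()


class ProofRequired(PermissionError):
    """Raised when a proof change is attempted without verifying an existing proof."""


class Account:
    # Hypothetical proof kinds: "secret_question" stores (salt, hash);
    # "backup_email" and "sms" store a contact address and are verified by a
    # one-time code delivered to that channel.
    CONTACT_KINDS = ("backup_email", "sms")

    def __init__(self) -> None:
        self.proofs: dict = {}
        self.pending_codes: dict = {}   # kind -> outstanding one-time code
        self.audit: list = []

    def _store(self, kind: str, value: str) -> None:
        if kind == "secret_question":
            salt = secrets.token_bytes(16)
            self.proofs[kind] = (salt, hash_answer(value, salt))
        elif kind in self.CONTACT_KINDS:
            self.proofs[kind] = value.strip()
        else:
            raise ValueError(f"unknown proof kind {kind!r}")

    def send_code(self, kind: str) -> str:
        """Issue a one-time code for a contact-based proof. A real service
        would deliver it to the address on file; here it is returned so the
        example can run offline."""
        if kind not in self.CONTACT_KINDS or kind not in self.proofs:
            raise ValueError(f"no contact proof of kind {kind!r}")
        code = secrets.token_hex(4)
        self.pending_codes[kind] = code
        return code

    def verify(self, kind: str, presented: str) -> bool:
        """Check a presented answer or code against the proof on file."""
        if kind == "secret_question":
            stored = self.proofs.get(kind)
            if stored is None:
                return False
            salt, digest = stored
            return hmac.compare_digest(digest, hash_answer(presented, salt))
        expected = self.pending_codes.pop(kind, None)   # codes are single-use
        return expected is not None and hmac.compare_digest(expected, presented)

    def bootstrap_proof(self, kind: str, value: str) -> None:
        """First proof on a fresh account: nothing exists yet to verify against."""
        if self.proofs:
            raise ProofRequired("account already has proofs; use set_proof")
        self._store(kind, value)
        self.audit.append(f"bootstrap {kind}")

    def set_proof(self, proven_kind: str, proven_value: str,
                  new_kind: str, new_value: str) -> None:
        """Add or replace a proof only after an existing proof is verified."""
        if not self.verify(proven_kind, proven_value):
            self.audit.append(f"denied change of {new_kind}")
            raise ProofRequired("verify an existing proof before changing proofs")
        self._store(new_kind, new_value)
        self.audit.append(f"set {new_kind} after proving {proven_kind}")

    def recover(self, kind: str, presented: str) -> bool:
        """Account recovery: any one valid proof regains access."""
        ok = self.verify(kind, presented)
        self.audit.append(f"recovery via {kind}: {'ok' if ok else 'failed'}")
        return ok


def hijack_scenario() -> tuple:
    """Constructed walk-through: owner sets a secret question, an intruder who
    does not know the answer tries to add a phone, the owner adds one instead,
    then recovers by text message. Returns (intruder_blocked, owner_added_sms,
    sms_recovery_ok, reused_code_rejected)."""
    acct = Account()
    acct.bootstrap_proof("secret_question", "Fluffy")
    try:
        acct.set_proof("secret_question", "rex", "sms", "+1 555 0100")
        intruder_blocked = False
    except ProofRequired:
        intruder_blocked = "sms" not in acct.proofs
    acct.set_proof("secret_question", " fluffy ", "sms", "+1 555 0100")
    code = acct.send_code("sms")
    recovered = acct.recover("sms", code)
    reused_rejected = not acct.recover("sms", code)
    return intruder_blocked, "sms" in acct.proofs, recovered, reused_rejected


if __name__ == "__main__":
    print(hijack_scenario())
```

The audit list is there because the other half of what the article describes, scanning "login and account activity" for signs of compromise, depends on exactly these events (denied proof changes, failed recoveries) being recorded somewhere a detector can read them.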

And Hotmail now lets users add two other ways to lock down an account.

One catches up to a longstanding feature at Gmail and Yahoo: account recovery by text message. That's a sensible addition--though it's undermined by Microsoft's failure to promise upfront that it will not use your mobile number for any purpose but account recovery. I couldn't find any such promise in its privacy policy, so check your marketing preferences afterwards.

The other security upgrade, "Trusted PC," links your Hotmail account to an individual computer. But where other sites, such as Yahoo, provide machine-specific identification using standard Web techniques, Microsoft requires you to install its Windows Live Essentials software to use this feature.

That suite of programs requires Windows XP Service Pack 2 or a newer release of Microsoft's desktop operating system--and in comments on Scarrow's post, some users complain that they are still told to install the software even though they already have Live Essentials installed.

Hotmail didn't prompt me to enable these options when I logged in; I had to look for them on a Windows Live account-overview page. To get there, log into Hotmail, click the triangle to the right of your name at the top right of the page and select Account.

Now that I've spent most of this post critiquing Microsoft's implementation of these security upgrades, I'm going to tell you to use them anyway. I've heard from too many people who lost access to their Web-mail accounts, and they all found it a thoroughly degrading experience. So, please, if you place any value on your Hotmail address, take a minute and enable those features.

© 2010 The Washington Post Company