Trove of Hotmail Passwords Posted Online

Brian Krebs
Copyright 2009
Tuesday, October 6, 2009; 1:41 PM

If you use Microsoft's free Hotmail service, it may be time to change your password: Microsoft said Monday that several thousand Hotmail account credentials were posted online over the weekend.

In a statement posted to its Windows Live Spaces blog, Microsoft said the company has determined that the data spill was not the result of a breach of internal Microsoft data, but rather was likely the haul from a phishing scheme. Microsoft said it is taking measures to block access to all of the accounts that were exposed and has resources in place to help those users reclaim their accounts. Microsoft said users who believe their information was documented on the illegal list (i.e., you have reason to believe you may have recently fallen for a Hotmail phishing scam) can reclaim access to their accounts by filling out this form.

October being Cyber Security Awareness Month and all, it's probably a good idea to remind readers about password best practices, particularly as they relate to Webmail accounts.

- Make sure you have set up an alternate e-mail address for your account. Most free Webmail providers, including Hotmail, Gmail and Yahoo!, offer this feature, which is usually accessible under the user account settings. This way, even if someone does manage to steal your password, you can reset it by having the "reset your password" link sent to an alternative e-mail inbox. This is especially useful should you find yourself in the unenviable position of having your Hotmail inbox held hostage and being subjected to extortion in order to regain access to it (see Your Money or Your E-mail).

- Avoid using your e-mail password as your password at other sites. If that other site gets hacked, not only do the attackers know your e-mail address, but they now also have your e-mail password. That said, many online forums require you to pick a password and user name, and I think it's generally okay to use the same password at multiple forums, provided said forums don't store personal or financial data about you.

- Several high-profile Webmail account password compromises have succeeded because victims picked easily guessed answers for the "secret question and answer" pair that many sites use as a password reset security feature. Often, the questions request personal information that may not be terribly secret in this age of social networking and online consumer databases. If you have the choice, create your own unique question and answer. If you must pick from a preexisting list of questions, consider choosing a bogus answer that makes you laugh and has special meaning for you (you're more likely to remember a false answer this way).

- DO NOT use your user name as your password.

- Don't use easily guessed passwords, such as "password."

- Do not choose passwords based upon details that may not be as confidential as you'd expect, such as your birth date, your Social Security or phone numbers, or names of family members.

- Create unique passwords that use some combination of words, numbers, symbols, and both upper- and lowercase letters. One way to forge strong, memorable passwords is to use the first letter from each word of a favorite phrase, book or movie. For example, "The ratio of people to cake is too big" could be "Troptcitb," a fine and fun password (especially if you include the capitalization).

- If you need to write down your passwords, consider storing them in a password vault that encrypts the information, such as Password Safe, KeePass, or Roboform. Mac users have this functionality built into the operating system in Keychain, which consolidates a user's passwords in one place and makes them accessible via a master password or passphrase.

Update, Oct. 6, 1:15 p.m. ET: News of these stolen passwords was originally reported by Neowin.net, which said that some 10,000 Hotmail account credentials had been briefly posted online. Web application security vendor Acunetix says it managed to get hold of that file while it was up on the Web, and has done some interesting analysis of the most common passwords.
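The password advice above can be turned into a small self-check. The following is an added example, not code from the article or from Microsoft: it derives a mnemonic password from a phrase the way the "Troptcitb" example does, and checks a candidate password against the list's rules (not the user name, not a common password, not built from personal details, not a single character class). The common-password set and the personal details are constructed sample inputs; a real deployment would use a full breached-password list.

```python
import re

# Constructed sample of easily guessed passwords (hypothetical, not from the
# article); a real check would use a full breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}


def mnemonic_password(phrase: str, keep_capitalization: bool = True) -> str:
    """Build a password from the first character of each word of a phrase,
    the way the article turns "The ratio of people to cake is too big"
    into "Troptcitb". Words that start with punctuation are skipped."""
    initials = "".join(w[0] for w in phrase.split() if w[0].isalnum())
    return initials if keep_capitalization else initials.lower()


def password_problems(password: str, username: str, personal_details: list) -> list:
    """Return the article's rules that a candidate password breaks.
    An empty list means it passes. personal_details is a caller-supplied
    list of strings (birth date, phone number, family names, ...)."""
    problems = []
    lowered = password.lower()
    if lowered == username.lower():
        problems.append("password equals user name")
    if lowered in COMMON_PASSWORDS:
        problems.append("easily guessed password")
    for detail in personal_details:
        detail = detail.strip()
        if not detail:
            continue
        # Match the detail as typed, or any run of 4+ digits taken from it
        # (so a birth date "1978-03-14" also catches "1978" in the password).
        digit_runs = re.findall(r"\d{4,}", detail) + [re.sub(r"\D", "", detail)]
        if detail.lower() in lowered or any(
            len(run) >= 4 and run in password for run in digit_runs
        ):
            problems.append("contains personal detail: " + detail)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 2:
        problems.append("uses a single character class; mix case, digits or symbols")
    return problems


if __name__ == "__main__":
    pw = mnemonic_password("The ratio of people to cake is too big")
    print(pw, password_problems(pw, "bkrebs", ["1978-03-14", "Smith"]))
```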




© 2009 Washingtonpost.Newsweek Interactive