Time to change your hotmail/gmail/yahoo password

Published: 2009-10-05
Last Updated: 2011-01-25 00:08:42 UTC
by Adrien de Beaupre (Version: 1)
14 comment(s)

Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online. Mainstream media such as the BBC are also carrying the story. Some information is posted here.

UPDATE: Gmail and Yahoo are also affected by the compromise. Change all passwords on any of these popular webmail sites.

Some dos and don'ts:

  • Do change your passwords on a regular basis (every six months or so)
  • Do use long complex pass-phrases rather than passwords where you can
  • Do change all of your passwords if you notice something suspicious
  • Do take identity theft seriously
  • Do use up-to-date anti-virus and a firewall
  • Do NOT click on links in emails, ever
  • Do NOT use the same password at multiple sites

Adrien de Beaupré
Intru-shun.ca Inc.


We're sometimes told not to even write down our passwords; as if we should keep them memorised. But how can anyone memorise long, complex passwords, each one unique to every account that needs one, and remember to go back and periodically change passwords for every account? We really have no choice but to store them, but we can do that securely and portably thanks to modern crypto. Our virtual 'keychain' stores a list of every place we have an account, each account's password, and ideally when the password was set or last changed.

I know that tools for this purpose have existed for some time, but I only now realise the real necessity of them.

It would be so much easier if we were using public-key crypto for everything now, but passwords are still with us. Fortunately, the keychain idea makes it no longer difficult to use very long passwords with a great deal of entropy, which can be changed with much less of a burden; almost to the point of being a cryptographic 'nonce' used for authentication.
A passphrase is a useful compromise. I don't want to carry around a USB stick with some portable app full of passwords.
Or you could use a list of seeds and a passphrase algorithm.

I have a list of seed words, and a simple algorithm that uses the site name as a seed.

The end result looks like line noise and every site has a different password, but it's rather easy for me to rebuild the password for any site even if I don't go there very often.

I change the list of seed words every 6 months, and keep the old site lists documented in case there is a site I forget to update.

I also keep the names of sites where the list is valid, along with a "trust number" which represents the number of times I've had to change the password at that site since the last time I generated a new seed list.

Example algorithm: google.com
first letter == G
Third letter == O
Seed word 1 == Grass
Seed word 2 == Oragami
Trust value == 2

Remove the vowels from Seed1 == Grss
Remove the consonants from seed 2 == oaai
alternate them == Gorasasi
Square the trust value == (2x2 = 4)
Insert number into word at trust value == G4rasasi

New password==G4rasasi.

I use my gmail daily, but even if I forget the password, I can recreate it with ease.

Also, even if someone has a copy of my seed list, they have to also know the formula or it's worthless.

No keypass needed, no repeated passwords, and all I need is a slip of paper in my wallet or access to a web page with my current seed list hidden on it.
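The seed-word scheme Eldorel describes in the comment above, carried through as runnable code. This is an added example, not the commenter's own tool or anything from the ISC diary. It assumes a seed list keyed by letter; only "Grass" (G) and "Oragami" (O, spelled as posted) come from the comment, the other words are constructed here so that more hostnames can be derived. The "insert number at trust value" step is implemented as overwriting the character at that 1-based position, because that is what turns the posted "Gorasasi" into the posted "G4rasasi"; behaviour for a trust value past the end of the word, and the function names, are assumptions.

```python
import itertools
import string

VOWELS = set("aeiou")

# Constructed seed list for this demo. Only "Grass" and "Oragami" (spelled as
# in the comment) appear on the page; the rest are made up here.
SEED_WORDS = {
    "a": "Anchor",
    "g": "Grass",
    "h": "Harbor",
    "m": "Marble",
    "o": "Oragami",
    "t": "Tulip",
    "y": "Yellow",
}


def site_letters(site):
    """Return the first and third letter of the site's leading label, lower-cased.

    'google.com' -> ('g', 'o'). Digits and punctuation are skipped, so
    'mail-3.example' yields ('m', 'i').
    """
    label = site.lower().split(".")[0]
    letters = [c for c in label if c in string.ascii_lowercase]
    if len(letters) < 3:
        raise ValueError(f"need at least three letters in {site!r}")
    return letters[0], letters[2]


def strip_vowels(word):
    """Seed 1 keeps its consonants, case preserved: 'Grass' -> 'Grss'."""
    return "".join(c for c in word if c.lower() not in VOWELS)


def keep_vowels(word):
    """Seed 2 keeps only its vowels, lower-cased as in the post: 'Oragami' -> 'oaai'."""
    return "".join(c.lower() for c in word if c.lower() in VOWELS)


def interleave(a, b):
    """Alternate characters from a and b; a longer tail is appended unchanged."""
    return "".join(x + y for x, y in itertools.zip_longest(a, b, fillvalue=""))


def place_digit(word, trust):
    """Overwrite the character at 1-based position `trust` with trust squared.

    The post's own result ('Gorasasi' with trust 2 -> 'G4rasasi') replaces the
    second character rather than inserting before it, so that reading is used.
    A trust value beyond the end of the word appends the digits (assumption).
    """
    digits = str(trust * trust)
    pos = max(trust, 1)
    if pos > len(word):
        return word + digits
    return word[:pos - 1] + digits + word[pos:]


def derive_password(site, trust, seeds=SEED_WORDS):
    """Rebuild the per-site password from the seed list and the trust value."""
    first, third = site_letters(site)
    mixed = interleave(strip_vowels(seeds[first]), keep_vowels(seeds[third]))
    return place_digit(mixed, trust)


def all_distinct(sites, trust, seeds=SEED_WORDS):
    """True when every listed site gets a different password at this trust value."""
    derived = [derive_password(s, trust, seeds) for s in sites]
    return len(set(derived)) == len(derived)


if __name__ == "__main__":
    for host, trust in [("google.com", 2), ("hotmail.com", 1), ("yahoo.com", 3)]:
        print(f"{host:12} trust={trust}  ->  {derive_password(host, trust)}")
```

Running the block reproduces the comment's worked example (`google.com`, trust 2 gives `G4rasasi`) and shows that a site whose first or third letter has no seed word fails loudly with a `KeyError` rather than silently producing something; `all_distinct` checks the "no repeated passwords" property for a given set of hostnames and seed list.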

"Do NOT click on links in emails, ever"

But whenever people sign up for something - like an account here - and a billion other places they receive an email with a link that performs an action like verifying the account or validate a password reset... ;) So this rule should probably be something like:

"Do NOT click on links in emails you did not explicitly request, ever!"
Good point.
Is it just me? The "form" hotlink on the Windows Live page asks for information that is redolent of a phishing scheme.
Can anyone confirm that these passwords were obtained through phishing attacks, as is suggested in the Microsoft post?
There are many misspellings (e.g. "otmail" vs "hotmail") in the list of addresses, and pairs of passwords with only one character difference (first a typo and then re-entered); it is clear they were captured by phishing or a key-logger.
I have been using a variant of Eldorel's concept (posted above) for quite some time now along with password levels (high privilege down to my lowest privileged accounts). I store the necessary information required to construct these passwords and their relations to various accounts on a USB keychain I carry with me at all times. All passwords are rotated/changed on a regular basis. Until service providers such as Hotmail, Yahoo, etc. pick up on PK crypto operability, I feel this is working quite well for me.

For the regular end user (those of us not inherently paranoid (for good reason)) changing one's password on a regular basis has long been a standard defense against various forms of password compromise.
I failed to mention... if you, or someone you do know is in the process of making these password changes, or are recovering from a compromise situation... please... do NOT change your password FROM the compromised system! Use a known "safe" system to do this, or you are just handing the bad guys your new credentials.