Microsoft is blocking access to thousands of Windows Live Hotmail accounts after passwords for the accounts were publicly posted on a Web site.
According to a Windows Live blog post, Microsoft discovered the posted credentials over the weekend. The company is locking the accounts in question, and points to a recovery form for you to use to restore access if your account has been locked.
Microsoft’s post blames a phishing scheme as the most likely source of the stolen passwords, and says that there “was not a breach of internal Microsoft data.”
According to an additional post from the Internet Storm Center, Gmail and Yahoo “are also affected by the compromise.” The ISC post doesn’t provide any further details, but I’d take the post to mean that Gmail and Yahoo account credentials were also posted. I’ll update this post if I get more details.
The password posting, and the presumed phishing attack behind it, serve to emphasize that your free Webmail account has real value to Internet crooks. They may sift through your messages looking for logins to financial sites, send bogus ads or requests for money to all your contacts, or demand a ransom for returning control of the account. You’ve no doubt seen a thousand suggestions to use a strong, unique password for your Webmail account, but this is why: Crooks can make money by stealing it.
And there are plenty of tools can help lessen the major aggravation of trying to remember all those strong, unique passwords. I currently use SplashID ($30) as a password safe because it can sync between an app on my desktop and my iPhone, providing a backup in case one or the other goes kaput. Brian Krebs of the Washington Post says he’s happy with the free Password Safe, and I also use the free Lastpass and Password Hash browser add-ons (both work with both IE and Firefox). Roboform is another popular choice.
If you don’t want to bother with additional software, then there’s always the password cycle method. Choose one or two keywords (with capitals), and then a few numbers to pair with the words. When you need to change your password, add 1 to each digit in the numbers. For example, you could pair “PCWorld” and “189” for a PCWorld189 password. Then when you need to change it, you might go to PCWorld290, or sub in another word, such as Techie189. The technique isn’t as secure as using a truly unique password for each site, but it beats the heck out of using the same password everywhere.