Webware

Read all 'Passwords' posts in Webware
October 5, 2009 9:02 AM PDT

Hotmail passwords leaked online

by Don Reisinger
  • 31 comments

Update October 6 at 11:25 a.m.: This was later discovered to be an industrywide problem that has affected users of Gmail and possibly other e-mail services as well. See more details here.

Thousands of Windows Live Hotmail passwords have been leaked online, Microsoft has confirmed. The news was first reported by Neowin.

According to Microsoft, it "learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site" at some point over the weekend. Neowin originally reported that the credentials were posted to a developer forum on Pastebin.com on October 1.

After learning of the breach, Microsoft "immediately requested that the credentials be removed and launched an investigation to determine the impact to customers," it wrote on its Windows Live blog.

The company was quick to point out that credentials were stolen through what was "likely a phishing scheme." The company said that it "was not a breach of internal Microsoft data." It's currently "working to help customers regain control of their accounts."

Microsoft did not immediately respond to CNET's request for comment.

Microsoft didn't say exactly how many accounts were affected, but Neowin reported that the original list displayed accounts with names starting with "A" and "B."

Twitter and other social networks are abuzz with people advising others to change their passwords. Microsoft wrote in the blog post that those who believe they were affected by the phishing scheme should immediately do just that.

Updated at 1:30 p.m. PDT to include Microsoft's confirmation of the breach.

October 2, 2009 9:00 AM PDT

RoboForm Online secures personal data in 'cloud'

by Dennis O'Reilly
  • 21 comments

Someone told me recently that they had 22 different log-in IDs. My first thought was, you must get out more. My second thought was, how do you remember 22 different Web services, let alone log-in IDs and passwords?

The answer, of course, is a password manager. These days, I see PC security as a form of insurance. The more you have to risk, the more you should spend to protect it. Anyone who banks or otherwise transacts online will find the investment in a password and personal-data manager worthwhile. Fortunately, if your password-management needs are meager, the protection doesn't have to cost you anything.

Siber Systems recently announced the beta version of RoboForm Online that lets RoboForm users store their log-in data securely online. Just log into the service from any browser and get fast access to the IDs you've saved on your PC. With just one click you're logged into your favorite Web sites.

RoboForm Online

Log into the RoboForm Online service to access your favorite Web services with a single click.

(Credit: Siber Systems)

The first time you use the program, you're prompted to enter a master password. You can change the master password by opening the program's Options drop-down menu and selecting Security settings, but if you forget a master password, you have to delete all the password-protected files and start over.


Originally posted at Workers' Edge
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.
August 14, 2009 11:30 AM PDT

How to make strong, easy-to-remember passwords

by Larry Magid
  • 26 comments

One of the best ways to protect your online security is to have strong passwords that you change periodically. But that's easier said than done. Coming up with hard-to-guess passwords is hard enough, but it's even harder to have separate passwords for different sites and to remember new ones after you change them.

One way to create a password that's hard to guess but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don't) or you can use the initials of each word in the phrase, for instance, "IgfLESi85" for "I graduated from Lincoln Elementary School in '85." An even better one would be "MbfihswE&S" for "My best friends in high school were Eric and Steve." You get the idea--upper- and lowercase letters, numbers, and symbols that are seemingly meaningless to everyone but you. Microsoft has an excellent primer on passwords and a password strength checker.

But even if you do come up with a clever and hard-to-guess password, don't use it for every site. Since lots of people do that, there's the risk that a sleazy site operator--or a sleazy person who works for a legitimate site--could use it to break into your accounts on other sites.

Password managers
One solution is to use a password manager. There are several available programs and Web storage services, but the ones I'm most familiar with are RoboForm and Lastpass. These programs can generate passwords for you and remember them so you don't have to. Both programs are, themselves, password protected, though you have the option of running RoboForm without a password or having Lastpass remember its own password on your PC. That's OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a laptop that could more easily fall into the wrong hands.

RoboForm has a free trial version that's limited to 10 passwords after the trial ends. Lastpass is free.

Joe Siegrist, Lastpass CEO

(Credit: Lastpass)

RoboForm has been around for a long time, but Lastpass is a relatively new offering. Company CEO Joe Siegrist describes the program as a hybrid because it stores your passwords and usernames both on your machine and on the Web. You can download the browser plug-in to a PC or a Mac to work directly with Firefox on either platform or Internet Explorer on Windows, but there are also ways to use it with Safari and Chrome. Because it has a Web interface, it can work with any Web-enabled device, but the plug-ins for IE and Firefox make it easier to use.

On Firefox and IE, Lastpass records your usernames and passwords when you first enter password-protected sites and then enters them for you automatically for subsequent visits. Passwords are stored in a "vault," which is actually a Web page stored on your PC, as well as the company's servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don't have to worry about synchronizing or backing up your data.

Password data, according to Siegrist, is encrypted on the PC and on the servers. He said that no one--himself included--can decrypt them without the master password that only you know. Assuming the encryption is as good as he says it is, this should protect your security even if their servers are compromised. The company provides a lot of security information on its FAQ.

There are also versions for Blackberry, iPhone, Windows Mobile, and Android as well as a Web site for phones and browsers that aren't supported directly.

For a lot more on this password management, see CNET News reporter Elinor Mills' post, "Facing the pain of passwords."

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
May 19, 2009 10:46 AM PDT

Passpack now lets you securely share your log-ins

by Josh Lowensohn
  • 3 comments

Password storage service Passpack has a new feature that lets you share your account log-ins with others. It's meant as a way to securely share things like usernames and passwords outside of e-mail or IM conversations, and requires that both parties be registered Passpack users.

Inviting someone to get access to a certain log-in is fairly simple, although you have to be Passpack friends with them first. Then it's simply a matter of checking off which log-in or log-ins you want to share. This is handled in two places, both on your friends page and on each site's entry. From there you can pick how much access you want each contact to have, including whether they can just view it, or go in and make changes.

One smart thing about this system is that as the sharer, you can turn off that access whenever you want. The service makes note of each entry that you're sharing and gives you a quick way to revoke access to everyone sharing that certain entry, or to certain individuals entirely. This means that if you're sharing passwords with an employee who leaves the company, you can pull off his or her access to those passwords immediately.

Passwords you're sharing get a special orange tag. You can also sort just by shared passwords.

(Credit: Passpack)

I can't say I totally find this feature ideal though. For one, the person you're sharing with needs to be a registered user of Passpack, which means you need to bug them to sign up, then get whatever case-sensitive user nickname they've come up with. Second, you're giving people entire log-ins, which means they can just take that information and save it somewhere.

The system is not currently set up to let you share access to a site without the other person seeing the credentials (which it can do for you if you're using the service's autofill bookmarklet). So, say for example I'm using this for work, and want to give Rafe the username and password to the company YouTube account. I'd much rather be able to provision him temporary access to that site without him being able to change passwords and potentially lock me out. However, something like that would require OAuth on each site to make that happen.

Where I think this feature will really shine is for providing spousal or family security, where you can give other people you trust access to your information in case something bad happens to you. Similar to what Legacy Locker provides, this would give those people everything they need to control your various accounts if you die.

March 26, 2009 3:53 PM PDT

Facebook retools password resets, addresses app

by Elinor Mills
  • 5 comments

Facebook has changed the way its password reset tool works so that it does not easily verify e-mail addresses to potential spammers, after CNET News contacted it with concerns from an Israeli security expert.

On a separate matter, the company also has asked the maker of the Photo Stalker Facebook app to make it clear that despite the name, the app conforms to Facebook's privacy guidelines.

This is the new message Facebook displays when people reset their passwords.

(Credit: Facebook)

First off, Facebook is making it harder for spammers to mine the site for valid e-mail addresses.

"Last night, we took steps to make sure that our password reset tool is not confirming e-mail addresses," Facebook spokesman Barry Schnitt wrote in an e-mail on Thursday. "Specifically, we now give users the same message whether or not we recognize the e-mail address, and we are adding random amounts of time to the response to ensure that measuring the time isn't an indication of anything."

Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When a fake e-mail address was typed in they got a message that said "Unregistered Email. The email address you entered has not been registered."

Now, every e-mail address typed in gets the same message: "Your password has been reset. An e-mail has been sent to all contact e-mails associated with your account, including (the one typed in)."

Under the old system, an attacker could easily have built a script to generate random e-mail addresses and test them via the reset page, said Shlomi Narkolayev, an independent security consultant based in Israel. "Someone could make a lot of money by selling the list or using it to spam people directly."

He suggested that Facebook offer a generic message for all password reset attempts so as to throw spammers off the trail of legitimate e-mail addresses.

Facebook initially dismissed the concern when contacted on Tuesday. To get a third opinion, I then consulted with Web security expert Jeremiah Grossman, chief technology officer of WhiteHat Security.

"Yes. Facebook's Web site behavior is a common practice, but that doesn't necessarily mean it's a good thing," Grossman wrote in an e-mail. However, even displaying a generic password reset message could end up revealing whether an e-mail address is legitimate or not, he said. That's because the system takes one amount of time to respond to legitimate e-mail addresses and a different amount to respond to bogus ones, which it doesn't immediately find in the database, he said.

"The real lesson here is that Web sites should not use e-mail addresses for usernames," Grossman said.

Well, Facebook came up with a compromise, changing the confirmation message users see.
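The two behaviours the article contrasts, as an added illustration that is not Facebook's code or anything the company published: the old handler answers differently for unknown addresses, while the replacement returns one fixed message and does the same token-generation work on both paths, with an optional random delay of the kind Facebook says it added. The account store, the salt, the token format and the stretching cost are constructed for the demo.

```python
import hashlib
import secrets
import statistics
import time

# Constructed demo account store: e-mail -> record. Only one address is registered.
ACCOUNTS = {"alice@example.com": {"reset_token": None}}

# The wording Facebook adopted, per the article; the typed address fills the same slot either way.
GENERIC_MESSAGE = ("Your password has been reset. An e-mail has been sent to all contact "
                   "e-mails associated with your account, including {email}.")


def reset_leaky(email):
    """Old behaviour described in the article: the reply text differs for unknown addresses."""
    if email not in ACCOUNTS:
        return "Unregistered Email. The email address you entered has not been registered."
    ACCOUNTS[email]["reset_token"] = secrets.token_urlsafe(32)
    return "An e-mail with instructions on how to reset the password has been sent."


def _make_token():
    # Generate a reset token and stretch it, so this step costs the same
    # whether or not the address exists (salt and round count are demo values).
    token = secrets.token_urlsafe(32)
    hashlib.pbkdf2_hmac("sha256", token.encode(), b"demo-reset-salt", 20_000)
    return token


def reset_uniform(email, jitter_ms=0):
    """Same message and same amount of work for known and unknown addresses.
    jitter_ms adds a random delay, as the article says Facebook did."""
    token = _make_token()               # always paid, never skipped
    record = ACCOUNTS.get(email)
    if record is not None:
        record["reset_token"] = token   # a real system would now e-mail it
    # unknown address: the token is simply discarded, no branch-specific work
    if jitter_ms:
        time.sleep(secrets.randbelow(jitter_ms + 1) / 1000.0)
    return GENERIC_MESSAGE.format(email=email)


def median_seconds(handler, email, samples=15):
    """Median wall-clock cost of one call; compare the two branches locally with it."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        handler(email)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


if __name__ == "__main__":
    for fn in (reset_leaky, reset_uniform):
        print(fn.__name__, repr(fn("alice@example.com")), repr(fn("nobody@example.com")))
        print("  known/unknown median s:",
              median_seconds(fn, "alice@example.com"),
              median_seconds(fn, "nobody@example.com"))
```

Random delay on its own only adds noise that repeated measurements average away; it is doing the same work on both paths that actually closes the timing gap Grossman points to, and per-source rate limiting on the reset endpoint is what makes mass probing expensive.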

Facebook, however, didn't make any changes to address an additional concern Narkolayev had with the site's login page. He had complained that an attacker could use a brute force attack on the login page to guess passwords using a program designed to try a large number of options in a systematic way.

To prevent such attacks, Facebook should require people to type in Captchas with each login and password reset attempt, Narkolayev said.

To that point, Schnitt said Facebook blocks accounts if someone tries too many incorrect passwords and that users would find it "unwieldy" to have to fill in a Captcha every time they mistyped a wrong password or e-mail address.

Narkolayev said he was able to try wrong passwords 50 times before being blocked. He suggested the site present a Captcha after four attempts and block the account after seven attempts so "the user will not 'suffer from the Captcha' and the system will be safe from brute force and dictionary attack."
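An escalating login throttle with the thresholds Narkolayev proposes (Captcha after four failures, block after seven), as an added example that is neither Facebook's implementation nor Narkolayev's; the lockout duration, the in-memory user store and the injectable clock are demo assumptions.

```python
import hmac
import time
from collections import defaultdict

# Thresholds from Narkolayev's suggestion in the article.
CAPTCHA_AFTER = 4    # failed attempts before a Captcha is demanded
LOCK_AFTER = 7       # failed attempts before the account is blocked
LOCK_SECONDS = 900   # how long the block lasts; assumed value, the article gives none

# Constructed demo user store. Plain text only for the demo; a real store keeps salted hashes.
USERS = {"alice": "correct horse"}


class LoginThrottle:
    """Per-account failure counter that escalates: ok -> captcha -> locked."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so the lockout expiry can be tested
        self.failures = defaultdict(int)
        self.locked_until = {}

    def status(self, user):
        """What the next attempt for this account will require."""
        until = self.locked_until.get(user)
        if until is not None:
            if self.clock() < until:
                return "locked"
            del self.locked_until[user]    # lock expired: start counting afresh
            self.failures[user] = 0
        return "captcha" if self.failures[user] >= CAPTCHA_AFTER else "ok"

    def attempt(self, user, password, captcha_ok=False):
        """Returns 'success', 'failed', 'captcha_required' or 'locked'."""
        state = self.status(user)
        if state == "locked":
            return "locked"
        if state == "captcha" and not captcha_ok:
            return "captcha_required"      # not counted: the attempt was not evaluated
        expected = USERS.get(user, "")
        # compare_digest keeps the comparison time independent of where the strings differ
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1           # unknown names are counted too
        if self.failures[user] >= LOCK_AFTER:
            self.locked_until[user] = self.clock() + LOCK_SECONDS
            return "locked"
        return "failed"
```

Counting per account is what stops a single password being tried against one user many times; a deployment also needs a per-source counter, otherwise the same budget of attempts can be spread across many accounts, and the lock must time out or be resettable so that an attacker cannot lock legitimate users out on purpose.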

The Photo Stalker Facebook app conforms to Facebook's privacy guidelines but still might concern people who think their photos are private.

(Credit: Photo Stalker)

Photo Stalker
Because of its popularity, Facebook gets more scrutiny for privacy and security than other Web sites and services (you can call it the Windows curse), even when it's following common practice or doing more than other sites are doing. The intense attention is merited because of the millions of people who use the site, many of whom may not understand the privacy risks they expose themselves to in their quest to interface with friends on the site.

Take, for instance, the Facebook app called "Photo Stalker." It lets anyone see any Facebook user's public photos, even when they are not friends, just by typing in a name, friend ID, or user ID in a search box. (Thanks to Byron Ng for bringing it to the attention of CNET News.)

While the app does not violate Facebook's privacy guidelines, I'm sure it would still shock many people on Facebook to learn that photos they thought were visible only to friends in their network can so easily be seen by complete strangers.

After being contacted by CNET News about Photo Stalker, Facebook asked the developer of the app, Josh Carcione, to change the name to something less provocative. So far, he hasn't done so. But he did add this message to the app profile page:

"This application does not circumvent Facebook privacy settings to deliver these photos. You can edit the privacy settings on your own photos so that they are not visible to everyone on Facebook, including through this application."

So, you might want to double-check and manually set any photos to "private" that you don't want to be viewable by anyone on Facebook.

Originally posted at Security
September 15, 2008 10:35 AM PDT

LogOnce lets you skip Web log-ins on the iPhone

by Josh Lowensohn
  • 3 comments

Desktop password manager LogOnce has released a new way for users of the iPhone and iPod Touch to skip having to enter usernames and passwords on sites that require them. You can log in to any site for which you've saved a password just by opening up a special bookmark that plugs in your log-in credentials for you.

There's no software to install and nothing to remember. You can also wipe out any access, just in case you manage to lose your phone, or it gets stolen.

It's devilishly simple, and it works, though the setup is a bit tedious. You must first register with the site, then plug in all your usernames and passwords from various sites, then make sure you're logged into the LogOnce site via your device. After that, it's simply a matter of summoning up the bookmarklet shortcut when you're on the log-in screen at any given site where you're registered.

To help make things a bit simpler, you can do all the password management on your PC, if you're willing to download the software version. It syncs up all the log-ins you've provisioned to your account, so you can access them on the device. In case it's stolen, you simply change out your master password, which will keep any would-be identity thief from being able to access your information.

A far simpler solution, if you're willing to install something on your iPhone or iPod Touch, is 1Password. It's one of my favorites because it gives you far greater control over the fields you can enter, and it blends the management with browsing in the same space, which can be helpful, if you want to make changes on the fly.


September 8, 2008 12:05 PM PDT

UsableLogin lets you use one password for all sites

by Elinor Mills
  • 5 comments

SAN DIEGO--The password problem may finally be solved!

Usable Security Systems announced here at DemoFall on Monday a new service that will let people use one password on any site on the Web.

Basically, you will only have to remember one codeword for all the sites you log into, once the UsableLogin service launches in early 2009, says Rachna Dhamija, CEO and founder of Usable Security Systems.

The authentication service strengthens the codeword you choose by cryptographically combining it with additional random bits of data. The additional data is different for each site accessed and is dispersed on your PC and on Usable Security servers. That renders the codeword impossible for anyone else to guess but easy for you to remember.

Usable Security doesn't store or save the codeword, and it isn't displayed to Web sites.
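One way the scheme described in the previous two paragraphs can be realised, as an added example that is not UsableLogin's code and assumes details the article does not give: the per-site random bits are split into a PC share and a server share (XOR secret sharing), and the site password is PBKDF2 of the codeword salted with the site name and the reassembled secret. Share size, round count, output length and the domain-separation string are demo choices.

```python
import base64
import hashlib
import secrets

# Assumed construction: per-site secret = client_share XOR server_share;
# site password = PBKDF2-HMAC-SHA256(codeword, SHA256(site | secret)).
SHARE_BYTES = 32
PBKDF2_ROUNDS = 100_000


def new_site_shares():
    """Create the per-site random bits and split them so neither half alone reveals them."""
    secret = secrets.token_bytes(SHARE_BYTES)
    client_share = secrets.token_bytes(SHARE_BYTES)
    server_share = bytes(a ^ b for a, b in zip(secret, client_share))
    return client_share, server_share


def derive_site_password(codeword, site, client_share, server_share, length=20):
    """Reassemble the per-site secret and stretch the codeword into a site-specific password."""
    secret = bytes(a ^ b for a, b in zip(client_share, server_share))
    salt = hashlib.sha256(b"demo-site-kdf|" + site.encode() + b"|" + secret).digest()
    key = hashlib.pbkdf2_hmac("sha256", codeword.encode(), salt, PBKDF2_ROUNDS, dklen=length)
    # base64url keeps the result printable for an ordinary password field
    return base64.urlsafe_b64encode(key).decode()[:length]


def enroll(site, client_store, server_store):
    """Register a site: one share stays on the PC, the other goes to the service.
    The codeword itself is never written to either store."""
    client_share, server_share = new_site_shares()
    client_store[site] = client_share
    server_store[site] = server_share


def site_password(codeword, site, client_store, server_store):
    """What the browser extension would fill into the site's password field."""
    return derive_site_password(codeword, site, client_store[site], server_store[site])


if __name__ == "__main__":
    client, server = {}, {}       # constructed stores standing in for the PC and the service
    for name in ("bank.example", "mail.example"):
        enroll(name, client, server)
        print(name, site_password("my codeword", name, client, server))
```

The split is what lets the service say it never holds the codeword: a dump of the server store yields only random shares, and guessing the codeword offline still needs the PC share. The same property is the availability cost: a lost PC share means re-enrolling that site, so the shares themselves must be backed up, which is presumably why the article mentions configuring the service for use on several computers.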

The service allows you to view log-in activity across all your accounts through one dashboard. You can personalize your log-in with images you supply or pick from options so that you are assured that you are at the legitimate log-in. The service can be configured so that you can use it on different computers, such as at home and at work, but still remember only the one codeword.

Consumers will be able to download a browser extension that displays a UsableLogin box for free. It works with any site that accepts passwords and works with any operating system or browser.

Web sites will be able to offer the authentication service to their customers, for a fee that has yet to be determined, Dhamija says. The sites will be able to insert a snippet of JavaScript on their sites so the log-in box will be displayed.

In the future, the service will allow browsers to automatically remember the codeword for each session, she says.

On average users have about 25 accounts and users log in about eight times a day, she said in her demo.

Updates with announcement taking place.

August 13, 2008 9:08 PM PDT

Oops! iPhone app publisher waits on Apple to fix big mistake

by Jessica Dolcourt
  • 1 comment

1Password's iPhone welcome message.

Today I had one of those what-the-heck software moments that occurs when a program breaks where it's least expected. A premier feature in the iPhone application I was tinkering with had vanished after a version update.

1Password for iPhone, first reviewed by my colleague Josh Lowensohn, is better known by its Mac counterpart, which encrypts log-ons and passwords on the Mac and automatically fills them in on Web pages. Windows users can think of it as the rough equivalent to RoboForm.

Since a smooth move like that requires multiple programs to run concurrently--something presently prohibited for iPhone applications--1Password for iPhone sports a work-around. Rather than leave the application to sign on to a page from Safari, 1Password launches an in-application Web browser from a log-in detail page. Clicking the icon of a keyhole and then clicking the site name will auto-fill the log-in information, therefore getting by that pesky lack of program multitasking still plaguing the iPhone.

Those last two steps are superfluous in my opinion, but what's worse is that the procedure failed. Over and over again. Could the publisher have pulled the feature? Not likely as long as the Web site is still boasting native iPhone support for autofill. So what happened?

1Password in-app browser

The new log-on reminder option is a must until 1Password's iPhone autofill feature is restored.

(Credit: CNET Networks)

It turns out that Dave Teare, co-founder of Agile Web Solutions, 1Password's publisher, had some trouble with the latest release and discovered the mistake after already submitting buggy version 1.3 to the iTunes App Store for approval. Now 1Password for iPhone is stripped of the gem in its password-protecting crown and will remain so until Apple busts version 1.3.2 free from iTunes purgatory, a process that will take anywhere from three days to a week.

Ahem. That's what happens when you let someone else rule the release of your software. Apple's tight control over the contents of the App Store is ordinarily an understandable check against malicious software and bogus software, but in this case, it curbs the publisher's ability to push emergency fixes. This shift in the power dynamic will either: demand greater quality on the publishers' end; feed a few tech scandals when buggy software slips by; create some truly naggy and disgruntled developers and marketers; or all of the above.

I have to wonder if the iTunes team has considered priority accounts like Google AdWords or emergency-attention surcharges like UPS and FedEx. Probably. As long as iPhones are hot and the applications are hotter, future iPhone application flubs by furrowed-brow publishers could become a lucrative opportunity to sell premium customer service.

At any rate, those of you who have already updated your 1Password iPhone application to version 1.3 can still enjoy other fixes, like the newly-instituted capability to delete entries and hide passwords in editing view; a panel that displays your log-on info to manually enter it in the browser window; and a security setting to swallow up the 1Password browser's cookies.

Originally posted at The Download Blog
August 5, 2008 3:56 PM PDT

Atomkeep syncs profile information across multiple services

by Josh Lowensohn
  • 1 comment

Atomkeep is a service that lets you sync, import, and merge your personal profile data across multiple services. It's trying to solve one of the many side effects of service saturation by giving people a central place to manage personal data on a pretty grand scale, like say every popular service you're using right now.

Changed your address? Don't bother logging in to each place to make the change. Instead you can edit your AtomKeep profile (which contains nearly every conceivable field) and then push it out to just the services you want, or all of them at once. You can also bring in your profile data from any service you're signed up for, and merge it in to your Atomkeep profile to push back out to other places. It's actually incredibly simple to manage.

One thing to note is that Atomkeep doesn't hang on to any of your passwords. It's nice enough to keep your username for each service, but that doesn't make having to re-enter your password across four or five of the 23 available services any easier. Ideally, future iterations could adopt a system similar to Roboform or Passpack, with a master password that supersedes your account password to unlock a treasure trove of log-ins. As the service scales to integrate more and more sites, this is going to be the one thing holding it back from being truly user friendly.

In addition to its core profile service, you can also take all your social profiles and stick them on a badge that can be dropped into blogs or e-mails. Other users can then click on any service icon and be taken straight to that profile as long as it's public. There's even an option to drop in your resume, which can be pulled in from services like Facebook simply using your work history, or a fully formatted version from places like Monster and LinkedIn.

Related: Ping.fm blasts messages to five microblogging services at once

[via Lifehacker and ReadWriteWeb]

Manage your profiles across multiple services with Atomkeep, a simple profile management tool.

(Credit: CNET Networks)
July 30, 2008 2:43 PM PDT

1Password makes Web log-ins portable

by Josh Lowensohn
  • 2 comments

1Password lets you add and manage all sorts of Web log-ins in one place.

(Credit: CNET Networks)

iPhone and iPod Touch users have a fantastic new solution for keeping track of log-in credentials from site to site. It's called 1Password, and like the name suggests, you only need to remember one password to access and use your log-ins across hundreds and thousands of sites.

Like RoboForm (download) and other desktop password solutions, 1Password lets you save these log-ins under the protection of a single master password. Unfortunately, due to the limitations of Apple's SDK, you can't run 1Password while you're randomly browsing in Safari, meaning you won't be able to enjoy the ease of autofill. 1Password's workaround is to have you plug in your log-in information and the URL of where that log-in screen is located. From the application, you can simply click on the site you want to go to and it will plug all of that information into the correct fields when it opens in an in-app browser.

The application is already off to a great start, but there are some quirks that need fixing (and will be getting soon). The most glaring omission is the lack of an on-screen keyboard, meaning if there's something like a captcha or another form to fill in later on, you're out of luck. You're also unable to delete saved log-ins, so any log-in you no longer need must be repurposed instead.

Otherwise, there's a lot of power for advanced users. Once you're browsing any site, if you have to log in again for something, you can simply hit the "lock" key, which will plug in your username and password yet again. The same can be done for forms if you're willing to make a preset for that--something just fantastic when you need to enter billing information without killing your thumbs.

Mac users who want to carry over passwords from their browser can also take advantage of cross-platform sync, which will port over log-ins from their desktop to their phone and vice versa with the $35 desktop version.

[via Macrumors]
