Microsoft account password: 16 characters is too long to protect Outlook.com & Skydrive?

Analysis | Aug 16, 2012 | 5 min read
Data and Information Security | Microsoft | Security


You probably know that Microsoft’s Hotmail is still touted as the “world’s largest e-mail service, with 324 million members.” The NYTimes reported, “But Gmail, only six years old, already has 278 million, and Microsoft was getting nervous.” So it was “Goodbye Hotmail, Hello Outlook.com.” Since that preview two weeks ago, Microsoft Windows Live vice president Chris Jones reported that as of August 14th, “more than 10 million people have signed up and started using Outlook.com.” Of course, if you happen to be logged into Hotmail while visiting Outlook.com then you are automatically “upgraded.”

At the same time as announcing 10 million Outlook.com users, Microsoft brought its SkyDrive apps out of preview:

  • SkyDrive.com – New, modern design for desktop and tablet browsers with instant search, contextual toolbar, thumbnail multi-select, drag-and-drop organization, and HTML5 sorting
  • SkyDrive for Windows desktop & OS X – Faster uploads for people around the world and tons of bug and performance improvements under the hood
  • SkyDrive for Android – A new app that lets you access, upload and share from Android phones
  • SkyDrive for developers – Apps built using our SkyDrive API can now store or access any type of file in a person’s SkyDrive, plus there’s a new, easy-to-use file picker API for websites (similar to our file picker for Windows 8 apps)

When talking about why versatility in cloud storage is so important, Microsoft said, “We believe that your files are not just bits to be synced-and they’re certainly not to be scanned to serve advertising. Your files represent possibilities.” While the new design and features look good, keep in mind that your Microsoft account password is tied to both your e-mail and your SkyDrive, which may be packed full of goodies and make it a juicy target for malicious hackers. So it’s disturbing that Microsoft believes an account password over 16 characters is too long to protect all your precious ‘possibilities.’

Microsoft’s Eric Doerr addressed this issue by writing, “Password length – We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market. It’s also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like ‘123456’ not due to a lack of complexity.”
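To make Doerr’s two points concrete (that a length cap, not a lack of complexity, is what limits brute-force resistance, and that blocklisted passwords like ‘123456’ are the practical weakness), here is an added Python example; it is not part of the original article and is not Microsoft’s code. The blocklist, the PBKDF2 choice and the iteration count are assumptions for illustration. It shows the brute-force search space of a 16- versus 32-character password, a policy check that rejects common passwords without capping length, and that a salted PBKDF2 hash is 32 bytes whether the password is 16 or 64 characters long, so password storage gives no reason for a cap.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Constructed sample blocklist for this example; a real deployment would use
# a large breached-password list, not a handful of entries.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "111111", "letmein"}

# Printable ASCII, space through tilde, is 95 symbols.
PRINTABLE_ASCII = 95


def search_space_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of brute-force work for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def check_password(password: str, min_len: int = 8,
                   max_len: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). max_len=None means no cap, the recommended policy.

    The blocklist is checked first: '123456' is rejected because it is common,
    not because it is short, which is the failure mode Doerr describes.
    """
    if password in COMMON_PASSWORDS:
        return False, "common password"
    if len(password) < min_len:
        return False, "too short"
    if max_len is not None and len(password) > max_len:
        return False, "too long"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The digest is always 32 bytes, whatever the
    password length, so the stored record has no length-dependent cost."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for n in (8, 16, 32):
        print(f"{n} random printable chars: ~{search_space_bits(n):.0f} bits of work")

    passphrase = "correct horse battery staple"  # 28 characters
    print(check_password(passphrase, max_len=16))  # rejected only because of the cap
    print(check_password(passphrase))              # accepted once the cap is gone
    print(check_password("123456"))                # rejected by the blocklist

    # Same salt, two very different password lengths, identical digest size.
    salt, d16 = hash_password("Tr0ub4dor&3xyzab", iterations=10_000)
    _, d64 = hash_password("a" * 64, salt, iterations=10_000)
    print(len(d16), len(d64))  # 32 32
```

One caveat worth knowing before dropping a cap entirely: bcrypt uses only the first 72 bytes of its input, so with that hash a longer password is silently truncated rather than rejected; either enforce that limit explicitly or pre-hash the password before bcrypt. PBKDF2, scrypt and Argon2 accept arbitrary-length input.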

That’s one of my security concerns, and while “a password not being enough” addresses those security concerns, it also raises the following privacy concern.

After previously growing tired of the continued requests for additional personal information such as a phone number on the landing page for Hotmail, and no “skip” button option, I asked Microsoft, “Other than feeding more private information into the system, is there a way to make this go away? It’s particularly annoying if a person has the email forwarded to another address.” (Meaning an alternate address is already tied to the account.) I reminded the Mighty M that Google has been bashed in the past when trying to get users’ mobile phone numbers tied to accounts. “There’s already a security question setup, so why make this the default landing page and continue to ask for more information?”

Microsoft gave me this background information: “Customers are not required to use account proofs, they are offered strictly for customer protection and there are several options available, including:”

  • Account Recovery Proofs
    • Users have the ability to setup new proofs used to recover hijacked accounts. These include SMS to a mobile phone and login from a trusted PC.
    • Once first proofs are set, future changes or additions are only possible if a proof is used to verify the proper account owner. Hotmail is the first web-based email provider in the industry to provide this.
  • Single-Use-Code
    • Allows users to request a code in place of their account password, to be sent to their mobile device to have better security when using a public computer, e.g. internet café

This was followed up with the logical article “Keeping your Microsoft account more secure” on The Windows Blog. One of the ways suggested to help you protect yourself was “Add security proofs to your account, and check them regularly to ensure they are up to date. You can add a phone, email address, or trusted PC as a proof, and these are used to recover your account if you ever lose access. Here’s how.”

While the security freak in me can see the wisdom in it, I’m a freak about privacy too and don’t want to hand out any additional personal information. Maybe I’m the only one who would just as soon rather have a killer super-long password chock full of characters that isn’t reused anywhere else to protect all those files and emails that “represent possibilities”?


Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.