Yesterday I changed my Windows Live password. I’m a little embarrassed to admit that this is the first time I’ve changed it, and I’ve been using it for the best part of 10 years, back when it was for my Hotmail account.
The main reason why I’ve changed it is because I’ve had a couple of friends who have had their accounts compromised to send junk email. This isn’t a simple case of spam with their email address as the ‘From:’ address; this is where spammers have sent email from their account, using the contacts in their address book. The spam emails were in their sent messages folder.
There are several ways this could happen; one is spammers gaining access to people’s accounts through a flaw in Microsoft’s systems. However, I view this as unlikely; more probable is people giving out their Windows Live passwords to other web sites.
I think many of us are familiar with sites that let you invite your friends, by giving the site your email username and password. You should never do this. Giving someone else your password, whether it’s a person or a web site, gives them the same level of access to your account as you have. They could log in, delete all of your old emails, change your name to Engelbert Slartibartfast, spam all your contacts, change your signature – anything, really. The only way to revoke access is to change your password.
Either a site which has stored people’s Windows Live username and passwords has gone rogue and given these details to spammers, or their database has been hacked.
As far as I am aware I have never given my password to anyone, and to my knowledge I’ve not had my account accessed in any unauthorised way. But I have changed my password just in case.
Systems like OAuth are a better solution here. If a web site wants to import your contacts, it can use OAuth to request that information from Windows Live without needing your password, provided you have authorised it, and you can revoke its access to your account at a later date. Twitter and Facebook both do this really well.
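To make the contrast concrete, here is a small added example (my own toy model, not Windows Live’s, Twitter’s or Facebook’s real API) of why a scoped, revocable token is safer than a shared password: the third-party site gets exactly one permission, cannot send mail with it, and loses even that once the user revokes it. The provider, account and scope names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    contacts: list
    sent: list = field(default_factory=list)

class Provider:
    """Hypothetical mail provider: password login vs. OAuth-style tokens."""
    def __init__(self):
        self.accounts = {}
        self.tokens = {}  # token -> (user, frozenset of granted scopes)

    def password_login(self, user, password):
        acct = self.accounts[user]
        if not secrets.compare_digest(acct.password, password):
            raise PermissionError("bad password")
        return acct  # the caller can now do anything the owner can

    def authorize(self, user, scopes):
        # User consents on the provider's site; the third party never sees the password.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, frozenset(scopes))
        return token

    def revoke(self, token):
        self.tokens.pop(token, None)  # user withdraws access later

    def api(self, token, scope):
        if token not in self.tokens:
            raise PermissionError("token revoked or unknown")
        user, scopes = self.tokens[token]
        if scope not in scopes:
            raise PermissionError(f"scope {scope} not granted")
        return self.accounts[user]

def allowed(fn, *args):
    """True if the call succeeds, False if the provider refuses it."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False

def demo():
    p = Provider()
    p.accounts["alice"] = Account("hunter2", ["bob", "carol"])  # constructed data
    token = p.authorize("alice", ["contacts.read"])
    site_can_read = allowed(lambda t: p.api(t, "contacts.read").contacts, token)
    site_can_spam = allowed(lambda t: p.api(t, "mail.send").sent.append("buy now"), token)
    p.revoke(token)
    after_revoke = allowed(lambda t: p.api(t, "contacts.read"), token)
    # With the password itself there is no such limit: full access until it is changed.
    shared = p.password_login("alice", "hunter2")
    shared.sent.append("spam to all contacts")
    return {"read": site_can_read, "spam": site_can_spam,
            "after_revoke": after_revoke, "password_sent": len(shared.sent)}
```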
In any case, my old password was pretty weak – it didn’t have any uppercase letters or special characters. I’ve now got a much stronger one that I generated using 1Password, so it should be more resistant to brute force attacks.