UPDATE (2019/04/12): The site I was using for Password Fault no longer works. They have switched to Passwordfault.com; however, that site is not secure (non-HTTPS), so the links in this post have been updated to Comparitech.


Not too long ago Microsoft’s free webmail, Hotmail, got a facelift and a name change. The new Outlook, as it is called, now forces its recovery options on the end user, making them choose between only two options: a cell phone number or an alternate email address. The problem is, not everyone has a cell phone or an alternate email.

As most of you know, I am a manager at a public computer centre in Montreal, Canada, and on a daily basis I deal with several patrons, most of whom use Outlook as their email of choice. A few weeks ago, an elderly woman who uses Outlook to converse with her family got a message saying she had to enter her recovery options in order to continue. It also had a Skip button (which most places do when it comes to these options), but it stated she had 7 days before it became mandatory.

[Image: the Outlook account recovery form]

This week I had a separate patron come to me with the same issue, but now the Skip button is gone. It is now mandatory, in order to use Outlook, that you have either a cell phone or an alternate email. I would say that 90% of the patrons who use the system at the Computer Centre don’t have either of these, nor do they want them! Outlook makes it very hard for anyone without an alternate email or a cell phone to get access to a hacked account. On several occasions I have helped patrons fill out the form (click on the image to the left) to no avail, as it seems no matter how much info is entered, no one can remember everything they have done in the last year. The fact is, once your account is hacked, it’s almost impossible to get your account back UNLESS you have an alternate email or cell phone.

But here is something that struck my mind while conversing with one of the volunteers here about this matter. Why not attack the issue head-on? Entering an alternate email or a cell phone number does NOT make your account more secure; it simply gives you options to RECOVER a hacked account. Instead of giving options on how to recover a hijacked account, how about putting in more secure criteria for the passwords? Currently the only criteria they enforce are “8-character minimum; case-sensitive”, which means I could use matthewk as a password, not exactly secure. What they should do, on top of the “8-character minimum; case-sensitive”, is add “Must contain one (1) UPPER-CASE letter, one (1) number (1234567890), and one (1) special character (!@#$%^&*()_+-=}{[]":;'?><,./) at minimum”. This makes a password much more secure.

Let’s do the math, shall we (the full table is below for comparison). Let’s assume most people use lower-case letters only, and they use the minimum 8 characters. The total number of possible combinations is 26^8, or 26*26*26*26*26*26*26*26, which is 208,827,064,576 combinations. That looks like a lot, but with today’s computing a hacker can crack that in less than an hour, especially since most people use common words and names (most passwords are hacked with a dictionary attack). Now let’s assume that they use an upper-case letter in there somewhere; that makes it 52^8, which is 53,459,728,531,456 combinations, a somewhat larger amount, but again, being letters only and more than likely forming common words, maybe a few days to crack.

So if upper-case and lower-case with an 8-character minimum are not enough, what is? Well, I personally recommend at least 12 characters using letters (both upper and lower case), numbers and special characters. This prevents a dictionary attack and would force a hacker to use a brute-force attack, which, to put it simply, takes longer the more complex the password is; if it takes too long to crack, the hacker gives up. So the math for the brute force would be this: ~96^12, or 612,709,757,329,767,363,772,416 possible combinations, or roughly 11,461,146,065 times more combinations than upper-case and lower-case combined at 8 characters long.

Method             x^y     Combinations
Single Case x 8    26^8    208,827,064,576
U/L Case x 8       52^8    53,459,728,531,456
Full List x 12     96^12   612,709,757,329,767,363,772,416

The other practice that should be enforced is forcing a password change every 6 months. This would almost guarantee that your account does not get hacked, unless of course you are being targeted by a real experienced hacker who has hit places like the US Government and other high-security sites. And if you are a target of one of these types of hackers, then your email being hacked is the least of your worries. In any case, the above recommendations should thwart the attempts of the low-life hackers who normally hack accounts. If Hotmail spent as much time enforcing these as on how to recover your email, there would be less email hijacking. They should be preventing the problem, not just giving you a way to get access to your account and have it happen all over again.

Now, to put it into full perspective, if the numbers given above for a secure password are a little overwhelming and you don’t know how easy it would be to crack, I took a look at the PassFault website (now Comparitech, see the update above), took a randomly generated password, 12 characters long, with punctuation, “X2:a9/X+/XLd”, and tested it. It came back stating the time to crack it via conventional ways would be 1,575,924 centuries. I then took a randomly generated password, 8 characters long, upper and lower-case WITH numbers, “L58w8zaP”, and it came back with 1 month, 4 days. How about JUST upper and lower case? 3 days. And single case? Less than 1 day.

So, let’s put that table back up with the times it takes to hack:

Method             x^y     Combinations                       Time to Hack*
Single Case x 8    26^8    208,827,064,576                    < 1 day
U/L Case x 8       52^8    53,459,728,531,456                 3 days
Full List x 12     96^12   612,709,757,329,767,363,772,416    1,575,924 centuries

*Time to hack varies depending on the characters used (96^12 was as low as 3 years, 6 months to crack, using the password “W3Z4)9Re7m68”)
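The keyspace arithmetic from the paragraphs above (x^y), the proposed complexity rule, and the time-to-hack column of this table can all be reproduced in a few lines. The following Python is an added example written for this post; it is not code from the original post or from the PassFault/Comparitech tool. Its assumptions are constructed: a guess rate of 10^9 per second (the tool does not state the rate it used, so the times below differ from the tool's figures), a special-character class of 34 symbols chosen so the four classes sum to the post's 96, and a four-word stand-in wordlist for the dictionary-attack point.

```python
import string

# Alphabet sizes behind the post's tables. The symbol-class size of 34 is an
# assumption chosen so that lower + upper + digits + symbols equals the post's
# "full list" of 96 characters (string.punctuation alone has 32, plus space).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 34
FULL = LOWER + UPPER + DIGITS + SYMBOLS  # 96

# The special characters listed in the post's proposed rule.
REQUIRED_SPECIALS = set('!@#$%^&*()_+-=}{[]":;\'?><,./')

# Constructed, deliberately tiny wordlist standing in for a real dictionary.
CONSTRUCTED_WORDLIST = ("password", "matthew", "montreal", "outlook")


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols: the post's x^y."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case brute-force time: every combination tried at a fixed guess rate (assumed)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def describe_seconds(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1, to one decimal."""
    units = (("centuries", 3.15576e9), ("years", 3.15576e7), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def effective_alphabet(password: str) -> int:
    """Alphabet a brute-force attacker must cover, judged from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c in string.punctuation or c == " " for c in password):
        size += SYMBOLS
    return size


def meets_proposed_policy(password: str) -> bool:
    """The post's proposed rule: 8+ characters with at least one upper-case letter,
    one digit and one special character (case sensitivity is implicit)."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in REQUIRED_SPECIALS for c in password))


def contains_dictionary_word(password: str, wordlist=CONSTRUCTED_WORDLIST, min_len: int = 4) -> bool:
    """Heuristic for the post's point: a password built around a common word or name
    falls to a dictionary attack no matter how large its keyspace looks."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in wordlist)


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Combine the checks above into one report for a candidate password."""
    alphabet = effective_alphabet(password)
    length = len(password)
    return {
        "length": length,
        "alphabet": alphabet,
        "keyspace": keyspace(alphabet, length),
        "brute_force_time": describe_seconds(seconds_to_exhaust(alphabet, length, guesses_per_second)),
        "meets_policy": meets_proposed_policy(password),
        "dictionary_word": contains_dictionary_word(password),
    }


if __name__ == "__main__":
    # Reproduce the post's three table rows at the assumed 10^9 guesses/second.
    rows = (("Single Case x 8", LOWER, 8), ("U/L Case x 8", LOWER + UPPER, 8), ("Full List x 12", FULL, 12))
    for label, alphabet, length in rows:
        secs = seconds_to_exhaust(alphabet, length, 1e9)
        print(f"{label:16} {alphabet}^{length:<3} {keyspace(alphabet, length):>33,}  {describe_seconds(secs)}")
    # Sample passwords quoted in the post.
    for pw in ("matthewk", "L58w8zaP", "7}]A5^jf", "X2:a9/X+/XLd"):
        print(pw, assess(pw))
```

The brute-force time is the worst case of exhausting the whole keyspace, so halving it gives the expected time; the dictionary check is what shows why “matthewk” is weak despite its 26^8 keyspace, which is the post's reason for preferring complexity over length alone.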

Not sure about you, but I would go with the centuries option….

On a personal side note, I used our server password, which is 32 characters long, and the response back was “7.553605719692738e+36 centuries”, or roughly 7,553,605,719,692,738,000,000,000,000,000,000,000 centuries, so pretty much not even worth trying for the amateur. The reason we have a 32-character password? Because we had a simple 8-character password, got hacked, and lost a lot of data because of it.

[UPDATE] I seem to have forgotten to add a little bit of info. I ran a basic 8-character password as described above (with all character possibilities), which I did not mention in my table. I used the randomly generated password “7}]A5^jf”, which came back as 1 year, 8 months, which, if you are changing your password every 6 months, should be sufficient. So 96^8 is ok. [/UPDATE]

Sites used in this post:
PassFault website (now Comparitech)
Free Password Generator

Also a good read:
http://goo.gl/e205qf