By any measure, end users are still using passwords that are far too simple. The Gawker Media hack from 2010, in fact, showed "123456" was the most common password in Gawker's database. Well, Microsoft's decided that if folks aren't going to pick strong passwords, at the very least Microsoft can keep them from picking the most egregious, easy passwords to hack.
The Hotmail service will now prevent new customers from selecting passwords that are too easy to guess, such as "password" or the aforementioned "123456." Those sorts of passwords, besides being easy to guess, are particularly vulnerable to brute force or “dictionary” attacks.
In addition to preventing users from choosing a weak password when signing up for a new account, the changes will also prevent already existing users from doing the same when changing their passwords. Sometime in the future, the system may proactively force users to change their passwords, as well. The changes will be rolling out "soon."
Microsoft has, for a long time, had a password checker. Users can enter their password into it and the system will judge if it is strong enough.
What is interesting is that as hackers have become more sophisticated, what used to be a strong password is no longer so. Microsoft says a strong password should contain at least 14 characters, for one, which isn't exactly easy to remember without a program such as LastPass or Roboform.
Hotmail is adding another feature, as well. How often have you seen what appears to be a spam or phishing email come from one of your contacts? That usually means that your friend has had a virus infect their system, or else their account has been hacked because of a (ahem) too easy password. And naturally, it's that person's friends that usually spot the problem first, when they get such compromised email.
The new Hotmail feature allows users to report such an email directly to Hotmail. Microsoft is adding a "My friend's been hacked" option on the Hotmail drop-down "Mark As" menu. Once you report the email, "Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked."
In addition, Microsoft will share any such data with Yahoo or Google, so even if the email came from Gmail or Yahoo! mail, you'll still be helping out your friend.
These are nice features, but they are still not going to get us to move from Gmail. Gmail has the best spam detection we've ever seen, and there's that Google+ service you might have heard of.