
22 Responses to How Hotmail lets down its users security-wise compared to Gmail and Yahoo

  1. Lona Wood · 730 days ago

    I refuse to use or check my Hotmail/MSN accounts. I hate any account that decides to monitor my typing and "suggest" shit while I am typing as links. If you are reading my e-mails or set up a "helper" like that then I have no privacy and you are worse than the government on "spying". How then would I trust you not to sell or leak my information to the highest bidder....

  2. Pierre Moore · 730 days ago

    Hotmail is really lacking this feature and needs to step up and do something about it. This one day I thought I was hacked because some of my messages were missing. It could have been me who removed those, but I wasn't 100% sure.

    As this article points out, there's no way of checking your login activity details, such as the login times, device or location, on the web interface.

    I called Microsoft, used their forum, etc. etc., but no one was eligible to provide me that form of "personal information"....

    This is one of the reasons why I replaced Hotmail with Gmail.

  3. YahooFan · 730 days ago

    I'm a Yahoo user, but I think a point against them is their lack of support for SSL. I'd love to see this fixed.

  4. Anonymous · 730 days ago

    A stranger who lives in another state, and who has been harassing and stalking me online, recently used brute force to crack my Hotmail password. He deleted everything in my account. I realized what he did less than a week after the fact. I phoned Microsoft to find out how I could retrieve the emails, but the Microsoft rep told me that I am out of luck. (Years ago he had also secretly installed keylogger spyware on my computer via infected emails. Now I understand the value of updating my antivirus program every day and scanning all email attachments and links before clicking on them!) I wish I could get the FBI on this SOB.

    Going forward, I never use Hotmail for emails that I think will be of importance or personal interest. I am appalled that Microsoft is so lax regarding Hotmail’s security. Likewise, I am appalled that state and federal laws are so lax regarding internet crimes. Very poor show by Microsoft (and the feds), indeed!

  5. the JoshMeister · 730 days ago

    Graham, what you wrote in your post is indeed correct. However, it's a bit unfair toward Microsoft and seems to incorrectly imply that Yahoo! Mail is more secure. It's not, at least with regard to one very important factor.

    With Hotmail, Microsoft gives you full HTTPS access to your e-mail. That's a major security advantage over Yahoo! Mail.

    With Yahoo! Mail, you cannot access your mail through HTTPS in a browser. All of your e-mails, no matter how private or sensitive, are sent in the clear—in plain, unencrypted text—through the Internet to your browser.

    Anyone who values privacy and security knows that having all your e-mail sent without HTTPS is a really bad thing—especially if you check your mail from public Wi-Fi hotspots, or if you live in a country where you have no expectation of privacy and must assume that any unencrypted communications may be intercepted.

    AOL is another example of a major webmail service where your e-mail isn't sent over HTTPS. (However, a very well-placed source tells me that AOL Alto will finally support "full SSL." I'm still waiting on my invite so I haven't personally verified this yet.)

    • Dan D · 729 days ago

      Email has never been regarded as a secure communications channel. If you have information that is sensitive enough that you feel you need HTTPS, you should reexamine the contents of your email.

      • ois · 729 days ago

        You are kidding with your answer right?
        There are multiple levels that a person can employ to secure the contents of their email.

        People in general get complacent and comfortable and keep using the same password year after year after year. People also become ignorant by not enabling security controls that protect them. People in general are ignorant and don't get educated to learn how to protect themselves.

        But at the end of the day it is a free email account. I use such accounts based on their features and then apply them as I see fit.

  6. Weilly Seeder · 730 days ago

    I am using Hotmail and I have been warned 4 times that my account was compromised or someone has/is using my account. I do get this warning sometimes.

    I changed my password and added some information/security to my account.

    The only thing that I cannot do is to check the last time I was using or logged in to my account.

    It would be great if this feature were added by MS.

  7. Paul Ducklin · 730 days ago

    My first inclination was to agree with you. But then I stopped to think...

    ...and found myself wondering, "If free mail hacks really are so common, is it an unquestionably good idea to put anyone who snarfs your webmail password just one click away from a geolocation history of your life?"

    In your example (battered wife hiding from vengeful husband), this means that simply by guessing her webmail password, he can effortlessly get her webmail provider to tell him exactly where she's hanging out - or the route by which she's fleeing - even if she carefully avoids making mention of her location in the emails she sends whilst on the run.

    So perhaps - I'm not sure yet, still deciding - Microsoft has it right to treat your geolocation history as something that is available, but shielded from hackers - and Yahoo/Google have it wrong. I can see why it makes spotting unauthorised logins more obvious - but do they need to be that obvious?

    • blake · 729 days ago

      But then...(continuing the battered wife on-the-run scenario )... she wouldn't be able to see that her webmail had been accessed from another location (eg home) and would assume she's safe. If she could see her history, and suspects nasty-husband knows her password, she has the opportunity to change it... which she'd probably do anyway...

  8. Cliff's Esport Corner · 729 days ago

    You can set Yahoo Email to use HTTPS, you just have to do so in the Options, scroll to bottom (Advanced Settings) little box at bottom below font settings.

    Click and Save.

    • the JoshMeister · 729 days ago

      Cliff, that setting doesn't exist on my free Yahoo! e-mail account. For me there's nothing below the "Plain text font" selection under Advanced settings.

      Perhaps that's a feature of Yahoo! Mail Plus, which costs $19.99 per year? If so, it's not mentioned on the Plus signup page for some reason.

      However, paying for Yahoo! Mail Plus *does* get you POP and SMTP access over SSL.

      Really though, SSL access to e-mail (whether HTTPS or POP) is so fundamentally important that it's extremely disappointing that *any* of the major e-mail services neglects to offer some form of encrypted access by default.

  9. crates · 729 days ago

    I work in the cybersecurity-for-activists-in-dangerous-countries field (both literally and figuratively). I have to agree with JoshMeister that the lack of full in-session SSL for connections to mail.yahoo.com is a huge, huge, huge problem--far bigger than not being able to see from where your account was last connected to (since few folks are going to pay requisite attention to the latter). Cliff's-Esport-Corner--can you post a shot of where you see the "turn on HTTPS" in the Yahoo Mail settings? On my Yahoo Mail, there's nothing underneath the font setting. The only way I know of to encrypt access to a user's Yahoo e-mail account is by paying the USD2/mo for Yahoo Plus and then using POP3/SMTP via a mail client.

  10. Gamma · 729 days ago

    Hotmail seems to store passwords in plaintext -.-

    My password has 20 characters. When I want to sign in, Hotmail says that the maximum length is 16.

    If I type in the first 16 characters of my password, I can log in.

  11. Brett Greisen · 729 days ago

    Hotmail accounts are needed to use Microsoft Vault which some hospitals are using to allow patient access to individual medical records (the patient's own).

    A little while ago, I had to notify my primary care MD that a false diagnosis had been posted along with an imaging report. She was able to notify the hospital unit of the wrong posting of a diagnosis on my hospital record visible via the hospital portal.

    The separate physician info/billing portal showed no such diagnosis.

  12. MikeP_UK · 729 days ago

    I have a yahoo.co.uk account but I don't see any of those options mentioned in this story! I also have a hotmail.co.uk account and again there are no security options available. At least, not as far as I can find even using the guide in this story nor the Yahoo Help page!
    So what do I do to get these settings options and set them up for better security?

  13. MikeP_UK · 729 days ago

    What was not mentioned in the steps for Yahoo shown in the article is that you have to be signed in to My Y and not just the mail service!

  14. Andrew Symmons · 729 days ago

    COME ON HOTMAIL - KEEP US SECURE OR WE MAY DECIDE TO TERMINATE THESE ACCOUNTS

  15. Bob · 729 days ago

    I've had Hotmail (and more recently Hotmail Plus) for many years, and rarely had a problem. Change the password often.

    If you want secure email, use Hushmail.com. Your recipients also have to have it for secure communications between you and them. Free limited accounts.

    Thanks for the article, Graham.

  16. Cliff's Esport Corner · 649 days ago

    Ah sorry to people that responded to my post, didn't look back at the comments, just stumbled on this today with Google looking for something else.

    Couple things, I am using Yahoo Email direct page, not the ! stuff.

    They are actually a little different at times.

    I can access it from Windows 7 laptop and my iMac running Lion.

    There has been at least one major update to Yahoo email since I posted first comment, so things may have changed for others since then?

    It may have been a Beta option when I first set it up, honestly can't remember.

    I have been using Yahoo email for a long time, think I started back in early or mid '90s, so I might have been grandfathered on some things even though I am on a free account.

    I don't yet pay for any email accounts, if I do that it will be on my own server & etc, but that is probably still a few years off, unless something happens that makes it critical before then.

    If anyone wants to ask me more questions or anything, they can reach me through my website.

    Google will bring it up & my Twitter is there as well.

    Don't think I should post those links here without prior permission.

    ~Stay Safe

    Cliff


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.