How Hotmail lets down its users security-wise compared to Gmail and Yahoo

22 Oct 2012 | 22 comments | Microsoft, Privacy
by Graham Cluley

Hotmail lets down its over 350 million users when it comes to security, by not giving them an easy way to tell if their account has been accessed by unauthorised third parties.

With hacks of web mail accounts being worryingly common, you would imagine that any popular online email service would give its users a way to check if their account has recently been accessed from somewhere unusual, or at a time when you weren’t surfing, or from a device that you don’t own.
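The check this paragraph describes, as an added example that is not part of the original post: a small Python routine that walks a constructed "recent sign-in activity" list (the time-and-IP view Yahoo exposes, plus a device label) and flags entries that come from an unfamiliar IP, an unfamiliar device, or a time when the user is normally offline. The sign-in records, IPs and device names are invented sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class SignIn:
    when: datetime   # local time of the sign-in
    ip: str          # address the session came from
    device: str      # browser / client label the provider recorded


# Constructed sample activity list (documentation-range IPs, not real sessions).
RECENT_SIGNINS = [
    SignIn(datetime(2012, 10, 20, 9, 15), "203.0.113.10", "Windows 7 / Firefox"),
    SignIn(datetime(2012, 10, 21, 3, 40), "198.51.100.77", "Windows 7 / Firefox"),
    SignIn(datetime(2012, 10, 21, 19, 5), "203.0.113.10", "Android / Mail app"),
    SignIn(datetime(2012, 10, 22, 8, 50), "203.0.113.10", "Windows 7 / Firefox"),
]


def flag_suspicious(signins, known_ips, known_devices,
                    active_hours=(time(7, 0), time(23, 0))):
    """Return (sign-in, reasons) pairs for entries that trip at least one of the
    three signals the article asks for: unfamiliar IP, unfamiliar device, or a
    sign-in outside the hours the user is normally online."""
    start, end = active_hours
    flagged = []
    for s in signins:
        reasons = []
        if s.ip not in known_ips:
            reasons.append("unfamiliar IP")
        if s.device not in known_devices:
            reasons.append("unfamiliar device")
        if not (start <= s.when.time() <= end):
            reasons.append("outside usual hours")
        if reasons:
            flagged.append((s, reasons))
    return flagged


if __name__ == "__main__":
    # The user recognises one home IP and one browser; everything else is worth a look.
    for entry, why in flag_suspicious(RECENT_SIGNINS,
                                      known_ips={"203.0.113.10"},
                                      known_devices={"Windows 7 / Firefox"}):
        print(f"{entry.when:%Y-%m-%d %H:%M}  {entry.ip:15}  {entry.device:20}  {', '.join(why)}")
```

A provider that shows the raw list already lets a user do this by eye; the point of the code is only to make explicit which fields have to be exposed for the check to be possible at all.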

Google and Yahoo, both arch-rivals of Hotmail, have just such a system.

But where is it on Microsoft’s Hotmail service? Sadly, it doesn’t appear to exist.

Webmail compared for last account activity security

Oh dear.

If you’re a Yahoo user, here’s how you can check when your account was last accessed – and from what IP address.

Click through to account settings, and choose “View your recent sign-in activity”:

Yahoo settings

You will be presented with a list of recent login times. If you wish to see the IP addresses, they are also available via a drop-down option:

Yahoo activity details

With Google Gmail it’s even simpler. At the bottom of your inbox you’ll find a link telling you when your account was last accessed.

Google shouldn’t feel too smug though. Although the company has provided many features designed to stop your Gmail account from being hacked, I notice that at least 18 months ago it was being rather more vocal about telling users the last IP address that accessed their accounts.

Old-style Gmail warning

Today, Google tells you on the main Gmail page what time your account was last accessed, but you have to click deeper to view the history of which IP address your account was accessed from.

New-style Gmail warning

I wonder what drove Google to give less prominence to the “last account activity” information? Could it be that they felt it raised too many questions from non-technical concerned users (“What’s an IP address?”). To their credit, they do have a detailed help page explaining the feature.

Quibbles aside, well done to Yahoo and Gmail for at least making the option available for those web email users who wish to keep an eye on who is accessing their account.

Sadly, if you’re a Hotmail user you aren’t even given the option to check for yourself.

That’s a poor show by Microsoft, the makers of Hotmail.

Contacts in law enforcement tell me that Hotmail *does* store the activity information, and it can be extracted from them (with proper legal paperwork) if a criminal investigation is taking place... but that’s not much consolation for a battered wife who’s petrified that her partner is secretly reading her email. Or someone who is worried that they might have been hacked.

Microsoft seems to have put lots of effort into rebranding Hotmail as “Outlook” recently – it’s a shame it didn’t also take the opportunity to introduce this fairly simple-to-implement security feature at the same time.


22 comments on “How Hotmail lets down its users security-wise compared to Gmail and Yahoo”

  1. Lona Wood says:
    October 22, 2012 at 4:06 pm

    I refuse to use or check my Hotmail/ MSN accounts. I hate any account that decides to monitor my typing and "suggest" shit while I am typing as links. If you are reading my e-mails or set up a "helper" like that then I have no privacy and you are worse than the government on "spying". How then would I trust you not to sell or leak my information to the highest bidder….
  2. Pierre Moore says:
    October 22, 2012 at 6:00 pm

    Hotmail is really lacking this feature and needs to step up and do something about it. One day I thought I was hacked because some of my messages were missing. It could have been me who removed those, but I wasn’t 100% sure.

    As this article points out there’s no way of checking your login activity details such as the login times, device or location.. on the web interface.

    I called Microsoft, used their forum etc etc but no one was eligible to provide me that form of “personal information” ….

    This is one of the reasons why I replaced Hotmail with Gmail.
  3. YahooFan says:
    October 22, 2012 at 6:09 pm

    I'm a Yahoo user, but I think a point against them is their lack of support for SSL. I'd love to see this fixed.
  4. Anonymous says:
    October 22, 2012 at 7:03 pm

    A stranger who lives in another state, and who has been harassing and stalking me online, recently used brute force to crack my Hotmail password. He deleted everything in my account. I realized what he did less than a week after the fact. I phoned Microsoft to find out how I could retrieve the emails, but the Microsoft rep told me that I am out of luck. (Years ago he had also secretly installed keylogger spyware on my computer via infected emails. Now I understand the value of updating my antivirus program every day and scanning all email attachments and links before clicking on them!) I wish I could get the FBI on this SOB.

    Going forward, I never use Hotmail for emails that I think will be of importance or personal interest. I am appalled that Microsoft is so lax regarding Hotmail’s security. Likewise, I am appalled that state and federal laws are so lax regarding internet crimes. Very poor show by Microsoft (and the feds), indeed!
  5. the JoshMeister says:
    October 22, 2012 at 7:21 pm

    Graham, what you wrote in your post is indeed correct. However, it's a bit unfair toward Microsoft and seems to incorrectly imply that Yahoo! Mail is more secure. It's not, at least with regard to one very important factor.

    With Hotmail, Microsoft gives you full HTTPS access to your e-mail. That's a major security advantage over Yahoo! Mail.

    With Yahoo! Mail, you cannot access your mail through HTTPS in a browser. All of your e-mails, no matter how private or sensitive, are sent in the clear—in plain, unencrypted text—through the Internet to your browser.

    Anyone who values privacy and security knows that having all your e-mail sent without HTTPS is a really bad thing—especially if you check your mail from public Wi-Fi hotspots, or if you live in a country where you have no expectation of privacy and must assume that any unencrypted communications may be intercepted.

    AOL is another example of a major webmail service where your e-mail isn't sent over HTTPS. (However, a very well-placed source tells me that AOL Alto will finally support "full SSL." I'm still waiting on my invite so I haven't personally verified this yet.)
    • Dan D says:
      October 23, 2012 at 2:28 pm

      Email has never been regarded as a secure communications channel. If you have information that is sensitive enough that you feel you need HTTPS, you should reexamine the contents of your email.
      • ois says:
        October 23, 2012 at 4:25 pm

        You are kidding with your answer right?
        There are multiple levels that a person can employ to secure the contents of their email.

        People in general get complacent and comfortable and keep using the same password year after year after year. People also become ignorant by not enabling security controls that protect them. People in general are ignorant and don't get educated to learn how to protect themselves.

        But at the end of the day it is a free email account. I use such accounts based on their features and then apply them as I see fit.
  6. Weilly Seeder says:
    October 22, 2012 at 9:05 pm

    I am using Hotmail and I have been warned 4 times that my account was compromised or someone has/is using my account. I do get this warning sometimes.

    I changed my password and added some information/security to my account.

    The only thing that I cannot do is to check the last time I was using or login to my account.

    It would be great if this feature were added by MS.
  7. Paul Ducklin says:
    October 22, 2012 at 9:52 pm

    My first inclination was to agree with you. But then I stopped to think…

    …and found myself wondering, "If free mail hacks really are so common, is it an unquestionably good idea to put anyone who snarfs your webmail password just one click away from a geolocation history of your life?"

    In your example (battered wife hiding from vengeful husband), this means that simply by guessing her webmail password, he can effortlessly get her webmail provider to tell him exactly where she's hanging out – or the route by which she's fleeing – even if she carefully avoids making mention of her location in the emails she sends whilst on the run.

    So perhaps – I'm not sure yet, still deciding – Microsoft has it right to treat your geolocation history as something that is available, but shielded from hackers – and Yahoo/Google have it wrong. I can see why it makes spotting unauthorised logins more obvious – but do they need to be that obvious?
    • blake says:
      October 23, 2012 at 2:44 pm

      But then…(continuing the battered wife on-the-run scenario )… she wouldn't be able to see that her webmail had been accessed from another location (eg home) and would assume she's safe. If she could see her history, and suspects nasty-husband knows her password, she has the opportunity to change it… which she'd probably do anyway…
  8. Cliff's Esport Corner says:
    October 23, 2012 at 8:19 am

    You can set Yahoo Email to use HTTPS, you just have to do so in the Options, scroll to bottom (Advanced Settings) little box at bottom below font settings.

    Click and Save.
    • the JoshMeister says:
      October 23, 2012 at 4:25 pm

      Cliff, that setting doesn't exist on my free Yahoo! e-mail account. For me there's nothing below the "Plain text font" selection under Advanced settings.

      Perhaps that's a feature of Yahoo! Mail Plus, which costs $19.99 per year? If so, it's not mentioned on the Plus signup page for some reason.

      However, paying for Yahoo! Mail Plus *does* get you POP and SMTP access over SSL.

      Really though, SSL access to e-mail (whether HTTPS or POP) is so fundamentally important that it's extremely disappointing that *any* of the major e-mail services neglects to offer some form of encrypted access by default.
  9. crates says:
    October 23, 2012 at 9:07 am

    I work in the cybersecurity-for-activists-in-dangerous-countries field (both literally and figuratively). I have to agree with JoshMeister that the lack of full in-session SSL for connections to mail.yahoo.com is a huge, huge, huge problem–far bigger than not being able to see from where your account was last connected to (since few folks are going to pay requisite attention to latter). Cliff's-Esport-Corner–can you post a shot of where you see the "turn on HTTPS" in the Yahoo Mail settings? On my Yahoo Mail, there's nothing underneath the font setting. The only way I know of to encrypt access to a user's Yahoo e-mail account is by paying the USD2/mo for Yahoo Plus and then using POP3/SMTP via a mail client.
  10. Gamma says:
    October 23, 2012 at 11:21 am

    Hotmail seems to store passwords in plaintext -.-

    My password has 20 characters. When I want to sign in, Hotmail says that the maximum length is 16.

    If I type in the first 16 characters of my password, I can log in.
    • Graham Cluley says:
      October 23, 2012 at 12:13 pm

      Yes, we discussed this concern back in August:
      http://nakedsecurity.sophos.com/2012/08/02/maximu…

      All Microsoft systems appear to currently limit passwords to a maximum of 16 characters. Hmm..
  11. Brett Greisen says:
    October 23, 2012 at 2:39 pm

    Hotmail accounts are needed to use Microsoft Vault which some hospitals are using to allow patient access to individual medical records (the patient's own).

    A little while ago, I had to notify my primary care MD that a false diagnosis had been posted along with an imaging report. She was able to notify the hospital unit of the wrong posting of a diagnosis on my hospital record visible via the hospital portal.

    The separate physician info/billing portal showed no such diagnosis.
  12. MikeP_UK says:
    October 23, 2012 at 2:55 pm

    I have a yahoo.co.uk account but I don't see any of those options mentioned in this story! I also have a hotmail.co.uk account and again there are no security options available. At least, not as far as I can find even using the guide in this story nor the Yahoo Help page!
    So what do I do to get these settings options and set them up for better security?
  13. MikeP_UK says:
    October 23, 2012 at 3:07 pm

    What was not mentioned in the steps for Yahoo shown in the article is that you have to be signed in to My Y and not just the mail service!
  14. Andrew Symmons says:
    October 23, 2012 at 4:11 pm

    COME ON HOTMAIL – KEEP US SECURE OR WE MAY DECIDE TO TERMINATE THESE ACCOUNTS
  15. Bob says:
    October 23, 2012 at 9:25 pm

    I've had Hotmail (and more recently Hotmail Plus) for many years, and rarely had a problem. Change the password often.

    If you want secure email, use Hushmail.com. Your recipients also have to have it for secure communications between you and them. Free limited accounts.

    Thanks for the article, Graham.
  16. Cliff's Esport Corner says:
    January 11, 2013 at 6:19 pm

    Ah sorry to people that responded to my post, didn’t look back at the comments, just stumbled on this today with Google looking for something else.

    Couple things, I am using Yahoo Email direct page, not the ! stuff.

    They are actually a little different at times.

    I can access it from Windows 7 laptop and my iMac running Lion.

    There has been at least one major update to Yahoo email since I posted first comment, so things may have changed for others since then?

    It may have been a Beta option when I first set it up, honestly can’t remember.

    I have been using Yahoo email for a long time, think I started back in early or mid ’90s, so I might have been grandfathered on some things even though I am on a free account.

    I don’t yet pay for any email accounts, if I do that it will be on my own server & etc, but that is probably still a few years off, unless something happens that makes it critical before then.

    If anyone wants to ask me more questions or anything, they can reach me through my website.

    Google will bring it up & my Twitter is there as well.

    Don’t think I should post those links here without prior permission.

    ~Stay Safe

    Cliff
  17. rajarajan says:
    December 18, 2013 at 2:45 am

    http://www.microsoft.com/en-us/account/security/recentactivity.aspx