How (I think) my windows live account got compromised

This message kind of follows on from the post about my Fiancée’s hotmail account being compromised, and her subsequent use of much better passwords.

About a week ago I got a message from my brother telling me that my windows live messenger account was spamming him. This was confirmed a little later by another friend but as I was travelling in Germany at the time for work, I was not able to log on and try to change my password immediately. When I was able to sit down with my laptop and internet access, I was pleased to find that I could still log in to windows live and I promptly changed my password.

This compromise was a bit of a surprise and lead me to think about how my account could get compromised, and what I lessons I could learn from the compromise. This post is about how I think my account was compromised, and how I have further strengthened my security since.

While my windows live password was fairly secure (it didn’t conform to any of the common patterns used for passwords) and it wasn’t overly short. Because of this, I’m pretty confident that a brute force attack over the internet against the windows live authentication services would take too much time to make it a reasonable attack vector; it would be prohibitively slow. I would also expect the windows live authentication services to have some kind of security measure to counter brute force attacks, though I’m not sure about that.

When I set up my windows live account many years ago, I wasn’t really bothered about security and I used the same password for many of my online accounts. There is another great xkcd comic about this:xkcd: Password Reuse

When I realised that this was insecure I started to change some of my accounts to use a slightly different password where a small number of characters were different. The changed characters were chose depending on which site or service I was logging in to, but I had never updated the password on my windows live account because I never logged in manually; I had windows live messenger set to save my password and log in automatically. This meant that I was still probably reusing a password with another account somewhere else that I had forgotten about.

My theory of how they got my password is that a website or service that I had forgotten about (because I haven’t used it for years) has been compromised and had revealed my email address and password. The password was probably stored (and therefore revealed) as plain text. I think this because even if my password was hashed but not unsalted, the attacker would have had to use a very large rainbow table for it to cover my password, and this would have also taken so much time that it would not have been worth it for the attacker. The attacker would surely just go for the low hanging fruit, rather than spend ages on a single account. I think that once the attackers got the email/password combination, they probably just tried it on a bunch of common services that they could use to send spam messages (hotmail, facebook, twitter, skype, WLM, iCloud, etc), and found that one of my accounts had the same password.

I use lastpass these days, with two factor authentication using google authenticator app on my phone, and have been going through my various accounts, making sure they are using unique and secure passwords (the lastpass security challenge is great for this – I am now up to 92.6% secure) but as I mentioned before, I hadn’t logged in to windows live manually for years, so my vault didn’t contain that password, and so couldn’t warn me that I was still reusing a password. So I have racked by brain to try to remember anywhere else that I may have an account and made sure that I checked those passwords too. I’m sure I will have missed some, but hopefully they are ones that I don’t really care about or use these days.

My Fiancée is Using Better Passwords Than Me!

I upgraded my Mac laptop to OS X 10.8 Mountain Lion a few weeks ago, and at the same time I decided to turn on FileVault for (almost) full disk encryption. I’m not paranoid, but If I want to get into infosec, I should at least try to be secure myself.

Around the same time my fiancée had said that her Windows laptop was running slow, and then her hotmail account got compromised. I checked her laptop for anything malicious (all seemed ok) but I didn’t have time to try and find out why it was running slow right then, so I set her up with an account on my Mac laptop. I had not enforced any password policy on my Mac laptop (I’m not even sure how to do that – I’ll have to find out soon), so I asked her if she would mind telling me what password she had used because her password would be able to unlock the FileVault (almost) full disk encryption and her password could be the weak link.

She obviously trusts me because she told me, and I knew from experience with John The Ripper/Hascat/etc that it would easily be cracked using brute force by the proper tools in a matter of seconds because it followed a very common pattern. It turned out that her hotmail account was using a similarly simple password, so it was no great surprise that it had been compromised.

I explained with the help of this great XKCD comic that a password can be hard to crack, but easy to remember:

She is now using a passwords around 30 characters long! This means some of her passwords are probably stronger than some of mine… I have some catching up to do!