A while back, on a local software developer’s group mailing list, someone challenged me to offer recent examples of Microsoft executives approving insecure features in their products. I was able to quickly offer two at the time, but I just found another one.

I was trying to get a free copy of Windows Vista beta 2 on CD from microsoft.com, and of course you have to sign in with your “Windows Live ID”. I can never remember my password for that, but I got my email address right. How do I know that? Because their sign-in form was kind enough to tell me: “Your email address is correct, but the password is wrong.” Sounds like a user-friendly feature, right? It’s also user-friendly for hackers.

All a hacker has to do is find a correct email address in their system, which they kindly confirm as part of the incorrect-login response. He can then brute force his way into the site by trying passwords over and over against that known-good address. Almost every other website on the planet is smart enough to just tell you “Either your email address or your password is incorrect”, so you have to figure out which one it was.

Microsoft’s ‘improved security focus’ is what, 4 years old now? Yet they still continue to expose their customers to hackers with such user-friendly, yet insecure, features.
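As an added illustration (not code from the post or from Microsoft), here is a minimal Python login check showing the message pattern the post criticises next to the uniform-message version, plus a self-check a site owner can run against their own handler to see whether it confirms account existence; the user store, email addresses and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: email -> (salt, PBKDF2 digest). Not real accounts.
_USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register(email, password):
    salt = secrets.token_bytes(16)
    _USERS[email.lower()] = (salt, _hash(password, salt))


register("alice@example.com", "correct horse battery staple")

GENERIC = "Either your email address or your password is incorrect"

# Dummy credential so the hardened path does the same work for unknown addresses,
# keeping response timing from revealing existence either.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_DIGEST = _hash("placeholder", _DUMMY_SALT)


def login_leaky(email, password):
    """Vulnerable: the error text tells the caller whether the email exists."""
    rec = _USERS.get(email.lower())
    if rec is None:
        return "Unknown email address"
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Your email address is correct, but the password is wrong"
    return "OK"


def login_uniform(email, password):
    """Hardened: one message for both failures; password is hashed either way."""
    rec = _USERS.get(email.lower())
    salt, digest = rec if rec is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    match = hmac.compare_digest(_hash(password, salt), digest)
    return "OK" if (rec is not None and match) else GENERIC


def leaks_account_existence(login_fn, known_email, unknown_email):
    """Self-check: True if a known and an unknown address (both with a wrong
    password) get different responses, i.e. the handler enumerates accounts."""
    return login_fn(known_email, "wrong-pw") != login_fn(unknown_email, "wrong-pw")
```

Run the self-check against each handler: the leaky one returns True, the uniform one False; a real deployment should also rate-limit or lock out repeated failures, which the uniform message alone does not do.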
- Post author: yacoubean
- Post published: August 26, 2006
- Post category: Uncategorized