Free E-mail Services Are Vulnerable To Hackers

New Scientist

Free Web-based e-mail services are vulnerable to hackers, according to an analysis by the Internet Security Advisors Group, a consultancy in Severna Park, Maryland. In its security probe, ISAG focused on the three biggest and most firmly established Web-based free e-mail services: Microsoft's Hotmail, YahooMail and Excite Mail. It found that all three failed to provide a basic security feature that helps keep hackers out.

The major mistake made by all the service providers was to allow users an unlimited number of attempts to log on, rather than locking them out after a couple of attempts if they got the password wrong. This, says Ira Winkler, president of ISAG, makes it possible for hackers to guess a password by brute force, using what is known as an automated dictionary attack, which tries vast numbers of different passwords until the correct one is found.

This, Winkler says, is a basic information security issue the service providers should have got right. In addition, ISAG found that many Web-based e-mail systems also fail to encrypt their passwords when they are sent over the Net, making them easy prey for hackers to intercept. Some hackers collect passwords, logging into e-mail accounts and sending bogus messages.

Last week, Hotmail tightened its security in response to ISAG's findings. Its log-in protocol now incorporates a slight delay when the password is entered. For each wrong attempt the delay increases, making any automated attack take an unfeasibly long time. "There's no impact on members who log in successfully," says Laura Norman, a project manager at Hotmail, "but this should deter potential dictionary attacks." Yahoo has also made changes to its password security system and Excite is believed to be considering the matter.
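
The countermeasure described above, a per-account delay that grows with each wrong password while successful logins are unaffected, can be modelled in a few lines. The following is an added example written for this page, not Hotmail's or Yahoo's code; the doubling schedule, the 300-second cap, the PBKDF2 parameters and the hypothetical `LoginThrottle` class are all assumptions.

```python
"""Per-account login backoff: each wrong password doubles the wait before the
account's next attempt is even examined; a correct login resets it.
Constructed example; the schedule and thresholds below are assumptions."""
import hashlib
import hmac
import time
from dataclasses import dataclass

BASE_DELAY = 1.0    # seconds after the first failure (assumed)
MAX_DELAY = 300.0   # cap so a locked-out user is never delayed indefinitely (assumed)
PBKDF2_ROUNDS = 100_000


def make_credential(password: str, salt: bytes) -> tuple:
    """Stored record: (salt, PBKDF2-SHA256 digest). Constructed for the example."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    failures: int = 0       # consecutive wrong passwords
    not_before: float = 0.0  # clock value before which attempts are refused


class LoginThrottle:
    def __init__(self, credentials: dict, clock=time.monotonic):
        self._creds = credentials   # username -> (salt, digest)
        self._clock = clock         # injectable so tests can advance time
        self._state: dict = {}

    @staticmethod
    def delay_for(failures: int) -> float:
        """Delay after N consecutive failures: 0, 1, 2, 4, 8 ... capped at MAX_DELAY."""
        if failures == 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'too_early'."""
        st = self._state.setdefault(user, AccountState())
        now = self._clock()
        if now < st.not_before:
            # Refused before the password is checked: a dictionary run gets no
            # answer until the delay expires, which is what makes it impractical.
            return "too_early"
        salt, expected = self._creds.get(user, (b"", b""))
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if expected and hmac.compare_digest(actual, expected):
            st.failures, st.not_before = 0, 0.0   # success: no delay carried forward
            return "ok"
        st.failures += 1
        st.not_before = now + self.delay_for(st.failures)
        return "bad_password"
```

The delay here is per account, as in the article; a guesser spreading attempts across many accounts would additionally need per-source limiting, which this example does not model.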


Author: Duncan Graham-Rowe
New Scientist issue 8th May 1999
