Windows Live Passwords: A Lesson in Security and Frustration


I have learned the hard way how important a good password management plan is. My Windows Live account is easily my most used account. I have had it hacked once, and ever since then I’ve taken care to carefully follow my password management plan. That plan includes using password management tools (such as KeePass) and using complex, unique and expiring passwords across services. Since implementing that process with Windows Live I’ve realized the password expiration and reset process for Live accounts is broken.

No warnings

This all started with me making the conscious decision to implement expiring passwords in Windows Live. That all started with checking the “Make my password expire…” checkbox.

[Screenshot: the “Make my password expire…” checkbox]

You would think doing this would result in friendly reminders a few days before the expiration date that your password is expiring, right? WRONG. Unlike expiring Windows passwords, expiring Live passwords are really not handled at all as far as I can tell. Sites that have implemented Windows Live logon start giving you unhelpful errors when you try to access Live services.

Inconsistent messages

When trying to sign into Hotmail via the web you’ll get a “This site may be experiencing a problem.”

[Screenshot: Hotmail “This site may be experiencing a problem” error]

When trying to sign into Windows Live Messenger you get a “…there is a problem with your Windows Live ID.”

[Screenshot: Windows Live Messenger “problem with your Windows Live ID” error]

As you can see, the messages are inconsistent, and they are even worse on devices like the Xbox 360 and Windows Phone.

Broken process

So let’s say you’ve been through this headache a few times before. If you knew what the problem was, you’d be able to change your password easily, right? WRONG.

If you try to log on to a site like https://account.live.com to change the password in this instance, you get the same error as you got when trying to log on to Hotmail via the web.

You have to find your way back to the Windows Live logon page and click the “Can’t access your account?” link.

[Screenshot: the “Can’t access your account?” link]

Yet that is no easy feat either, especially if you’ve ever told Live to remember your logon information. It normally takes a series of cache clearings and IE restarts, and sometimes even Windows restarts, to get to that point.

So after you do get to that point, there would be a choice that says “My password has expired,” right? WRONG.

You have to select “I forgot my password,” which in my case isn’t true at all. The other two options don’t get you anywhere close to where you need to be and normally result in the same incorrect errors as above.

[Screenshot: the “I forgot my password” option]

This takes you through a CAPTCHA…

[Screenshot: the CAPTCHA step]

and then a reset using one of four options.

[Screenshot: the four reset options]

At that point you’re finally back to where we all started: selecting your password and deciding whether to check the “Make my password expire…” checkbox.

[Screenshot: the “Make my password expire…” checkbox]

For me the answer is to always check it, but do you think a normal person would ever go through this again?

[Screenshot: password reset success page]

Microsoft… fix this.

A normal person is the one who most needs to be persuaded to engage in good password management practices, yet the lack of process and common sense you must go through with Live passwords is a HUGE barrier to entry.

Let’s face it, a lot of things need to be fixed here. Yet the first item on this list would probably have the most impact: just do password expiration reminders like Windows does.

  1. You should be reminded your password is about to expire across any device or website that uses the Live logon.
  2. If your password has expired, the messages should be clear and consistent across any device or website that uses the Live logon.
  3. Resetting an expired password should be an option. I didn’t “forget.”
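To make the three asks above concrete, here is an added example (not code from the post or from Microsoft) of a single expiry-status check that every client would call, so that the warning window, the expired state and the “change expired password” path (as distinct from “forgot”) are the same everywhere. The policy values and function names are assumptions; the actual Windows Live values are not on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy values (assumed, not Windows Live's real settings).
MAX_PASSWORD_AGE_DAYS = 72   # password lifetime once "Make my password expire" is on
WARN_BEFORE_DAYS = 14        # start reminding this many days before expiry


@dataclass(frozen=True)
class PasswordStatus:
    state: str         # "ok", "expiring" or "expired"
    days_left: int     # 0 or negative once expired
    message: str       # the one message every client (web, messenger, console, phone) shows
    action: str        # what the client should offer next


def password_status(last_changed: date, today: date) -> PasswordStatus:
    """Classify a password against the expiry policy from a shared place.

    Centralising this is what gives consistent messages across clients: no
    client has to guess whether a failed sign-in is a site outage, a bad ID
    or simply an expired password.
    """
    expires_on = last_changed + timedelta(days=MAX_PASSWORD_AGE_DAYS)
    days_left = (expires_on - today).days

    if days_left <= 0:
        # Expired: say so plainly and route to a change-password flow,
        # not to the "I forgot my password" recovery path.
        return PasswordStatus(
            "expired", days_left,
            "Your password has expired. Choose a new password to continue.",
            "change_expired_password")
    if days_left <= WARN_BEFORE_DAYS:
        # Still valid: remind the user on every device before it bites.
        return PasswordStatus(
            "expiring", days_left,
            f"Your password expires in {days_left} day(s). Change it now to avoid being locked out.",
            "offer_change_password")
    return PasswordStatus("ok", days_left, "", "none")


if __name__ == "__main__":
    # Constructed sample: password last changed 1 Jan 2012, checked on three dates.
    for day in (date(2012, 1, 20), date(2012, 3, 1), date(2012, 3, 20)):
        s = password_status(date(2012, 1, 1), day)
        print(day, s.state, s.days_left, s.action, s.message)
```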

Microsoft, to provide a consumer-focused service you must have consumer-focused processes. That is obviously not the case here. You can do better, and I, as an avid user, expect you to.

Posted in Live, Microsoft