Freemail Vulnerabilities
By Ira Winkler  February 10, 1999

If you have an account on Hotmail, Yahoo!, or Excite, it's vulnerable to

Free email services are a common feature on portal sites, but some of them,
specifically Yahoo! Mail, Excite Mail, and Hotmail, have serious security
vulnerabilities.

First, these three services allow an unlimited number of log-in attempts.
This means that malicious Internet users can perform password guessing and
"brute force" password attacks against accounts on those systems. (After
three failed log-in attempts, Yahoo! does ask the supposed user whether they
need help. However, it does not prevent additional log-in attempts.)

Second, the user is not notified when a number of failed log-in attempts
have occurred. If a password attack has been made against an account, the
user has no way of knowing.

These vulnerabilities affect a lot of Internet surfers. Free email
services are extremely popular as a Web-based alternative to regular
Internet service provider accounts. The ability to access mail from any
Web browser and a certain level of Internet anonymity are great advantages
that these accounts offer. Security, however, is a distinct disadvantage. 

The problems probably are not limited to Yahoo!, Excite, and Hotmail. To
test whether a particular site is vulnerable to a brute-force attack,
simply try entering incorrect passwords against your own account. If the
system allows more than ten invalid password entries without locking the
account, then it probably allows an unlimited number of password-cracking
attempts.

Password crackers attempt to obtain an account's password by systematically
guessing word and number combinations. The cheapest technique uses a
dictionary as the source of words. More sophisticated password crackers
also try word-and-number combinations, such as star99. The most
time-consuming technique, true brute force, tries every possible combination
of letters, numbers, and special characters. Against a log-in form that
never locks the account, all of these attacks are trivial to automate: a
script simply submits the form once per guess. Password cracking is an
extremely common hacker technique.

[Password Cracking != Password Brute Forcing. Very few hackers
rely on brute forcing as it takes an incredibly long time to
complete, regardless of resources.]

To prevent brute-force attacks, a security function should lock an account
after an excessive number of failed log-in attempts, typically three to
five. Once an account is locked, the user should be notified about the
failed log-in attempts and told to contact the system administrators, who
will verify the user's identity. While this would cause a temporary
interruption of service, it would prevent the account from being
compromised. This is a basic security practice that is built into most
computer operating systems. One caveat: a permanent lockout can itself be
abused, since anyone who knows a username can deliberately lock that
account; for that reason many systems lock for a limited period or slow
down each successive failed attempt instead.

[And once the user is locked out after these attempts...
mail is sent to them. How do they log in to check that mail? Catch-22?]
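A log-in front end with the lockout and notification behaviour recommended above, as an added example that is not part of the original article or of any of the three services' code. `threshold=None` with `notify=False` reproduces the behaviour the article criticises (unlimited attempts, no notice), while the default locks after five consecutive failures. To sidestep the Catch-22 raised in the bracketed note, the notice is recorded against a hypothetical out-of-band recovery contact rather than delivered to the locked mailbox; the account, password and candidate list are constructed for the demonstration, and the bare SHA-256 used for password storage is a placeholder, not a recommendation.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple


def _digest(password: str) -> bytes:
    # Placeholder only: a real service stores a salted, slow hash (bcrypt/scrypt).
    # This example is about attempt counting, not password storage.
    return hashlib.sha256(password.encode("utf-8")).digest()


class Account:
    def __init__(self, username: str, password: str, recovery_contact: str) -> None:
        self.username = username
        self.pw_digest = _digest(password)
        self.recovery_contact = recovery_contact  # hypothetical out-of-band address
        self.failed_attempts = 0
        self.locked = False
        self.notices: List[str] = []  # messages "sent" to recovery_contact


class AuthService:
    """Log-in handler. threshold=None means unlimited attempts (the article's
    complaint); threshold=N locks the account after N consecutive failures."""

    def __init__(self, accounts: Iterable[Account],
                 threshold: Optional[int] = 5, notify: bool = True) -> None:
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.threshold = threshold
        self.notify = notify

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"   # same reply as a bad password: do not reveal valid usernames
        if acct.locked:
            return "locked"   # once locked, the password is not even evaluated
        if hmac.compare_digest(acct.pw_digest, _digest(password)):
            if acct.failed_attempts and self.notify:
                acct.notices.append(
                    f"{acct.failed_attempts} failed log-in attempt(s) since your last successful log-in")
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if self.threshold is not None and acct.failed_attempts >= self.threshold:
            acct.locked = True
            if self.notify:
                acct.notices.append(
                    f"Account locked after {acct.failed_attempts} failed log-in attempts; "
                    "contact support to verify your identity and unlock it")
            return "locked"
        return "denied"


def password_guessing_attack(service: AuthService, username: str,
                             candidates: Iterable[str]) -> Tuple[str, int]:
    """Drive the log-in form with guesses; return (final result, attempts made)."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        result = service.login(username, guess)
        if result in ("ok", "locked"):
            return result, attempts
    return "exhausted", attempts


# Constructed demo data: a weak password of the star99 pattern and 20 guesses.
CANDIDATES = [f"star{n}" for n in range(20)]   # star0 .. star19


def demo_unlimited() -> Tuple[str, int]:
    """The criticised configuration: the 12th guess gets in, nobody is told."""
    svc = AuthService([Account("alice", "star11", "alice@example.invalid")],
                      threshold=None, notify=False)
    return password_guessing_attack(svc, "alice", CANDIDATES)


def demo_lockout() -> Tuple[str, int, List[str]]:
    """With a threshold of 5 the attack is stopped and the owner is notified."""
    acct = Account("alice", "star11", "alice@example.invalid")
    svc = AuthService([acct], threshold=5)
    result, attempts = password_guessing_attack(svc, "alice", CANDIDATES)
    return result, attempts, acct.notices


if __name__ == "__main__":
    print(demo_unlimited())   # ('ok', 12)
    print(demo_lockout())     # ('locked', 5, ['Account locked after 5 ...'])
```

Two details matter in practice: the unknown-username path returns the same "denied" as a wrong password so the form cannot be used to enumerate accounts, and a locked account refuses the correct password too, so the attacker learns nothing further until the owner has unlocked it through support.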

Admittedly, these vulnerabilities are extremely basic. I was not expecting
them to exist on all the systems I examined. I take their presence as an
indication that security was not a crucial step in designing these

While the sites all state that users should choose their passwords well,
they do not account for attacks that, given unlimited attempts, can
eventually compromise even good passwords. This leaves users, who number
in the thousands or even hundreds of thousands (industry numbers measure
accounts, not the number of users), vulnerable to someone with even trivial
programming and hacking
While no attacks have been reported, it is likely that they have been
attempted. It is also a given that they will be attempted, and will
succeed, unless action is taken.

I contacted Yahoo! and Excite press liaisons about this issue and received
no official reply. Hotmail could not be reached by telephone, and email
messages to its technical support groups were not returned. 

What You Can Do

Users can't currently do much to prevent their accounts from being
compromised. However, until the services redesign their log-in process,
surfers should be aware that an attacker may be able to access email
messages and other information stored on the system. Attackers may also be
able to assume your identity online. Accordingly, you should delete all
sensitive messages and not use the accounts to receive sensitive messages. 

The best thing you can do is contact your service, let it know how
important security is to you, and tell it that you expect it to correct
this problem. You can also recommend that it implement the secure socket
layer (SSL) protocol for log-ins and for accessing your information. SSL
encrypts the data exchanged between your browser and the website and
requires nothing from you beyond a browser that supports it. This protects
your password and messages from being read by people using sniffers on the
network path between you and the site. Note that SSL addresses a different
threat: it does nothing to stop password guessing against the log-in form.

Picking a Good Password

Although no one is exempt from a brute-force attack, taking a few
precautions can make it significantly harder for others to guess your

Many people pick passwords that they can easily remember. Unfortunately,
that can translate into being easily guessed if someone has minimal
knowledge about you. When you choose a password, make sure that it is
unusual and not based on personal information or the website itself. For
example, I'd imagine that hundreds of people have some variation of the
word Yahoo for logging into Yahoo! Mail. 

One scary aspect of free email accounts is the measures put in place to
help users remember their passwords. Most Web portals realize that their
visitors subscribe to many portals or visit the site infrequently, and
they have a feature to help people who have forgotten their passwords.
Basically, the service allows you to create clues that will remind you of
your password.  Users can even use biographical information for a

For example, the system will ask you what city you were born in. If you
answer the question correctly, the service allows you to change your

How hard is it to figure out where someone was born, or the name of their
dog? In many cases, people might give this information out online in the
course of casual exchanges of information. In response to my recent
article on You've Got Mail, a woman described her experience being stalked
by a former acquaintance. She said he was a brilliant hacker because he
broke into her email account. 

When I asked her if her stalker could have gained enough information to
guess her password or access question, she indicated that it would have
been easy for him to know the answer to the question. 

My recommendation is that you think of an unusual and memorable answer for
a typical question. Let's say you chose the question "What city were you
born in?" Answer with the state as opposed to the city. Treat the answer as
a second password: it does not have to be true, only memorable to you and
unrelated to anything you have told people or posted online.

Finally, when you send out email, try not to divulge private information.
If you use a signature file at the end of your email message, remember not
to include personal information.