Microsoft changes Live ID login system due to security concerns
Microsoft has quietly updated the Windows Live ID login system, which was most likely in response to a security concern that surfaced last week. The new procedure seeks to eliminate the risk of brute force attacks launching against Live ID logins, which could provide a method for hackers to gain unauthorized access to accounts.
Last week Jason Coutee, an IT consultant, exposed a brute force hack that could allow hackers to access Windows Live ID accounts and all linked materials such as Xbox Live account information. The security flaw allowed hackers unlimited attempts at guessing the password for a Windows Live ID. In addition, the error codes Microsoft used on their site allowed hackers to determine whether a Live ID was real before they tried to brute force the password.
Now it seems that Microsoft has altered their rules. Coutee wrote to Joystiq saying, “Before it would just let you try over and over. But now … they handle the sign in request on the server in a way that it will stop replying after about 20 attempts.”