08-08-2004   #1
TeleMad
Microsoft Passport DOS (denial-of-service) attack

For those not familiar with Passport, it is basically an attempt by Microsoft to increase its ability to rule the world :-) They want everyone to store their login credentials there, then have all e-commerce, banks, and other sites transparently make authentication calls to the centralized Passport database to validate your identity (instead of the site itself maintaining your password and validating against it). MS also wants everyone to store their credit card information, and other vital personal details with them: MS wants all of our eggs put into their one basket.

Yesterday I tried to post at a web site where my credentials were stored in MS Passport and couldn’t. Why? An error message appeared stating that too many failed attempts had been made to log in with the wrong password for my e-mail account, so my account was being temporarily locked. From a security standpoint, that’s the thing to do…you don’t want people being able to submit password after password against your account until they succeed. The problem is that while the locking of the account did prevent the attacker from logging in, it also prevented me from being able to log in. So I couldn’t post at that site yesterday. When someone does something malicious and thereby prevents you from being able to access resources you should be able to, that’s a denial of service attack. And with Passport it is apparently quite simple to launch: just get a legitimate e-mail address (what Passport accounts are based on) and then submit some passwords. You don’t have to worry about guessing the correct password, just the act of you guessing locks the person out of their account.

Now, after a dozen attempts at various times in the morning yesterday, I finally gave up. This morning, after at least 17 hours of no login attempts, I tried again. Still locked out. Wow, what a long TEMPORARY locking of my account. So far that makes a 2-day DOS. And I have no idea how long this will continue.

Big deal, you might say, I couldn’t post at one site. But, what if MS had their way and all of my personal information was stored on their servers, and e-commerce, banks, and other sites required Passport authentication? Then for 2 days - so far - I would have been unable to do anything on line…no banking, no shopping, no paying of bills, no posting at sites…nothing.

Worse, this is the SECOND time in about 4 months that my account has been temporarily locked because someone has made too many wrong password attempts against my account.
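The failure mode described in the post above, as an added example that is not part of the original thread and not Passport's code: the same failure counter keyed per account (a stranger's guesses lock out the owner) versus keyed per account and source. The threshold, window, account name and addresses are constructed assumptions; the thread does not state Passport's actual limits.

```python
from collections import defaultdict

MAX_FAILURES = 5   # assumed threshold, not Passport's real value
WINDOW = 900       # assumed counting window in seconds

class FailureLimiter:
    """Counts recent failed sign-ins under a configurable key."""

    def __init__(self, key_of):
        self.key_of = key_of                 # maps (account, source) -> counter key
        self.failures = defaultdict(list)    # counter key -> failure timestamps

    def attempt(self, account, source, password_ok, now):
        key = self.key_of(account, source)
        recent = [t for t in self.failures[key] if now - t < WINDOW]
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            return "blocked"                 # refused before the password is checked
        if password_ok:
            del self.failures[key]           # a good sign-in clears the counter
            return "ok"
        recent.append(now)
        return "denied"

def by_account(account, source):
    # Policy described in the post: every failure counts against the account.
    return account

def by_source(account, source):
    # Alternative: failures count only against the source that sent them.
    return (account, source)

def scenario(key_of):
    """Constructed input: 20 wrong guesses from one source, then the owner signs in."""
    policy = FailureLimiter(key_of)
    results = [policy.attempt("user@example.com", "198.51.100.7", False, now=i)
               for i in range(20)]
    guesses_checked = results.count("denied")
    owner = policy.attempt("user@example.com", "203.0.113.20", True, now=30)
    return guesses_checked, owner

if __name__ == "__main__":
    print("per-account lockout:", scenario(by_account))
    print("per-source throttle:", scenario(by_source))
```

Both policies stop checking the guesser's passwords after the fifth failure; only the per-account one also refuses the owner. A per-source limit does not bound guessing spread across many sources, so it is normally paired with a slower account-wide delay rather than a hard lock.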
08-08-2004   #2
Tormod
RE: Microsoft Passport DOS (denial-of-service) attack

I hear ya. I used Microsoft's Small Biz services a few years back and they spent about 6 months fixing access from Windows XP users...AFTER XP was launched. Every time I contacted them via their website, I got to talk to what was obviously a chatterbot with standard replies. It tricked me for a while, until I got suspicious of the parroty responses. So when I started asking if I were writing with a robot it just asked me to please state my problem clearly (after 15 minutes of stating my problem in various ways).

I use Passport for forums and MSN...I never give up any credentials other than name and e-mail. I wonder how they can expect people to trust them when they screw up like they did in your case.


----------------
Your Friendly Neighborhood Administrator

Science is not only compatible with spirituality; it is a profound source of spirituality.
- Carl Sagan
08-09-2004   #3
TeleMad
RE: Microsoft Passport DOS (denial-of-service) attack

"You have made too many unsuccessful sign-in attempts with an incorrect password ..."

3 days and counting...
08-22-2004   #4
TeleMad
RE: Microsoft Passport DOS (denial-of-service) attack

I was able to get in the day after I posted my above message.

Now, I just tried to log into that other site again...first time in 4 days...and once again found my Passport account was locked because of too many recent attempts to log in with invalid passwords. Once again I've been denied access to resources I should have access to....denial of service.

Booooooooooo M$!
08-22-2004   #5
Tormod
RE: Microsoft Passport DOS (denial-of-service) attack

If it's any comfort I cancelled my sub for Micro$oft's small biz service about 2 years ago and I can still log in and use the services...which is strange. Because that means I actually get something for nothing from M$. Is that a record or something?

