
Windows Live login suggested as Xbox Live security flaw [Joystiq]



DP ServBot
01-13-2012, 12:20 PM
Since reporting on the "FIFA hack (http://www.joystiq.com/2012/01/09/xbox-hacking-victim-tells-her-story-fights-for-others/)" and related security concerns (http://www.joystiq.com/2012/01/04/xbox-live-fifa-hack-concerns-continue-to-escalate-microsoft-s/) with Xbox Live and the Windows Live ID system, we've received stories, documentation and theories on how this is happening from dozens of victims. As we continue to follow up on several leads, Analoghype (http://www.analoghype.com/video-games/xbox-360-video-games/xbox-live-vulneribility-exposed-microsoft-ignored-the-truth/) posits an interesting theory on how some of these breaches may be occurring.

AH suspects that the hackers grab gamertags from a game of Halo or Call of Duty, then Google the tags to find associated emails on social networking sites. They now have a potential list of Windows Live IDs. Going to Xbox.com, the hacker can now test if the email is a valid ID by attempting to sign in. An error message of "account is invalid" has them moving on to another email; "password is incorrect" means they've got a real account, but a bad password.
Windows Live login suggested as Xbox Live security flaw (http://www.joystiq.com/2012/01/13/windows-live-login-suggested-as-xbox-live-security-flaw/) originally appeared on Joystiq (http://www.joystiq.com) on Fri, 13 Jan 2012 11:50:00 EST.


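A defender-side illustration of the point AH raises above, as an added example that is not from the Joystiq article or any forum poster: a login handler whose error message differs for unknown accounts lets a caller confirm which addresses are real IDs, while a handler with a uniform message, equal hashing work for unknown accounts and a lockout counter (the behaviour VertigoProcess describes further down) does not. The user store, the hashing scheme and the lockout threshold are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample user store: email -> (salt, PBKDF2 hash). Not any real service's data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"gamer@example.com": (_SALT, _hash("correct horse battery staple", _SALT))}
# Dummy credential so a lookup for an unknown email costs the same hash work as a real one.
_DUMMY = (_SALT, _hash("placeholder-never-matches", _SALT))

def leaky_login(email: str, password: str) -> str:
    """Mirrors the behaviour the article describes: the reply says whether the
    account exists, so every failed attempt still confirms or rules out an ID."""
    if email not in USERS:
        return "account is invalid"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "password is incorrect"
    return "ok"

FAILED = defaultdict(int)   # email -> consecutive failed attempts
LOCKOUT_THRESHOLD = 5        # assumed value; real services tune this

def hardened_login(email: str, password: str) -> str:
    """Same message for unknown email and wrong password, the hash is computed
    either way (no timing tell), and repeated failures lock the name, whether
    or not it exists, so the lock itself does not reveal existence."""
    generic = "the email address or password is incorrect"
    if FAILED[email] >= LOCKOUT_THRESHOLD:
        return "account temporarily locked"
    salt, stored = USERS.get(email, _DUMMY)
    ok = email in USERS and hmac.compare_digest(_hash(password, salt), stored)
    if not ok:
        FAILED[email] += 1
        return generic
    FAILED[email] = 0
    return "ok"
```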

RP2A03
01-13-2012, 04:03 PM
This is just another reminder that all important passwords should be long, random, and never recycled.

Also, secret questions are bullshit.

ProgrammingAce
01-13-2012, 04:21 PM
I don't buy it, I don't think the passwords are being brute forced. Even the dumbest sysadmin would notice 20,000 incorrect password attempts per login.

It's *far* more likely that the passwords were obtained through security breaches on other websites, like the 1,250,000 email address/password combinations that gawker leaked in 2010. Even this website's security is questionable, who knows if someone's already grabbed a dump of the database and "decrypted" the passwords offline.

There are plenty of places on the web where you can insert an email address, and it'll tell you the passwords they've used on compromised websites. Password reuse is deadly, but it's impossible to remember a new password for everything you log into.

As was mentioned above:
http://imgs.xkcd.com/comics/password_strength.png

VertigoProcess
01-13-2012, 04:37 PM
Windows live locks you out after so many attempts... I forgot my password one time and was able to make it worse by guessing until I got locked out...

Kitsune Sniper
01-13-2012, 04:58 PM
> I don't buy it, I don't think the passwords are being brute forced. Even the dumbest sysadmin would notice 20,000 incorrect password attempts per login.
>
> It's *far* more likely that the passwords were obtained through security breaches on other websites, like the 1,250,000 email address/password combinations that gawker leaked in 2010. Even this website's security is questionable, who knows if someone's already grabbed a dump of the database and "decrypted" the passwords offline.
>
> There are plenty of places on the web where you can insert an email address, and it'll tell you the passwords they've used on compromised websites. Password reuse is deadly, but it's impossible to remember a new password for everything you log into.
>
> As was mentioned above:
> http://imgs.xkcd.com/comics/password_strength.png

I hate that comic because it seems to me like it's using the wrong calculations. Why is it using 2^28? Shouldn't it be (as many characters that can be used on a password)^28? I mean, taking into account that most sites allow uppercase letters, lowercase letters and numbers, that would be 26 (A-Z) + 26 (a-z) + 10 (0-9), so shouldn't it use 62^28 instead?

Windows calculator says that number is 1.538038851104056746784345972931e+50. Divide that by 86400000 (1000 attempts per second x 60 seconds x 60 minutes x 24 hours) and you get 1.7801375591482138272966967279294e+42 days. Which is around 4.8770892031457913076621828162449e+39 years.

And the bottom one using the four random words isn't really that much more secure because it's using WORDS. That can be cracked using dictionary attacks. Wikipedia says the Oxford English Dictionary has around 250,000 words, and we have four words, so 250,000^4 = 3906250000000000000000. Divide that by the 86400000 attempts per day, then divide that by 365 per year, and you get 123866374936.58041603247082699137 years. Which, again, is still a lot of time.

I dunno, this just doesn't sit well with me.

Edit: And no, I'm not a math wizard, in fact I have a lot of problems with math. BUT the way the strip is written doesn't seem right to me. I could be wrong, and I probably am.