Xbox 360 vulnerability? No, just weak passwords!

If your Xbox Live account has been hacked, chances are it’s because you used a weak password. According to this post, xbox.com reveals whether a hacker has found a legitimate email address by printing the following error:

The email address is or password is incorrect. Please try again.

After 8 attempts with a wrong password a CAPTCHA is shown but that can be easily circumvented.

Now, showing that error message makes the job of hacking accounts easier, but if it wasn’t there you can be sure that login page would be (and is being) hit by dumb bots that stuff the login page with random emails and passwords. My blog gets hit by so many bots exploiting vulnerabilities for software that doesn’t even run on here that nothing surprises me any more about the intelligence of script kiddies.

It would be super if Microsoft used something like Steam Guard, or at the very least put time limits on successive password checks, but in the meantime what can you do?

  • Use LastPass or another password service and pick a strong password. Use a pass phrase: “talking heads is a great band”, “i wish i had super powers”, “use your own imagination”. They’re all a lot better than “abcdefg1” and a lot easier to remember! Connect a keyboard to your Xbox to type a long phrase in or you’ll be discouraged.
  • Limit the damage. Don’t add your credit card to Xbox Live. Sometimes you can buy an Xbox Live Gold subscription at half the price Microsoft charges. Buy points cards if you want to buy stuff. Until recently it was hard to stop XBL auto renewing if you used a credit card.
  • Go live in a hole in the hills and play marbles with the mice.

My XBL Gold subscription ran out a few days ago so I’m back to being a silver member. Not too fussed as almost everyone I play online with has a PS3 or PC too. I’m left wondering why I need an Xbox 360 any more! I will make doubly sure that I have a strong password on the account.

Thanks Gavin for linking to that article, even if we do disagree about what a security hole is. 🙂
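For anyone running a login page of their own, here is a sketch of the two server-side fixes mentioned above: one error message for every failed sign-in, and a growing time limit between successive password checks. It is an added example, not code from xbox.com or from the linked post; the class name, messages, delay values and sample account are all assumptions.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Sign-in failed. Check your details and try again."
THROTTLED = "Too many attempts. Try again later."
BASE_DELAY = 1.0    # seconds locked after the first failure (assumed value)
MAX_DELAY = 900.0   # upper bound on the lock (assumed value)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginThrottle:
    def __init__(self, users):
        # users: {email: password}, a constructed in-memory account store
        self._users = {}
        for email, password in users.items():
            salt = os.urandom(16)
            self._users[email] = (salt, _hash(password, salt))
        # Unknown emails are hashed against this dummy record, so they cost
        # the same work and take the same code path as real accounts.
        self._dummy = (os.urandom(16), os.urandom(32))
        self._failures = {}  # email -> (failure count, time of last failure)

    def retry_after(self, email, now):
        """Seconds until the next password check is allowed for this email."""
        count, last = self._failures.get(email, (0, 0.0))
        if count == 0:
            return 0.0
        delay = min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)
        return max(0.0, last + delay - now)

    def login(self, email, password, now):
        if self.retry_after(email, now) > 0:
            return False, THROTTLED  # the password is not checked at all
        salt, stored = self._users.get(email, self._dummy)
        match = hmac.compare_digest(_hash(password, salt), stored)
        if match and email in self._users:
            self._failures.pop(email, None)
            return True, "ok"
        # Failures are counted for unknown emails too, so the lock itself
        # does not reveal which addresses exist. A real service would also
        # bound the size of this table.
        count, _ = self._failures.get(email, (0, 0.0))
        self._failures[email] = (count + 1, now)
        return False, GENERIC_ERROR
```

The wait doubles with each failure (1s, 2s, 4s, ...) up to the cap, and a successful sign-in clears it.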

6 thoughts on “Xbox 360 vulnerability? No, just weak passwords!”

  1. Excellent update to what everyone else is posting, including me. Passwords are always the weak spot and as you know the majority of web users usually have a weak password or used it across different services/websites.

    I’d recommend password managers like Password Safe or 1Password. Both are excellent for keeping track of your passwords and have built-in generators as well.

    Off topic: I see a reference to Talking Heads, do you like them?

    1. I’ve noticed that with a few other of the MS sites which is weird. Any of the MS guys I’ve dealt with always insisted on using spaces in passwords.
