This thread is in response to a recent surge of XBox Live and Microsoft Hotmail accounts being stolen. It is not directly related to Halo 3, but it is certainly most pertinent to this forum and the concerns expressed here. This initial post is only a quick guide to some simple steps you can take to protect your account. Others have also added tips, so please be sure to read the whole thread. Please click the "Save Thread" button if you find the information useful -- that will help you return to it quickly if you need to refer to it later. Feel free to add your own tips and information! [b][u]Creation and Protection of a Secure Password[/b][/u] The password you create for your account is the first and most important step in protecting it. [b]Create a Unique, Complicated Password[/b] Take advantage of the tools that Microsoft gives you -- you can use any character on the keyboard in your password, and every letter is "case-sensitive" (in other words, if you use a capital letter when you create your password, you must enter that letter as a capital letter every time). This gives you a wide array of options. More good news is that even the hacking community is generally of the opinion that cracking a Microsoft Hotmail account through dictionary attacks or brute force attacks is impossible ([url=http://www.governmentsecurity.org/archive/t9331.html]Source 1[/url]; [url=http://www.pwcrack.com/howtohackaol.shtml]Source 2[/url]; [url=http://becomingparanoid.com/2006/03/07/how-to-get-a-hotmail-password-ix-bruteforce/]Source 3[/url]). All the same, it is extremely easy to make your password exponentially more secure, and it is thus a good idea to do so. First, a piece of advice that I will repeat throughout this post: Your Hotmail/Windows Live password should be different from [i]any other password[/i] that you use on any other website AT ALL. Next, [url=http://www.microsoft.com/protect/yourself/password/create.mspx]here is a good guide to creating a strong password[/url]. In essence, passwords should be at least 8 characters long, and more if you can remember it. Passwords should contain a variety of upper-case letters, lower-case letters, numbers, and punctuation/symbols. The best passwords are random jumbles of these various types of characters (example: g9@R5\8w). Make the password as many characters long as you can reasonably remember without having it written down. Which brings me to my next point. [b][u]Love Thy Neighbors -- But Don't Trust Them[/b][/u] Approximately 76% of identity thieves are people you know. ([url=http://www.co.crow-wing.mn.us/sheriff/investigations/general_investigations/identity_theft.html]source[/url]). Create a password that you can memorize without writing it down, and do not tell it to [i]anybody[/i]. Not your friend, not your girlfriend/boyfriend/husband/wife/significant other. Nobody. If your significant other starts whining that you don't trust her/him, tell them that you are working on matters of National Security and, by not telling her/him your password, you're protecting them from getting killed. Bottom line is, don't get pressured into giving up your information. [b]Secure Your Computer[/b] Make sure that your computer is password-protected itself and that you never leave it alone without engaging the password protection. An unsecured computer can have a keylogging program downloaded from the Internet and installed in under 5 minutes, and you'll never know (unless you're so paranoid that you check for keyloggers every time you sit down at the computer). A keylogging program [i]will[/i] track any passwords that you enter. So be sure to lock the computer whenever you step away! [b]Shared Computers[/b] I know that some of you share computers with family members, roommates, or friends; you should be extra careful in these instances to never allow Hotmail to "Remember My Password," never write down your password, and frequently check to ensure that nobody has installed spyware onto the computer. Be sure to log out of your Windows Live account whenever you step away from the computer. Remember that even if you trust the person you share a computer with, they might inadvertently pass on your information to someone else without even knowing it. In the end, you should regard your password as one of those secrets that you never tell [i]anybody[/i], [i]ever.[/i] [b][u]Phishing[/b][/u] Most stolen XBox Live and Hotmail accounts are the result of [url=http://en.wikipedia.org/wiki/Phishing]phishing[/url] -- "phishing" uses various methods of fraud to get you to willingly [i]tell[/i] a person your password so that they don't have to guess it on their own. Changing your password more frequently won't necessarily help prevent phishing (although it should be changed periodically). Instead, you should be aware of the methods that phishers use and the ways you can avoid them. [b]Pretexting[/b] "Pretexting" involves calling XBox Live Support and pretending to be the owner of a gamertag who forgot his password ([url=http://techreport.com/discussions.x/12081]source[/url]). Pretexting is illegal under a recently passed federal law ([url=http://www.channelregister.co.uk/2007/11/21/id_theft_bill_passes_senate/]source[/url]). It used to be that the famously dimwitted staffers who manned the phones at XBox Live support would gladly give out a user's password to pretty much anybody who possessed minimal information about the gamertag's owner. Xbox Live has tightened up its security ([url=http://www.newsfactor.com/news/Microsoft-Pins-Xbox-Hack-on-Pretexting/story.xhtml?story_id=12200DUGPKZE]source[/url]), and the people who man the phones can no longer even see what your password is, much less hand it out over the phone. All the same, you should go to some minimal lengths to protect your account. 1) Do not place your real name, especially your full name, in your Gamertag or your profile. 2) Do not place your gamertag on any website containing your real name! Especially MySpace or Facebook. 3) Do not place your city of residence or your address in your profile (including on Bungie.net); instead, place a broad Metropolitan area or general region of whatever country you live in. I can tell you for a fact that doing this protected me when phishers attempted to steal my XBox Live and Bungie.net account. 4) Your Microsoft Hotmail "secret question" and answer should be impossible to guess. A good trick is to choose make the answer a random sentence that has nothing to do with the question, or a blatant lie. For example, your mother's actual birthplace might be Chicago, Illinois -- make the answer to your secret question "Smoking is bad for you" or "Chatanooga, Tennessee." 5) [u]Never give out your credit card information to anybody[/u]! These simple procedures can spell a dead end for social engineers who attempt to swindle your account information out of XBL support staff. [b]False Microsoft Websites[/b] Since XBox Live tightened up its customer service procedures, this is the most popular method of stealing XBL accounts. People will post or email links to sites with descriptions like "Free Recon Armor through a Windows Live Promotion!" or "Free XBox Live points!" When you click the link, it takes you to a page that looks [u]exactly[/u] like the Windows Live Login page. You enter your email and password, thinking that you're logging into Windows Live, but in actuality, you've just entered your XBL information into a phisher's database. This can be easily prevented by checking the address bar before entering any information. People are far too quick to trust what they see in the browser window. If the first part of the URL of the site you are on does not say "login.live.com" or another bonafide Microsoft name like "microsoft.com," you are not on a genuine Microsoft site. [i]Don't enter your information.[/i] [u]Users who post links to phishing sites here on Bungie.net are instantly permabanned[/u] ([url=http://www.bungie.net/Forums/posts.aspx?postID=18397538]example[/url]), regardless of whether you created the website or just heard about it and passed on the link without checking it yourself. [b]Other Websites[/b] Frequently, users who are too lazy to remember multiple passwords use the same email address and password for many different accounts, including the same password that they use for XBL. Phishers take advantage of this by creating Halo-related websites and then trying to access your XBL account using the username/password information that you use to log in on [i]their[/i] website. This is also easily avoided. Your Hotmail password should be different from any password that you ever use on any other website at all -- including sites like Halocrusades.com or Bungie.org. (Note -- these are not phishing sites, they are perfectly legitimate and being used only as examples) [b]Internet Detectives[/b] "Internet Detectives" use search engines on your gamertag to try to find other sites where you reveal more information than you do on BNet or XBox Live. Run a Google search on your gamertag, BNet username, and your Windows Live ID/email address; see what pops up. Do you have a blog? A website? Another forum that you use? Your personal information could be on any one of these sites. Be [i]especially[/i] careful about posting your gamertag on social networking sites such as MySpace, Facebook, or Twitter. Run a check to make sure that Google does not return other sites' information that could be used to gain access to your account. [b][u]Conclusion[/b][/u] Using these techniques, you can effectively eliminate the possibility of your XBox Live account being stolen. If you have questions, or more tips to add, feel free to add them to this thread. Please click the "Save This Thread" button if you find the information helpful, so that you can refer to it later or check back for updates. [Edited on 07.15.2009 10:55 AM PDT]