The hidden danger of Windows 8 Microsoft Accounts

Microsoft goes to great lengths to convince Windows 8 users to log on with an email address, but if your account gets hijacked you could find yourself locked out

If you've been using the Windows 8 Consumer Preview, no doubt you've toyed with the idea of using a Microsoft Account log-in -- most commonly a Hotmail or Windows Live email address. But have you stopped to consider what happens if your Hotmail account gets hijacked?

I'm not concerned about computers connected to the domain. I'm worried about the mobile folks, the ones who work off the grid. They face an interesting challenge in Windows 8.

Windows 8 stacks the deck, trying to convince people to log on with an email address. Microsoft has rebranded many old accounts -- Windows Live ID, Hotmail ID, Zune, and Xbox Live IDs -- into a shiny new "Microsoft Account." When you sign in to Windows 8 with your Microsoft Account, you can download apps from the Windows Store and get into your SkyDrive data with just a click. Microsoft also synchronizes many of your settings, including legacy desktop and Metro appearances, IE favorites and history, Web sign-ins, and so on.

If you log on to Windows 8 with a regular Local user ID and password, you're a second-class citizen. The Music app sniffs, "To get the most from this app, switch from your local account to a Microsoft account." You have to sign in to the Microsoft Store. SkyDrive asks for a sign-in -- photos, too. It's definitely to your advantage to set up a Microsoft Account and use your Hotmail or Live email address. (You can use any email address as a Microsoft Account, in fact, but the Windows 8 directions don't mention that option.)

Here's the problem.

I get complaints almost every day from people who have been locked out of their Hotmail accounts. Nine times out of 10 they've been careless with the password -- reusing their Hotmail password on other sites, for example, or typing it on a machine of dubious pedigree. Some scammer grabs the password, logs on to Hotmail, and commandeers the account. Within minutes, every address in the Hotmail contact list receives a message that says, "Help I've been mugged, send $500 via Western Union." Invariably the scammers change the password, so they can use the account while the owner's wondering why he or she can't get in.

I'm sure you can see the problem. Hotmail accounts are quite attractive to scammers. If you use a Hotmail ID for your Microsoft Account and your Hotmail account gets hijacked and the password changed, Windows 8 lets you log on to your PC, but when you do, you get the notice "You're signed in to this PC with your old password. Sign in again with your current password, or reset it." If you then try to reset your password, you can't -- clicking on the Reset link doesn't do anything.

I've encountered some problems that appear to be beta bugs -- the "Sign in again" notification comes and goes, for example -- and it isn't clear if there's a time limit on how long you can continue to use the old password. (I've let it run for 12 hours without being blocked.) But until you can provide the hijacker's password, you're locked out of all Microsoft Account access.

This story, "The hidden danger of Windows 8 Microsoft Accounts," was originally published at InfoWorld.com.

Copyright © 2012 IDG Communications, Inc.
