Why doesn't Yahoo/MSN/Hotmail lock accounts after bad password logins?

I’m sure lots of folks here have been getting spam from people they’ve emailed in the last few months because those users have had their accounts “hacked” (brute force entry with a dictionary would be more accurate) and the “hacker” sends the spam to everyone on the contact list.

Gmail temporarily locks an account after a few bad login attempts. The more login attempts, the longer the temporary lock gets. So I don’t think I’ve ever gotten a spam from a “hacked” Gmail account.

Why in Sam Hill do the above-referenced clowns permit essentially unlimited login attempts to an email account until the dictionary-based brute force attack is finally successful? Are they too concerned with the additional ad impressions they might receive? I’m wondering if the fact that those companies are struggling with their ability to make money off advertising is related to the utter lack of basic security features they’ve implemented to protect their “customers.”


I’m guessing they’re too cheap to pay a developer to implement your suggestion.

I’ve had Hotmail lock my account when someone tried to access it. Then at a later date, when I forgot I changed the password, it locked me out. Admittedly the lockout is little more than a Captcha, but it will prevent most brute force attacks.

I just checked and Yahoo uses a pop-up captcha instead of locking to reduce the ease of brute-force. Not sure how you could slam that. And it keeps people from freaking out because they’ve been locked out. I’m sure the folks at Yahoo weighed the hackability of their system versus what their users complained about and this is what they came up with.

Why are you convinced that brute-force dictionary attempts are what is causing all of the webmail hacking?

What is happening is that hackers are getting ahold of user databases from other insecure sources (like bulletin board software) then taking user names and passwords and trying those in combination at Yahoo and Hotmail.

Getting those databases is easy for the hackers and trying combinations quickly and once avoids the use of the captcha (at least on Yahoo).

Doing a dictionary attack on some random schmo’s Yahoo account sounds like an awful waste of power. Having a list of user names and passwords is way more efficient.
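Two mechanisms are described in this thread: the escalating temporary lock that the opening post attributes to Gmail, and the credential-stuffing pattern in the reply above, where each stolen username/password pair is tried once so a per-account lock or captcha never trips. The following is an added example written for this thread, not code from any of the providers mentioned. It implements a per-account progressive lockout and a detector that aggregates login failures per source address instead of per account, which is the signal the stuffing pattern actually leaves. The thresholds, the field names in the log format, and the log lines themselves are constructed assumptions.

```python
"""Added example for this thread: per-account progressive lockout plus a
credential-stuffing detector. Illustrative code, not any webmail provider's
implementation; thresholds, log format and log lines are constructed."""

import re
from collections import defaultdict
from dataclasses import dataclass

# Progressive lockout parameters (assumed; the post only says the lock gets
# longer with each attempt). After FREE_FAILURES the window doubles per miss.
FREE_FAILURES = 3
BASE_LOCK_SECONDS = 30
MAX_LOCK_SECONDS = 3600


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failures per account and refuses logins while a lock is active.

    This stops a dictionary attack against one account: after a handful of
    misses the attacker waits 30 s, then 60 s, then 120 s, and so on.
    """

    def __init__(self, valid_passwords):
        # Constructed fixture: plaintext map for brevity; a real system
        # would verify against salted password hashes.
        self._passwords = valid_passwords
        self._state = defaultdict(AccountState)

    def lock_seconds(self, failures):
        """Lock duration after `failures` consecutive misses (0 = no lock)."""
        over = failures - FREE_FAILURES
        if over <= 0:
            return 0
        return min(BASE_LOCK_SECONDS * 2 ** (over - 1), MAX_LOCK_SECONDS)

    def attempt(self, user, password, now):
        """Return 'ok', 'bad_password' or 'locked' for one login attempt."""
        st = self._state[user]
        if now < st.locked_until:
            return "locked"
        if self._passwords.get(user) == password:
            st.failures = 0
            return "ok"
        st.failures += 1
        st.locked_until = now + self.lock_seconds(st.failures)
        return "bad_password"


# Constructed log format: one line per login attempt.
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")

# Constructed sample: 198.51.100.7 tries six different accounts once each
# (a leaked-credential list being replayed); 203.0.113.5 is one person
# guessing at a single account, which the per-account lock already handles.
SAMPLE_LOG = [
    "2024-01-01T00:00:01 src=198.51.100.7 user=alice result=fail",
    "2024-01-01T00:00:02 src=198.51.100.7 user=bob result=ok",
    "2024-01-01T00:00:03 src=198.51.100.7 user=carol result=fail",
    "2024-01-01T00:00:04 src=198.51.100.7 user=dave result=fail",
    "2024-01-01T00:00:05 src=198.51.100.7 user=erin result=ok",
    "2024-01-01T00:00:06 src=198.51.100.7 user=frank result=fail",
    "2024-01-01T00:00:07 src=203.0.113.5 user=bob result=fail",
    "2024-01-01T00:00:09 src=203.0.113.5 user=bob result=fail",
    "2024-01-01T00:00:12 src=203.0.113.5 user=bob result=fail",
    "2024-01-01T00:00:20 src=203.0.113.5 user=bob result=ok",
]


def detect_credential_stuffing(log_lines, min_accounts=5, max_per_account=1.5):
    """Return {source: distinct_accounts} for sources that touch many
    accounts about once each.

    A per-account lock never fires on this pattern because every account
    sees a single attempt, so the aggregation has to be per source.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        rec = per_src[m["src"]]
        rec["attempts"] += 1
        rec["users"].add(m["user"])
    flagged = {}
    for src, rec in per_src.items():
        n_users = len(rec["users"])
        if n_users >= min_accounts and rec["attempts"] / n_users <= max_per_account:
            flagged[src] = n_users
    return flagged


if __name__ == "__main__":
    guard = LoginGuard({"alice": "s3cret"})
    for t in range(5):
        print(t, guard.attempt("alice", "wrong", t))
    print(detect_credential_stuffing(SAMPLE_LOG))
```

Run stand-alone, the script shows the fourth wrong guess starting a 30-second lock and the detector flagging 198.51.100.7 for six accounts while leaving the single-account guesser to the per-account lock. The design point is the one the thread reaches: account lockout and credential stuffing are answered by different counters, and a site that only keeps the per-account one will see the replayed list as six unrelated logins.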

Ignorance fought. Thanks, guys.