(NOTE: This article was written December 7, 2016. Not one word has been changed since that date. To understand why it can only now be published, read the article on this site called 107 Days: A Microsoft Security Nightmare. -MDG)
For reasons that will become obvious, I am going to delay posting this article until the issue has been resolved.
A few days ago a colleague of mine discovered the password to my Microsoft Account. I won’t go into the how and why… I knew that my password had been compromised and I took the immediate steps to change it.
Ok, I understand that things break… I tried a few times, and then I decided to follow the advice and try later. I trust my colleague not to actually use my password, so even though I felt uncomfortable with it being compromised, I knew I could wait a couple of hours.
Throughout the evening I tried (unsuccessfully) to change my password. As I was sitting with my father having dinner, as I had drinks and cigars with my friends… no joy, I still got the same message. ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.’
I want to be clear… if my network had an error that was preventing users from changing their passwords I would consider it reasonably important, and I would take immediate steps to fix it. But having trusted Microsoft for so many years, I assumed this would be fixed eventually.
Four Days Passed.
Yes, it was literally four days before I decided that my passivity would not eventually lead to a solution. I sat down and figured out how to request support. I was hoping to be able to speak with a human being. Before I could, however, the Virtual Support Assistant got me to try this link and that link. It then made me go through seventeen steps to finally confirm that the account in question was mine… and once it confirmed that I really am me, it tried to reset my password… and I ended up with the same error message that ‘There’s a temporary problem with the service. Please try again. If you continue to get this message, try again later.’
Okay, it’s been nearly an hour… and I am chatting with someone who is quite obviously not their first round draft pick. After all, I asked for help with Outlook.com, not with something that people actually pay for. I spent twenty minutes explaining to him the situation, and the added (and I assume rare) complication that I have two accounts with the same address… my Office 365 account and my Microsoft Account are both the same address that are completely different. ‘Please don’t touch my Office 365 Account, I only want to change my Microsoft Account.’ This led to another five minute discussion on the meaning of the word change.
He had me fill out another form on-line. I did. At the end of that form I got a message that said that the product team would contact me within 24-48 hours to help me. I told the Support Agent that I had filled out the form. He told me that now I had to wait until they contacted me.
All in all, my Microsoft Account (which is the account I use for my MCT & MCP Benefits, Skype, and myriad other features) will have been compromised for the better part of a week… and there was nothing I could do about it. Yes, I could have contacted Answer Desk a few days earlier, so it would have been compromised for only three days. I want to know in what world is that considered an acceptable delay to be able to change a compromised password?
Some time ago I started using Multi-Factor Authentication (MFA) for many of my most important systems, which is why I am never concerned that my blog or my password vault could be compromised. For various systems I have a hard key (Yubikey) and soft keys (Google Authenticator and Microsoft Authenticator) which keep most of what I do safe. But most of the Microsoft systems do not support MFA and I am stuck with only a password. I use reasonably complex passwords so I usually am not concerned, but in a case where my password is compromised and I am not able to change it, I wonder how it is that a company as advanced as Microsoft (in this case) does not allow me to use MFA. I would love to be able to require my Yubikey in order to log in to Windows and many of the on-line systems I use, but it is simply not an option.
I am disappointed by Microsoft this week… and I hope that they take the lessons learned from this experience to improve. However I sit here today, thinking of the myriad occasions I stood on stage in over a dozen countries on five continents and defended Microsoft’s security systems as among the best in the world; I was always sure in my knowledge that I spoke the truth. Today I would not feel comfortable making that claim… and my faith in their systems, like shattered glass, will not be easily fixed.