Passport flaws let anyone control passwords

By Brian Livingston

Weaknesses in Microsoft’s “single sign-in” Passport technology forced the Redmond company early this month to temporarily shut down the ability of Passport users to change their passwords.

One of the newly discovered flaws permitted anyone to change an existing Passport account’s password at will. This gave the intruder the use of any credit-card numbers that had been entered by the original user.

The password change could be accomplished by simply visiting Microsoft’s Passport site, and including a user’s e-mail address – such as – as a parameter in the address bar of the visitor’s browser. In response, the Passport site then sent a “change password” link by e-mail to any e-mail address that had been included as a second parameter. The incredibly simple exploit came to light when security researchers in Pakistan announced it on May 7. The following day, Microsoft disabled the password-change procedure, which had been added to Passport in September 2002. The company then released a bulletin on May 9 saying the problem had been corrected.
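The root of the flaw described above is a password-reset endpoint that let the requester choose where the reset link was delivered. The following is an added illustration, not Microsoft’s code: a minimal reset handler whose delivery address always comes from the account record, with the token stored hashed, time-limited and single-use. The account store, outbox and the `example.invalid` URL are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the account store, the reset-token
# store and the mail system; none of this is Passport's real code.
ACCOUNTS = {"alice@example.com": {"password": "old-password"}}
RESET_TOKENS = {}      # sha256(token) -> (account e-mail, expiry timestamp)
OUTBOX = []            # (destination address, message body)
TOKEN_TTL_SECONDS = 15 * 60


def _token_hash(token):
    # Store only a hash so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(params, now=None):
    """Handle a 'forgot password' request.

    The flawed design honoured a second request parameter naming where to
    send the reset link.  Here the destination is always the address on
    record for the account; any client-supplied 'mailto' value is ignored.
    """
    now = time.time() if now is None else now
    account_email = params.get("account", "").strip().lower()
    record = ACCOUNTS.get(account_email)
    if record is None:
        return  # same (empty) response as on success: no account enumeration
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_hash(token)] = (account_email, now + TOKEN_TTL_SECONDS)
    # Deliver only to the registered address, never to params["mailto"].
    OUTBOX.append((account_email, f"https://example.invalid/reset?token={token}"))


def complete_reset(token, new_password, now=None):
    """Consume a reset token: single use, time-limited, bound to one account."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_hash(token), None)   # pop => single use
    if entry is None:
        return False
    account_email, expires_at = entry
    if now > expires_at:
        return False
    ACCOUNTS[account_email]["password"] = new_password
    return True
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the handler would use the clock directly.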

I’ve recommended against using Passport since I revealed in a Sept. 10, 2001, InfoWorld article (“Passport is cracked”) that technicians could easily capture passwords from any Passport account holder who used a Windows 9x or Me machine to connect to an ISP.

Numerous experts have found other serious weaknesses. For example, researchers at AT&T Labs warned in a 2000 publication that Passport’s redirection of browsers to Microsoft’s servers was not protected by SSL (Secure Sockets Layer), again leaving passwords open to inquisitive ISP employees.


All Windows Secrets articles posted on 2003-05-22: