Microsoft Tells Me a Password Isn’t Enough – What Do I Do?

Last night, my wife received a call from a relative who received a strange pop-up after logging into her Hotmail account. It was a notice from Microsoft stating, “A Password Isn’t Enough.” This notice requested additional information from her including: her phone number, an alternate email address, and other information.

My wife then brought the situation to my attention, asking if this was some sort of a phishing scam or if her account had been taken over by some malicious outsider. When we received the same message logging into the account from our end, the idea behind this popup became clear.

It was Microsoft’s strange way of asking for additional information in the event that an account becomes compromised. After all, asking for a password reset after gaining access to a single email account is an easy way to compromise someone’s email account. It happens all the time, and this is where additional verification information comes into play.

By adding a phone number, you are making it possible to have your phone added as a type of two-stage authentication for account changes such as password resets, removals, etc. That isn’t to say you have to have your phone with you to log in, but unless an outsider has your phone, it’ll be difficult for them to prove that they’re you when making serious account changes (or when you’ve reported the account as being compromised).
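An added illustration of the split described above (not Microsoft’s code, and not from the original article): login stays password-only, while sensitive changes such as a password reset need a one-time code delivered to the phone on file. The `Account` class, the action names, the 10-minute lifetime and the three-guess limit are assumptions, and `send_code` returns the code where a real service would send an SMS.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed validity window for a code
MAX_ATTEMPTS = 3         # assumed number of guesses allowed per code
SENSITIVE_ACTIONS = {"password_reset", "remove_phone", "close_account"}  # hypothetical names

class Account:
    def __init__(self, password, phone=None):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.phone = phone
        self.pending = None  # (code_digest, expires_at, attempts_left)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def login(self, password):
        # Login stays password-only; the phone is not needed here.
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def send_code(self, now=None):
        """Issue a one-time code for the phone on file (returned instead of sent by SMS)."""
        if self.phone is None:
            raise ValueError("no phone on file")
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()  # store a digest, not the code
        self.pending = (digest, now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def authorize(self, action, code, now=None):
        """Allow a sensitive change only with a valid, unexpired, unused code."""
        if action not in SENSITIVE_ACTIONS:
            return True
        if self.pending is None:
            return False
        now = time.time() if now is None else now
        digest, expires_at, attempts = self.pending
        if now > expires_at or attempts <= 0:
            self.pending = None  # expired or guessed out: a new code is required
            return False
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest):
            self.pending = None  # single use
            return True
        self.pending = (digest, expires_at, attempts - 1)
        return False
```

Someone who holds only the password, or only the recovery mailbox, never sees the code and so cannot get `authorize` to return `True` for a reset.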

The short answer: No, your account has not been hacked just because Microsoft is asking for this information. It’s simply an extra security precaution that we can all hope Microsoft never has to use. You can refresh the page and log in just fine without volunteering this information, as well.

Known Issues

Microsoft has apparently done a poor job of wording this page, or warning customers that this action is necessary. Upon searching for the phrase, I found no immediately available resources from Microsoft explaining the popup or why it was suddenly activated on so many users’ accounts. Further to that, forums (including those hosted by Microsoft) are filled with complaints from users concerned that this is nothing more than a phishing scam.

There are some reports out there of non-US phone numbers being rejected or unable to validate, Argentina being one example of a region impacted by this issue.

Despite the wording stating that passwords are not enough, users can access the site just fine with only a password. This isn’t so much a bug as a point of clarification required on the part of Microsoft. If you want this pop-up to appear less suspicious, it’s better to word it in a way that doesn’t make that new information appear required for login purposes. Put a reminder to fill that information out in an email to users, or make a pop-up within the mail application itself asking for that information in the event that something goes awry.

Have you received this pop-up? Did you enter any information in, or did you close it like so many others have?

Image: Microsoft

Article Written by

Ryan Matthew Pierson has worked as a broadcaster, writer, and producer for media outlets ranging from local radio stations to internationally syndicated programs. His experience includes every aspect of media production. He has over a decade of experience in terrestrial radio, Internet multimedia, and commercial video production.

  • Curtis Coburn

    I just checked my Live account and no message popped up. But when I made the account, I gave Microsoft the needed information to make the account. They usually ask for a phone number, another Email address, and a security question.
    All of this information I do think it is important for Microsoft to have, just in case something does ever happen to your account, they know what information is right, and the best ways to contact you. If they do. It’s always a good thing when these big companies like this do their best to ensure security.

    Google I believe does an excellent job at this. But that could be a whole other article.
    Good article.

  • http://www.facebook.com/Wwallender Dakota Wallender

    I think a good idea for emails, bank websites, etc. would be to allow an option to log in with a username and password; once that’s done, the website will ask for a code that will be sent to your phone. 90% of people have a phone on them all the time. I’ve used this feature and it makes me feel safe!

  • http://twitter.com/creation4use Samuel Guillermo

    I don’t know if two passwords is good for me; it’s hard enough for me to remember one.

  • Liam Jackson

    I had all of this information asked when I made my Hotmail account back in 2005(ish). So nothing is new here. Many companies do this all the time. I have Facebook and Google verify my logins via SMS; it is a completely safe system which I find efficient. I guess it is just finding the balance between privacy and features.

  • http://www.facebook.com/Michael.Basil.Albayya Michael Albayya

    It’s hard to pick a good password these days.

  • kefir

    cool great job

  • http://twitter.com/RadSel8 Ahmed A

    I’ll just keep using my 10-character long password everywhere. Sorry, my brain can’t hold a lot of passwords.

    • Jesse Aranda

      Why not use KeePass, LastPass, or some other password tracker/generator? It keeps all your passwords safe and has a great password generator. I prefer KeePass because it’s open source.

  • timothy chan

    I personally use a music tune that is easy to remember for my router password. It’s simple and complex. I don’t want intruders messing with my network. DDoS attacks are ugly these days, especially what they can do in the long run.

  • Neill Young

    I should probably bump up my passwords from 8 alphanumeric characters.

  • http://www.facebook.com/qwilleran.lake Qwilleran Lake

    Many sites over the past few months have been doing this. Most make it mandatory for you to add extra information, or to change your password to be more complicated. I’m GLaD that they have given the user a choice whether or not to use the extra security precautions. I myself like to keep it simple and only use a one step system, but just because it’s one step doesn’t mean it can’t be a complicated one.

  • Jesse Aranda

    I trust my randomly generated, 16-character password to keep me safe. Using KeePass is my recommendation and practice.

  • http://ironiclee.blogspot.com/ Jentylee

    What a strange call for your wife to get, Ryan, and then for both of you to get the same pop-up. It’s a case of good intentions, bad execution on Microsoft’s part. You were right in suggesting that MS should have put a heads-up and reminder e-mail if not just a highlighted part of the screen that goes away when the information is filled out. In this day and age, it is normal when getting stunned by such messages to be wary. We’ve been taught that and rightly so. I think MS’s idea of having a phone number ready is wonderful; another security level and user service as you stated, once the email is compromised then it’s easy for the hacker to just ask for a password reset. However, they didn’t go about it the right way. Hopefully someone higher up at Microsoft will read your article.

  • http://bkgcom.blogspot.in/ Bharat Kumar Gupta

    Well, I have started using 2 step verification log in for most of my accounts after reading loads of posts on security compromises. Hm, even I observed this pop up window, I would agree too that wording is not right, they could tweak something here!

  • http://twitter.com/armanzokaei Arman

    I use a password generator that gave me a 15-character password that I have been using happily. I’ve also forgotten it once, but I just regenerate one and reset it.

  • Joshie305

    Uhmm, I have not had this pop-up, but I think Facebook also tells you this similar pop-up for security reasons.

  • Mohamed Hisham Hadjazi

    I use the LastPass addon on all my devices; I only have to remember 1 password ^^

  • http://www.facebook.com/ROBERTO1811 Roberto Van Gilder

    This also happens in YouTube, and I think that it’s quite useful, because people do actually forget their passwords!

  • Dinesh

    It’s not a user-friendly reminder in my opinion (by Microsoft). I have had similar reminders but in a better context (by Google and Facebook) for example. But, kudos to your wife for being extra cautious because not many users even question when they see something to be ‘phishing’. This cautiousness, in my opinion, is important to be secure online.

  • http://www.facebook.com/profile.php?id=1270242944 Tom Easterbrook

    I know it is vital to have a strong password, but having to give your phone number and other personal details is stupid. Look at how many companies have been hacked and these details exploited.

  • http://www.facebook.com/tom.sharples.18 Tom Sharples

    I THINK I’M GOING TO START CHANGING MY PASSWORD NOW

  • Ro Atkinson

    I did think it was an incredibly annoying message. It was at exactly a point when I was in a real hurry to get into my account and it came at exactly the moment that I had to change another password only a few seconds before. I didn’t think it was phishing though. Maybe because I was so irritated at the time.

  • http://jp-pc-tech.blogspot.com/ Pascal Fiedler

    Great to know that. Do I have to change my password if this is popping out?

  • louis percival

    I find choosing a password difficult. I tend to use the same characters, which I know is bad.

  • http://www.facebook.com/profile.php?id=606163198 Christopher Micallef

    Passwords are awesome #$15amaawesome

  • http://www.facebook.com/steven.topich Steven Topich

    I get this message just about every time I log in to Hotmail. It is annoying but if you just click save at the bottom of the page it takes you right to your inbox.

  • Trent Auld

    I really think password creation on some sites is overly complicated. I recently had to create a password using a number, an upper case letter, a lowercase letter and a symbol. Also it had to be 8-10 digits in length.