Sign in solution is available
Redmond, July 18, 2004, 22:00 PDT
I'm sorry that this post is so late, and I know that folks are frustrated with the
lack of communication. We have been on the verge of good news all afternoon (and
evening), and it is here.
I'm happy to announce that we have published a solution to the sign-in problem.
Users that have been unable to use the passwords or work with their files offline
should follow the directions at: http://sync.money.msn.com/help/pss/w1.asp
I know that there are additional questions, which I have answered below.
Q1: What happened with our passwords?
A1: On Monday, one of our servers was updated and inadvertently
pointed to the wrong location to verify authentication. The authentication process
worked perfectly - we caused the problem by looking in the wrong server location.
This mistake only affected Money services. (If you think of your login information
as a key, and our servers as a lock, then we changed the lock on the safe, and the
old key wouldn't work anymore. There is no way for the user [or anybody else] to
create working login information. The good news is that nobody could open the local
file because of this mistake at any time; your information is still protected.)
We corrected the "wrong server location" problem Tuesday morning, and users who
did not log in between late Monday afternoon and Tuesday morning should be able to
use their files normally.
Those who were affected may continue to be affected, however, since Money downloaded
some of the garbled information from our servers. (Basically, we made a copy of
the lock on your local file. Why did we do this? Because when you change the lock
yourself, you don't want the old key to continue working on your local file. You
also wouldn't want there to be an easy way for somebody on your machine to ignore
the change in the locks. Of course, we will look at this scenario to see if we could
solve it without decreasing security in the future.)
This situation has not caused any violation of our users' privacy, and our online
services have continued to be available.
Q2: How does the fix work?
A2: We have carefully recreated the incorrect environment of
Monday evening and a Web page to access it. The web page will allow affected users
to log in with their current information and recover the lock information that has
locked them out. This will allow them to unlock their file. It is important to note
that users who changed their password should use their new password, and that no
user will be able to access the lock information for another user.
Again, this solution does not violate our users' privacy. We are using your login
information to restore the lock to your unique key.
Users who have been unable to access their local files should open a web browser
to http://sync.money.msn.com/help/pss/w1.asp and follow the directions on that page.
Q3: Why did it take so long?
A3: We have addressed the problem in stages. Our first efforts
were to restore the correct configuration of our servers, while preserving the state
they were in for investigation.
Then, we started a careful investigation of the impact on users. Naturally, we are
very careful when dealing with users' login information and follow strict procedures
to protect their privacy.
We have identified three different states that users' files can be in, and we worked
on fixes for all of them. We realize that it was important that the fix be thorough.
At all times we were working as directly and hard as possible at getting a solution
out to the affected users as soon as possible.
Q4: What if I still can't access my file?
A4: You should send email to firstname.lastname@example.org.
Q5: Was this Passport's fault?
A5: No. Passport was working correctly, and always did work
for access to our online services, such as MSN Bill Pay. The issue relates
to Money's server interactions with local Money files.
Q6: Why does Money use Passport for the local file?
A6: We use Passport for a number of web services at Microsoft,
including financial web services that we offer through Microsoft Money. Since the
local file can access these services, the file needs to be protected as well. For
ease of use, we use the same system, Passport, to protect access to the local file.
Users that do not use the web services do not have to use Passport for the local
Note: The email and web addresses above are no longer valid