Tuesday, August 31, 1999 Published at 12:28 GMT 13:28 UK
Web e-mail inherently weak
Users of web-based e-mail services can encrypt their messages
By BBC Internet Correspondent Chris Nuttall
Security experts have been stressing the inherent weaknesses of Web-based e-mail services after hackers exposed an easy way to access any of Hotmail's 40 million accounts.
"These services are going to be less secure than POP3 [Post Office Protocol 3] services where people download their e-mail on to their local PC," said Graham Cluley, senior technology consultant at UK-based data security firm, Sophos.
"The messages are then deleted from the servers, but with Web-based services they stay there.
"This incident has done enormous damage to Microsoft's reputation. People will remember this for years and they may think about going to proper POP3 services in future."
Web-based encryption gaining favour
Web-based e-mail services have proliferated with many portal sites offering free e-mail and UK Internet Service Providers (ISPs) beginning to offer e-mail, voicemail and faxes through Web browsers.
The Hotmail break-in could see users turning to Web e-mail scrambled with encryption techniques. Hushmail.com and Ziplip.com have been gaining in popularity with their promise of secure online e-mail services.
Hushmail offers strong 1024-bit encryption through a Java applet initiated when users access its Website to send e-mail. Ziplip does not require registration and allows visitors to its site to write messages, which are encrypted on its servers and protected with a password. It then notifies the recipient, who can pick up the message only if they know the password. Both Ziplip and Hushmail are free.
Microsoft stresses usability
Microsoft has taken the brunt of criticism for security flaws exposed over the Internet, with its scripting, Windows operating system, Outlook e-mail program, Internet Explorer browser, instant messaging software and Hotmail all being targeted by hackers.
This is more than Microsoft being picked on because of its domination of the software industry. Much of the blame can be attributed to the company's concentration on usability.
Hotmail's attraction is that it can be used on any computer in the world connected to the Internet, meaning security cross-checks such as cookie files of personal information on the user's own computer cannot be utilised.
"Microsoft are the Number One target as far as hackers are concerned," says Graham Cluley. "They have to strike a balance between functionality and security. Up to now they have thought a lot more about ease-of-use - it's what sells their products."