Hotmail No Longer Accepts Long Passwords, Shortens Them For You
An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
That's enough for hotmail !!
12 letters, no special characters my ass.
No, you may not know which bank I use.
Somebody hasn't read the relevant xkcd.
greed@All_Evils:~#
A long time ago I had a 10 character password that ended with some numbers for an AOL account. I fumbled the numbers at the end of the password once, aware of such, but hit login anyway and it still let me in. I tested and confirmed it not to care what numbers were at the end of the password. Later it was revealed that AOL was just making a hash of the first 8 characters of the user's password, so it really didn't matter what you entered past the 8th char because it would be trimmed before computing the hash....
Umm, TFA says that Hotmail has never accepted passwords longer than 16 characters - it used to silently truncate them. The only thing that's changed is that Hotmail is now letting you know that it's truncating the password.
Well, in the Bad Old Days, Unix passwords could only be 8 characters, later extended to 16. Less concerned with the original scheme, more with the fact that Microsoft may be using password algorithms from the 1980s.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
RTFA and you learn that they've only been storing the first 16 characters for years, letting you type away in vain. Otherwise they'd have to produce new hashes for the "shorter" passwords that they expect users to use now. (There's no such thing as reading the first 16 digits of a hashed password).
Whenever I see any website that rejects passwords longer than X characters, I turn away and go somewhere else. My smallest password these days is 20 characters with numbers and special characters. I expect pretty much any decent website to accept those.
They're there in their room. You're on your own.
hunte
Presumably someone from the NSA or IRS wants to know...
Hmm... Why wouldn't they just store a 16 char hash of whatever password you want?
Usually you only see this when someone is doing something wrong from a security standpoint.
Who in their right mind would trust anything sensitive enough to require a 16 character password to Hotmail?
Any insufficiently advanced magic is indistinguishable from technology.
Security -- the microsoft fail of all life
I thought you were supposed to enforce longer passwords instead
The math is clear: if an 8 character alphanumeric password takes a second to break then a 20 char password takes about 15.000.000.000.000 years to crack, or 110 times the age of the universe.
- "There is nothing quite like an ineffective solution to a nonexistent problem"
If you're protecting against Sky-Net SAC-NORAD missile launches I can see it, otherwise it's overkill.
Unfortunately you need a lot more when people listen to the terrible advice given out by terrible comics and start using passphrases consisting entirely of dictionary words. "incorrect equine cell affixer" becomes "incorrect equine" when truncated to 16 characters.
As fun as it is to bash Microsoft, they're not the only ones who do this. Presumably there is some technical reason why this is done, but I am at a loss for what this would be. Would someone be able to explain to me the reason why such limits are put in place?
It seems with modern computer capability that absurdly long passwords would be trivial. The hashed password length would be the same regardless, so I can't see storage space as the issue. The only other idea which comes to my mind is the computational difficulty of hashing the passwords, but even that has to be trivial by today's standards, even with millions of users hitting the servers. Why not go overboard and just allow several kilobytes worth of password?
"A witty saying proves nothing." - Voltaire
Quit using Hotmail. Problem solved.
Some very major sites are even more egregious -- take for example American Express, which limits passwords to 8 letters and numbers only, no special characters allowed. Even a decade ago that's like calling for a bodyguard and being sent an 8-year-old boy with a slingshot. Every month I think about closing that account for that reason alone.
Does this mean they were storing the passwords in cleartext? In a real system they would simply be storing the hashes, shortening the password would cause it to create a different hash and not match.
I'm a good cook. I'm a fantastic eater. - Steven Brust
This allows your password to be revealed with minimal computing time. Sounds more like it is to assist law enforcement, than end users. Anyone choosing a password over 16 characters, obviously didn't want the help in the first place.
A banking website I used silently dropped special characters, perhaps to prevent injection attacks on their form. Reduced you to letter and numbers only.
So... it means Microsoft is not hashing passwords at all, because hashed passwords cannot be truncated (well, at least not without the user entering the FULL password after the truncation system has been put in place)
Wow...
I think this has been the case for many months, if not years. I don't think I'm mistaken, but I may be. I think if you entered a long password, only the first 16 characters were necessary to log into your account. Please correct me if I'm wrong.
As opposed to the sign-up page at Phil's Hobby Shop, which pretty much advertises that it's 936-compliant.
Slashdot has a password length limit, IIRC it's 20. The input field for setting a password has a max length of 20, however the login field doesn't. So when I last changed my password I was confused for a short while till I realised that I hadn't read the password guidelines. To be honest I find that ~50% of websites that I try to use long passwords on are limited to around 20.
Huh. Filter error: That's an awful long string of letters there. So spaces added.
Things one might never tire of hearing:
Ohmyitssolarge!
Itwasthebestoftimes Itwastheworstoftimes
Franklymydear Idontgiveadamn
Youplayeditforher youcanplayitforme
OnthewholeIwould ratherbeinPhiladelphia
Also, some obligatory links for your benefit:
http://xkcd.com/936/
http://xkcd.com/792/
TD Bank, my current bank, has the following password requirements:
6-32 characters, no spaces, alphanumeric + the following symbols only: [list of characters removed because /. thought it was spam; it was a fairly short list, though. Didn't even include an asterisk]
Additionally, back when I signed up for online banking with them, I filled in a bunch of garbage for the security questions because security questions are just an attack vector, and I don't forget my passwords (I highly recommend KeePass for managing passwords, it's amazing).
Anyways, a few years ago I went to log in and was prompted to answer a security question. Wtf? I had to call customer service to get my security questions reset. Now, if they don't recognize the device, or every so often, in addition to password you need to answer a security question.
This means that I'm forced to either give real answers that I'll remember (and that anyone else could figure out to hijack my account), bogus answers that I can try to memorize, or garbage that I write down and hang onto.
I also recall, around 10 years ago, I was using Bank of America and they had a limit of either 12 or 16 characters on your passwords.
Of course, my email, web hosting, and even my fucking World of Warcraft use actual two-factor authentication, with phone apps that generate codes that are only good for around 30 seconds, and outside of a man-in-the-middle attack they're practically bulletproof. Why the fuck can't my online banking be as secure as them?
Seriously who THE FUCK cares?
Uh, the guy who wants to crack your password.
Don't give a shit what color hat he has on, this dumbass move is making his life a lot easier regardless.
Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.
Tell me again why it is terrible advice to use phrases?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
In cases where there's no physical access to the data, how does one get 1000 guesses per second? If my bank is going to lock my account after three incorrect guesses and if I keep a reasonable spread of account names and passwords, what's the actual risk of a 'weak' password actually being compromised? If I use a repeated account name and password on Facebook, what's the drama of someone guessing passwords at 50 per second?
At least you don't need to use your real name.
For a shorter 16-char version of your password to work, this means Microsoft has most likely not been hashing your passwords, but storing them in clear-text. So that any length of your password string is identifiable...
Here's your chance, hack hotmail, and get a treasure chest of emails and passwords, and subsequent Bank password reset opportunities....
My password is thus: SHA1 HMAC( PW, domain + salt ) -- Output as Base64 (where + is concatenation). I use this method because I can recreate the password at any time from anywhere. I don't rely on anyone else's password systems, I just use this simple algorithm which I can implement on any machine with the simple cryptographic primitives (hashed message authentication code, and a hash). I get a different password for each site, while using the same password everywhere. I change the salt and/or main password every so often, and only have to remember the current and last PW as I migrate to the new password as I run into sites I use.
At first I created a table within the bookmarklet that would allow me to set additional rules for passwords, limit length, use a different set of characters for the base64 output -- The hash would be filtered on a per site basis to comply with all the bullshit. I could deal with such shortcomings five or ten years ago, but not today. Synchronizing the bookmarklet defeats the purpose of using a simple algorithm. If a site won't accept something like: NzE1YWViMGQwMjU3NWRlNmI3ZDQ0NTQ0NzI4MjE3MGU5YzRlMWY3NiAgLQo= as a password then I just don't use the service.
I'll never use any Microsoft products, so I'll have to rely on others to discover: I imagine MS would simply ignore characters beyond the new limit? If not it would surely break password entry systems like my own or even saved password mechanic in all browsers... Including IE. It wouldn't surprise me if MS did break password entry for long saved passwords -- Smart folks who are security aware aren't their target audience.
So I won't have to change from "Suck it, Trebek!"
They might have only been passing the first 16 characters into the hash all along.
I swear to God...I swear to God! That is NOT how you treat your human!
This is the sort of MBA spreadsheet thinking that kills companies. I suspect that someone did an audit that showed the passwords taking up all this "Valuable" space or some other bizarre analysis. The tiny savings from having the shorter passwords will instantly be nullified the first major hack that comes along.
So MS is faced with one of three expensive situations:
They weren't hashing but storing my pass in some open or reversible format which when hacked will create a mega PR / liability problem or,
They are hashing and the truncated passwords won't work and they are going to blow off any customers who had long passwords which will tend to be the more technologically savvy who, as a group, are a bad idea to piss off as they are the types recommending technology to the masses. MS does not need to lose even more of the techno aware. or,
They are hashing which means a truncated pass won't work and they will then have tech support hand out access willy nilly resulting in the easiest social phishing in the history of the net. "I would like you to set the password for the account bgates@hotmail.com to 12345678. Your name sir? Billy Gates you fool, now hurry. Thank you sir your password has been reset to 12345678. I would like to spend 5 minutes asking you about your purchase plans for our new $10,000 tablet..."
I'm sure most hotmail users are more worried about the minimum character limit rather than the maximum.
"My password can't be 'poop' anymore. How will I ever remember it?"
In this age of ubiquitous spyware and key loggers passwords are pointless. Two factor security or don't trust anything important to a system.
My passwords for things are simple, but I only trust important data to to factor. I just assume anything only password protected is compromised.
Since I can't tell them apart, I treat all ACs as the same person.
My new hotmail password must be "correct horse ba".
Could someone explain how this would be even possible to pull off in the first place unless our passwords were stored in plaintext?
Last time I checked, you couldn't truncate a password like this after it's already been hashed.
Microsoft, shame on you.
In which case typing the full password would still work.
Your email account in 1998 is now more vulnerable!
Here's your chance, hack hotmail, and get a treasure chest of emails and passwords, and subsequent Bank password reset opportunities...
Thanks, but the real opportunity was back in 1999 when they limited your password to two characters. Now those were some good times!
Such a low ID, yet such lack of understanding. Mighty impressive.
Do yourself a favor, don't comment on anything security related anymore.
A website chooses not to store an infinite length password of yours, and that makes headline news on slashdot? seriously, that's a problem? Guys, it's free third-party e-mail. It's not your safe-deposit box.
Oh, and by the way, you can make the key to your safe-deposit box as long as you want, the lock will still only accept the first inch of it. Your girlfriend also won't accept more than 16 inches, by the way. Sometimes things are larger than capacity will allow.
Not to mention, we all know exactly why they won't take more than 16 characters. Any bets your password's simply hashed into a 16 byte string anyway? Congrats, on your 17 character password being converted into 16 anyway.
But hey, car doors and house doors with entry codes have 5 buttons each doubly-labelled. So 1 & 2 are on the same button. Making 11, 12, 21, and 22 the same double-press of the same button.
Complain harder. Maybe then things like this might matter. Right now they make absolutely no difference whatsoever.
MOST older people or just forgetful people will substitute a real sound "èò_bfR43" type of password with a much longer but equally sound "IndianEtherodyneForest33LakehurstManor", which would just be a switch from a MACHINE-sound uppercase, symbol etc. password to a password an actual human is capable of associating with events or places he's sure not to forget... remember we ARE made out of flesh after all.
Seems to me the usual pig-headed faceless bureaucrat sort of decision made by a techie without ANY regard to human "haptics"...
Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.
Tell me again why it is terrible advice to use phrases?
And at 100 billion guesses a second, using multiple GPU cards in a custom setup, you can test all those passwords in about 0.3 seconds.
Or, hotmail will delete your account if you don't log in for 360 days. Another option would be to re-hash the password as the user successfully logs in, and store two hashes. You would only need to do this for a maximum of a year, because after a year either everyone has logged in (and thus created the second hash) or their account has been deleted by the cleanup robot.
0123456789ABCDEF
This is, well, stupid. I don't even know my own passwords. I have so many of them and they are so long with so many special characters that it would be impossible to keep up. I keep them in KeePass and just copy/paste them in the text box (it deletes the clipboard). Why place such a restriction on passwords when it is more important now than ever?
And at 100 billion guesses a second, using multiple GPU cards in a custom setup, you can test all those passwords in about 0.3 seconds.
It's remarkable when anyone has 100Mbps network to the world, you've got a large multiple of 100 Gbps, and the server actually responds with "invalid password" pages that fast?
I do. I have been complaining about this for a long time. I am one of the few people that chooses to use a password longer than 16 characters. The reason I do it is also Microsoft's fault. Back in the day, passwords 14 characters and shorter were victims of LM hash attacks. Does anyone remember that?
Windows passwords 14 characters or shorter were hashed. But for some reason, MS decided to hash the first 7 characters, then the next 7 characters. So you effectively had 2 passwords of 7 characters. These LM hashes were still in use in Windows XP.
Sites cannot just shorten passwords, as they do not know our passwords, only their hash.
They may have started telling people about this, but it has always been this way (at least for the last decade). Like 7+ years ago I had a long password on Hotmail (16+); I eventually learned that both the signup and login password fields just allowed 16 characters, so I was just typing extra characters for no reason.
Troll is not a replacement for I disagree.
29,403,847,100 possible words
2 random words used for simple passphrase
29,403,847,100^2 = 864,586,224,280,178,410,000 combinations
You must live in a fun world where 8.64E20/1E11 equals 0.3
if (password.length() < 16)
    rejectPassword();
else
    hashAndStore(password);
Giving MS the benefit of the doubt and assuming that they are hashing the passwords in their database at all, I have to wonder if this might mean that there is some kind of weird legacy algorithm at work here. After all, Hotmail is an old Microsoft service, dating from the time period (roughly 1995-2005) when Microsoft was totally allergic to anything resembling industry standards. Perhaps they are using an old NTLM-style hash that only takes inputs up to 16 characters, because they never got around to updating the back end.
...what would be the benefit of restricting password length? It's not like you need to save storage space or anything. Why shouldn't Hotmail allow longer passwords, why is it important to them from a technical point of view to enforce a 16 char restriction?
This is an attack once you have the password hashes, not a front door attack. That's why rainbow tables were mooted.
See parent (or grandparent or something).
http://it.slashdot.org/comments.pl?sid=3135655&cid=41417323
http://lkml.org/lkml/2005/8/20/95
That problem sounds familiar.
So much for THAT strategy: http://xkcd.com/936/
The real question is how were they able to truncate your password if they used a hash?
Somebody who understands the consequences of this, please mod it up!
"Trump!!", the new Godwin.
but create an account at redhat.com and you're limited to 18 characters.
I dug through the recesses of my brain to remember a password that short and the JavaScript validation had the nerve to call it "Strong". (And the JS only worked on keyboard events.)
Red Hat should know better.
Actually it's not that hard to "outsmart" brute-forcing - two simplistic ways are to insert a verification delay (artificial or computational depending on the situation) so that brute force attempts will generally take months or years to succeed, or just block any attacker that makes multiple attempts faster than a human could reasonably be expected to. Even a really lax limit like blocking an attacking IP for a day after five failed attempts in a minute will block upwards of 90% of brute-force attempts and probably won't affect legitimate users at all.
Think of it as somewhat analogous to being the doorman at a speakeasy or illegal gambling joint - you know, the guy in the movies that spends all night opening the tiny window and saying "Password?". It's not exactly hard for him to tell when someone is just repeatedly knocking on the door and guessing wildly and politely ask him to leave while they still only have a few broken ribs.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
I suppose that code could be somewhere in the Hotmail source code, but is it likely that they would put a completely arbitrary condition like that in there?
We understand what he means, but if you did not read the update here you go
This doesn’t mean that your password has been shortened. Actually, Windows Live ID passwords were always limited to 16 characters—any additional password characters were ignored by the sign-in process. When we changed “Windows Live ID” to “Microsoft account,” we also updated the sign-in page to let you know that only the first 16 characters of your password are necessary. To avoid this error message in the future, you only need to enter the first 16 characters of your password.
Amusing idea but not how it works. You can migrate people to new hashes easily and that is what they did. Simply look up in a new table and if there is no hash you use the old hash and if it works then you hash the password into the new table. Eventually everybody who uses the service is migrated. Unless they used an idiotic system they couldn't possibly get user passwords but they always get them as input to generate the hash.
Democracy Now! - uncensored, anti-establishment news
What ever will we do with only 95 bits of entropy between our chain letters of cats and the international spy agencies wanting access to our email?
If the server or ISP supports IPv6, the attacker just needs a home that can use 100000000000 IP addresses, and on IPv6 that is easy.
Liberty freedom are no1, not dicks in suits.
My bet is their customer base are people that prefer shitty passwords. Eventually they will add two factor authentication. Of course it will mostly be so they can blame the other party when the method gets owned. But they still won't have to anger users that prefer shitty passwords.
Having to work for a living is the root of all evil.
When I tried to set up a password "FuckingAce" (not used for anything anymore), it wouldn't let me, I worked out that it wouldn't allow the word fuck and a range of other swear words. Thanks Microsoft!
There is only one good explanation for this and that is storing the passwords either plaintext, or in a reversible encryption.
Why do I think that? Hashing a 64K bytes long password will give the same hash size as hashing a 4 byte one. Since they must store some representation of your password somewhere, they will run into space and performance trouble if they have to store long passwords. Imagine having to store 500 million passwords that can be 64K each. That's a whole lot more space to reserve (yes, even 4 byte passwords need that reserved, you never know in advance how big a password is going to be) than 16 bytes. 32 Terabytes of password storage vs. 8GByte that you need for 16 bytes and 500M passwords. For a typical hash using a 16 byte salt, you'd need less than 64 bytes per password. That would give you 32Gbyte of database for 500M users. I'd say that's a significant difference, especially since you want those passwords available all over your datacenters (think replication and synchronisation over WAN links, you easily have more than 10 of those databases on fast storage worldwide). That's a difference that is big enough to warrant a serious limit on password size if you choose to not hash it, but use plaintext or reversible encryption. The only other valid reasons I can think of for requiring a maximum size is the workload you give your browser, the internet in uploading the POST request and their servers in calculating the hash. Since I very much doubt that will be the reason and significance for 16 vs 256 bytes is negligible in terms of load, I can't see any other reason than plain text or reversible encryption.
For those of you that didn't get what all this means:
Hotmail and MSN are most likely storing your password in a way that hackers can trivially get to read it if they get hacked. You may want to use a unique password, or avoid their service completely.
I was promised a flying car. Where is my flying car?
Like other people already said before me, Hotmail NEVER accepted passwords longer than 16 characters. It would simply truncate it in silence. This is really a crap security policy and is notoriously known to be one of the worst security practices ever for password storage. Giving everyone awareness of the max password length sounds to me like they REALLY want people to stop thinking of Hotmail as the place to be... I mean, think about it... technically, all this does is make Hotmail sound outdated and insecure. This might just be one more step they are taking towards forcing users to migrate to their new Outlook.com mail service.
Julio Henrique Morimoto juliohm@gmail.com
I would hope that large systems are taking measures against theoretical systems that could theoretically guess 100 billion passwords a second, such as by using PBKDF2:
http://blog.agilebits.com/2011/05/05/defending-against-crackers-peanut-butter-keeps-dogs-friendly-too/
Now I await someone much more knowledgeable in this area to come in and tell me why I'm wrong. (I welcome it, too; I don't want to be wrong any longer than I have to be.)
If you can't convince them, convict them.
Dartmouth Time Sharing System allowed control characters in passwords. Control characters were actually preferred because they did not print on the Teletype terminals, so the system did not have to take time to overprint them.
It works, but it misleads you into thinking that your password is stronger than it really is.
It sounds like a case of Buffy coming by. You know. Buffy. Buffy? Buffy! Buffy Overflow! She is there to blow your stack! I suspect they are trimming to 16 so that they don't have to deal with Buffy blowing the stack. And hey! All you need to do is watch them uppercase your password too, and then 26^16 iterations can solve that bad boy (4.3x 10^22 combinations) in no time! A half decent computer can bust that bad boy in a few hours. Usually people wanting internet security want longer passwords. Microsoft has kits for law enforcement (to check your dental records and perform rectal probes). Is this policy related to that?
There aren't 171k common-use words in the English language. The number is closer to 50k, and for words that people would pick "randomly", I'd be surprised if it's even 5k. By the time you get anywhere near 171k you're including words like "adactylous" and "grugrus" that no one is going to think of using in a password. Source.
At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
I was here when Slashdot truncated our usernames after an arbitrary limit. I was originally "Lord Kano - The Gangster Of Love", then one day I log in and my username was shortened to "Lord Kano - The Gang" or some such. I had to get Taco to shorten it to its current form. That was a pain in the ass.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
this has also been happening to Technet & MSDN logins for a while now
trying to access https://msdn.microsoft.com/en-us/subscriptions/securedownloads/default.aspx (or the equivalent technet downloads page) you get redirected to a login page that starts with https://login.live.com/login.srf and that form only allows 16 chars
I went bonkers when it started to happen, a few months ago, but then I got used to it... this is the regular crap that's pulled by MS these days. :(
root@127.0.0.1
PS: the password field itself allows more than 16 chars, but if you enter more characters, when you try to login you get back a message telling you that the password is wrong. I can only login if I enter ONLY the first 16 chars.
root@127.0.0.1
such speed would require a die-speed interconnect.
You got one?
Operation Guillotine is in effect.
That's enough for hotmail !!
An AC makes a reasonable on topic first post with a more or less accurate entropy count (note that both sexconker and Immerman's posts are right; since most users will get a-z with first letter capitalized and a single numerical substitution you get about 26 variations per character + 2 bits for the substitution, which gets you less than five bits per character; of course if you use a password safe then you can use A-Za-z1-9 + about 20 - 30 punctuation characters depending on your keyboard, for about 90 characters giving you just over six bits). The only possible explanation that it gets modded to zero immediately is that it's anti-Microsoft and the shills are out with their large number of mod points as ever.
Now, for the next trick. If you store passwords as a hash, as you are supposed to, then there is no way to shorten them since without the end of the password you won't be able to make the hash match. This means that at least somewhere Hotmail is storing passwords in plaintext. That's actually a much worse breach than having limited passwords since there is no way for the user to overcome it.
AC's post was excellently insightful. It should be modded back up to infinity.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
My hotmail password has been limited to 16 characters for at least 3 years....
I hate to interrupt your bullshit with fully citable facts, but the OED says 171,476 in current use and 47,156 obsolete or deprecated.
Operation Guillotine is in effect.
Um... Not many really.
The hashing algorithm they use might have collisions past 16 characters anyway, so you'd get no added security out of extra characters, and you only hash and handle the hash from the first 16 characters.
A limit of 16 characters is theoretically a problem, but not really, since the vast majority of users aren't making passwords that long anyway.
Tell me again why it is terrible advice to use phrases?
Because you still have to remember which phrase goes with which site. If you're going to go through that trouble, why not just use a strong random password generator and store the result in a password safe?
Dewey, what part of this looks like authorities should be involved?
"Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!"
Unfortunately, so it is for the hacker trying to hack your account as well..
And on the Eighth Day, Man created God.
Just wait until you try logging into Hotmail if they migrated your account to "Outlook". I don't like the new look.
Doesn't that imply clear text storing? If an irreversible hash mechanism is used to store passwords then the clear text length wouldn't matter.
Ah yes, IMNSHO clear text password storing should be made a criminal offence!
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
If you can make 100 billion incorrect guesses in a second to a remote webpage, there's really only two things to say:
1. I want your internet connection.
2. Password strength is not the critical flaw of that particular site - rather they should look into some way of not letting people try 100 billion passwords in a second without getting delayed/locked out.
I hate to interrupt your bullshit, but the quintessential source of information on the English language begs to differ.
29,403,847,100 was the combinations, the number of words are 171,476.
But thanks for playing, even if you failed really hard.
It's feasible that the first time you log in since this was introduced that if the password validates then it gets truncated and the hash based on the first 16 characters is stored.
Once that's done any future password could be truncated to 16 and compared with the new hash based on the first 16...
That way you can safely transition from one form to another without passwords stored in plain text.
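The truncate-then-hash scheme and the one-time migration this comment sketches, as an added example in Python that is not from the article or any poster here; the store class, the PBKDF2 parameters, the 16-character limit as a constant and all sample passwords are assumptions or constructed values:

```python
import hashlib
import hmac
import os

MAX_LEN = 16          # the limit discussed in the thread
ITERATIONS = 100_000  # PBKDF2 work factor (assumed; any slow KDF would do)


def kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over exactly the characters it is given."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Keeps (salt, digest, scheme) per user; the plaintext is never retained.

    scheme == "full":      digest covers the whole password (legacy record)
    scheme == "truncated": digest covers password[:MAX_LEN] only
    """

    def __init__(self):
        self._records = {}

    def set_password(self, user, password, scheme="truncated"):
        salt = os.urandom(16)
        material = password[:MAX_LEN] if scheme == "truncated" else password
        self._records[user] = (salt, kdf(material, salt), scheme)

    def scheme(self, user):
        return self._records[user][2]

    def verify(self, user, candidate):
        """Check a login attempt; migrate a legacy record on its first success."""
        salt, digest, scheme = self._records[user]
        material = candidate[:MAX_LEN] if scheme == "truncated" else candidate
        ok = hmac.compare_digest(kdf(material, salt), digest)
        if ok and scheme == "full":
            # The plaintext exists only inside this request, so this is the
            # only moment a full-length hash can be replaced by a truncated one.
            self.set_password(user, candidate, scheme="truncated")
        return ok


def demo():
    """Runs both scenarios and returns the observations as a dict."""
    store = PasswordStore()
    # 1. A record that has always hashed only the first 16 characters: any
    #    candidate sharing that prefix verifies, whatever follows it.
    store.set_password("alice", "correct horse battery staple")   # constructed
    prefix_only = store.verify("alice", "correct horse ba")
    other_tail = store.verify("alice", "correct horse battery STAPLE!!")
    wrong_prefix = store.verify("alice", "Correct horse battery staple")
    # 2. A legacy full-length record: the prefix alone fails until the full
    #    password is presented once; that login re-hashes the truncated form.
    store.set_password("bob", "0123456789abcdefXYZ", scheme="full")  # constructed
    before = store.verify("bob", "0123456789abcdef")
    migrated = store.verify("bob", "0123456789abcdefXYZ")
    after = store.verify("bob", "0123456789abcdef")
    return {
        "prefix_only": prefix_only, "other_tail": other_tail,
        "wrong_prefix": wrong_prefix, "before_migration": before,
        "migrated": migrated, "after_migration": after,
        "bob_scheme": store.scheme("bob"),
    }
```

Note that the weakness a later comment points out survives: once a record is truncated, everything a user put after character 16 contributes nothing, so the prefix alone is the whole secret.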
We're talking about pre-existing passwords here. Truncating a pre-existing password to 16 characters requires that you obtain the password in plain text. If this is doable on the server-side as the summary implies, they have utterly failed at password hashing.
If you're going to post smartass pseudocode, at least make it mean something. You clearly have no idea what the OP is talking about, unless you're implying that the site should update users' passwords to the next thing they type into the password field.
Yeah this is completely true and it caused me a complete nightmare trying to get my Android phone with 3rd party mail app to connect to my Hotmail.
Took me a good few password changes to realise that the website was only using the first 16 and the app sending all characters which didn't match.
Lame having to choose a less secure password when using services from Ms. Even lamer that they didn't even provide any interface feedback on what had happened.
Alternately they match your long password against the hash, trim the password to the new length, and overwrite your old hash with a hash of the trimmed password.
The real question is how were they able to truncate your password if they used a hash?
was hinting at the fact that it implies that MS stores your passwords somewhere in plain text.
In other words, vulnerable for hack attacks.
"Trump!!", the new Godwin.
...If you store passwords as a hash, as you are supposed to, then there is no way to shorten them since without the end of the password you won't be able to make the hash match. This means that at least somewhere Hotmail is storing passwords in plaintext....
Why? Couldn't hotmail be first trimming the password to the right length and then creating the hash?
Not existing ones, so quit pissin' yer pants over how Microsoft dun did it with storing passwords in clear text and whatnot.
It's just like when they switched to a more reasonable password scheme some time ten years ago, they didn't force existing accounts to get longer passwords. My live id is still only 4 characters, all lower case.
It's been trimming passwords to the first 16 chars for a while now. I only found out because Messenger only allows 16 chars in the password field, and when I would paste from KeePass my (longer) password I had set in the website, I'd get a beep.
The hashing algorithm they use might have collisions past 16 characters anyway, so you'd get no added security out of extra characters, and you only hash and handle the hash from the first 16 characters.
A 128 bit hash doesn't have collisions. In theory it can, if the hash function is cracked then collisions can be created, but in practice there are just no collisions. And there are plenty of devices (iPhone for example), where using lots of digits, upper/lowercase etc. makes the password impractical to enter, so I'd rather use a long (>16 chars) string of lowercase characters and rely on length to produce bits.
My hotmail password was truncated to 16 chars over a decade ago. This isn't news. Amazing that there are 350 posts on this article and nobody pointed this out.
Here are some excerpts from the notes I took when creating accounts for various places. None of them are for Slashdot:
"Registration truncated the password and then emailed it to me."
"The password form said to use 8 to 6 chars, but seems to accept 20."
"Not a valid password (must be 6-12 characters, contain at least one letter, at least one number and no punctuation, symbols or spaces)"
"Passwords can't exceed 16 characters and causes a 'system error' when it contains non-alphanumeric characters. All this shit just for *****. Is it worth it?" UPDATE: It wasn't.
"Kept throwing a strange error. It turns out it wanted to be alphanumeric."
"Please use letters and numbers only."
"Can't exceed 10 characters in password."
"Truncated the password to 13 characters and failed to accept the full password."
They might have never used more than 16 characters, there is no reason for the server side implementation to use all the input given to it, even if it doesn't prompt.
just sayin'
Exactly. The fact that they can do this practically screams "We haven't bothered to implement even the most basic security precautions on our password database!" I mean come on - wasn't it established that storing recoverable passwords was a bad idea back in the text-only mainframe days? I could kind of understand it if it was some backwater site created by a high-school computer wiz, but Microsoft? Sigh. Yeah *sure* I'll trust your security software to keep my home PC safe - after all you're the company that did such a great job on the OS itself that running separate security software is practically mandatory.
The explanation is in an update at the end of the article. They have always just used the first 16 characters, and hashed that, and ignored any additional characters you enter. The only change here is that they don't anymore let you enter the additional characters that they ignored anyway.
Now, for the next trick. If you store passwords as a hash, as you are supposed to, then there is no way to shorten them since without the end of the password you won't be able to make the hash match. This means that at least somewhere Hotmail is storing passwords in plaintext. That's actually a much worse breach than having limited passwords since there is no way for the user to overcome it.
The article says they have always just used 16 characters and ignored additional entered, so the hash was always based on the "shortened" password.
They've always hashed only the first 16 characters. They've never stored passwords in cleartext (though I think they sent them in cleartext previously).
Learn to love Alaska
Or possibly they've been trimming the password all along, a la unix-style 8-character crypt.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Deliberately naming names to indict the guilty... :-|
Bendigo Bank here in Australia truncates your password to just 8 characters, and like several other banks that I have come across, it also disallows punctuation or whitespace characters. So just enough characters to spell "FuckMeUp".
At least they do have the grace to offer one-time-key widgets, (FWIW), at a price...
Had to change passwords because of these various changes!
With all the interesting stories slashdot users vote for waiting to be chosen, this and the last 4 or 5 are the lamest. I mean, the kindle isn't being sold at Walmart? Sheesh.
I was wrong, and a man should admit it when he's wrong. If I could retract my above post, I would. I kind of lost it, and shouldn't have posted, was over-tired and not feeling 'nerdy', I guess. And now that I've read the 350+ comments that have accumulated, I once again have learned much. 10 lashes with a wet noodle for me.
I apologize to the /. community, and to Timothy, for my blatant lapse of judgement. I won't allow myself to let this happen again. SF
I didn't need yet another reason NOT to use Hotmail, which I've never done, and most likely never will. However, you've gone ahead and provided me one. So, thanks. Why not make people's lives even easier, reducing the length and number of possible passwords even further, by just having your e-mail account holders type in their user names, and then giving them a multiple choice question, such as "what is your favorite color" and if they click the right one, they are logged in.
If I want my password to be "fuck the following companies, Apple, Microsoft, and SCO!!!" then I should be able to have that as my password. No one should be able to tell me what my password MUST be, and I particularly hate it when someone insists I have two "special characters", two numbers, two capital letters, etc. as part of my password. If I am allowed to have an only eight character long password, the insistence that two characters each must be from some set only means each character has another 26 or maybe 36 or 40 possible states, which only marginally increases security.
A password in all lowers, that is 8 characters long, has 26^8 possible words, or 208,827,064,576 combinations, starting with aaaaaaaa and ending with zzzzzzzz.
A password in mixed case and the same length, has 52^8 possible words, or 53,459,728,531,456 combinations, that's only 256 times as many.
A password in all lowers again, that is 16 characters long, has 26^16 possible words, or 43,608,742,899,428,874,059,776 combinations, you fucking Microsoft dumbasses. LONGER PASSWORDS ARE BETTER, ones that have a bunch of bullshit requirements for special characters are a pain in the ass. Far from contributing to security, they're hard to remember prompting some people (I once surveyed) the more complicated the password is required to be, the greater the odds that the average person will write it down somewhere, or several places, and that REDUCES security, Probably a lot more than the benefit recognized by using a greater number of letters/characters to begin with.
If all you know about my password is that it is at least 8 characters, you would have a tough time getting, "fuck the following companies, Apple, Microsoft, and SCO!!!" by brute force or guessing, since you'd have to get the capitalization right, you'd have to get the punctuation right, and my hypothetical password, (or more appropriately pass-PHRASE) is about 60 characters long, including spaces, which count too. Now since I am (or should be) at liberty to use capital letters and punctuation, pretty much anything I can enter into my computer, and have no real arbitrary limit on length, let's see... 52 + 20+ 12 for the letters in both cases, numbers and punctuation above them, and a dozen for other marks the keyboard has, and I have 84^60 which gives me about 2.86 * 10 ^ 115 possible combinations, that's a lot higher than the Hotmail limit, and if I seem annoyed about someone with no business imposing arbitrary conditions and restraints on me and what I want to do, usually for idiotic reasons. I just tried to buy a gas can, and now they come in many assorted kinds but the thing they all have in common is that they all feature a CPSC mandated do-hickey in the spout that is supposed to reduce leaks, but actually it causes the container to leak, which is really fucking retarded. Think about it.
Yep, but what are they "saving" by this? Storage, when they could change the algo for less storage without changing the actual password? Bandwidth, by having users log in with fewer characters? ...
This is as fishy as Apple not allowing spaces in iTunes passwords
What if the hashed value that was previously stored was already the truncated form of the password? It doesn't follow that Hotmail must be using plaintext passwords.
Or they just were already only storing 16 and are now telling you about it.
16 characters ought to be enough for anybody.
;-)
methinks he mean cracking locally...
Which isn't ever likely to be an issue for your hotmail password. While there are some leaks of password hashes now and then out there on the net, they are pretty rare compared to how many sites that require you to authorize. Saying that your hotmail password has to protect against offline cracking is a bit like saying your car should protect you from meteor strikes.
Shill shill shill. Get aids and die you fucking bozo.
Too right and that's why my password for a lot of sites is 'mypassword'.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
I agree....password length should be infinite. Why? Reason is to keep hackers from figuring out your password. and when the special characters are allowed.....it throws a complete loop on a hacker's time to access these types of passwords....ergo "SAFER THAN ALL OTHERS" Longer and more different characters that's created same way Roboform creates using an algorithm using capitals, lower case letters , numbers and special characters. The longer the harder for a hacker. Maybe Microsoft is tired of trying to hack into these accounts............rotfl Shortening the passwords makes it easier for a hacker......DUH. Shouldn't take a rocket scientist to figure out that one. My 2 cents worth: a7%6j2#45%9kut%7ki8*9lifc#n6rc#,0plo See how hard that one would be to figure out. It would take the hacker over a million years to figure it out,,,,he would long be dead before his machine blew a circuit too.......lol
If you store passwords as a hash, as you are supposed to, then there is no way to shorten them since without the end of the password you won't be able to make the hash match. This means that at least somewhere Hotmail is storing passwords in plaintext.
Or that they've always silently thrown away anything past the 16th character.
This used to be the case with old Unix passwords too, except that the limit was 8 characters: if your password was hunter123, you could log in with hunter12, hunter124, etc.
CJ
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
How do Hotmail manage to shorten an existing password? I mean, unless Hotmail store the clear text version of the password all they have is a hash or something, and they can't work out a shorter version of the cleartext password from the hash ... can they?
This hotmail crap makes me laugh. CIBC's own iPhone app limits the password to 8 characters, simply ignoring the rest.
I emailed them about it and the reply was "security is our main focus".
And you worry about 16 char password for an email account...
and i'll show you mine
Assuming a perfectly distributed hash for the purpose, and that your passwords have 64 valid letters, and your password hashes are the equivalent of a 16 byte string, you are guaranteed to have more than one password string that hashes to the same hash string - 256^16 < 64^22. There may be passwords with no collisions, you cannot say that all passwords would have no collisions.
Parent may have been assuming that the password box allowed any ascii character, in which case 256^16 < 256^(16+n) (where n > 0), which would also guarantee that at least some hashes would have colliding passwords.
If the hash is hex encoded and only takes up 16 characters in that state, then it gets even worse.
Can you be Even More Awesome?!
Just turn on their two-factor authentication protocol, then you can use a somewhat shorter password and still be confident that your account is safe.
What's that? You say they don't offer two-factor auth? Umm... what year is this? My gaming accounts offer two-factor, why in the world would anyone use an e-mail service -- given that your e-mail account tends to be the master key to all of your other on-line accounts via the "reset password" process -- which doesn't?
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Ditto "At least they warn you"
Suddenly, "Invalid Password"!
Work with tech support for hours.
Reset to original long password. Fail.
Reset to short password. Success.
Reset to original long password. Fail.
Tech support elevates problem to Ivory Tower.
Ivory Tower: "What's your password?"
16 character password.
"Well, there's your problem. We just limited passwords to 12 characters."
"Did you tell anyone?"
"No. Why should we?"
Must. Control. Fist. Of. Death.
Wait a minute! What happened to auto-truncate? We used auto-truncate XX years ago!
And in fact I entered an 11 letter long one when I signed up, but they shortened it to 6 letters.. I don't know if it continues to accept the rest of the letters invisibly, but it only shows asterisks for the first 6 letters.. And this is after (this worldwide famous bank) implemented their recent "improvements" in security...
Everyone here knows Microsoft is notorious for POOR security. Only allowing 16 character passwords now is not a surprise to me. But I couldn't believe how insecure they really could get until I started working on a project with my company to integrate Microsoft's Dynamic CRM (in the cloud) to a new application we are building. I was APPALLED to learn the ONLY way Microsoft will let you do "secure" web service calls from CRM is using HTTP Basic Auth (over HTTPS if you wish - oh gee how nice of them). They are even unable to do WSSecurity - in fact they don't support it. Gee how many people here couldn't rip apart Basic Auth and get the username/password? I'm sure very few couldn't. Now if you host Microsoft's CRM "in house" you can do more to secure your web service calls - but host it in the cloud and you're screwed!
The Truth is a Virus!!!
If hotmail tells you to only use the 16 first characters of your password, doesn't that mean that they store passwords as passwords and not as hashes? There is no way they can tell the hash value of a shortened variant of a password if the password is not stored somehow.
http://www.tamersahin.com/mssecrets/hotmail.html TL;DR it was not easy!
I figured that, but that's a hard assertion to make, because the password has to be passed in final form from the inputted text box through the hashing algorithm no matter what - ideally that operation is atomic and not interceptable, but you can't construct a hash character by character (at least not that I know of), so you have to take the whole input somewhere and then hash it. Somewhere along the line the whole input has to exist in memory.
This has been the case for at least a year, probably longer:
http://www.blackberry.com/btsc/KB19709
Dan.
I just signed up for a service for my dog and my password could only be 6-8 characters. I couldn't believe it!
This is the correct answer. Hotmail passwords have always been truncated after the 16th character.
http://windows.microsoft.com/en-us/windows-live/microsoft-account-password-16-characters
What the fuck does it mean to be "compliant" with a comic strip?
The same thing it means to be compliant with an HTTP error code: it's figurative language. But because I understand that people with certain mental conditions have trouble understanding figurative language, here's a literal version: The developer of the web site's user account system appears to have recognized the way of making passphrases expressed in the comic as a valid way of making passphrases with sufficient entropy.
limits to 8 characters..!
I made a 32 character long randomly generated password, and despite Amazon saying it was accepted, it never worked. They told me I would have to call and tell one of their employees the password I wanted to use.
Can't believe Mi
yes; apparently so; it still shows total stupidity (if someone puts most of their entropy at the end of the password you really lose) but means that their security is not getting worse.
Without spoofing the browserID to something mobile the high bandwidth needed for preloading all those emails in a presumably inefficient fashion means that you won't be checking spammail from a connection with packet loss or low bandwidth anymore (abroad on WiFi or Internet cafes)
So it's not the first time we've seen functionality reduced. Also a shame for people using IMAP or pop3 where longer passwords can make more sense.
A blog I run for the wealth
my bank only allows 5 chars (alphanum)
For years I used a long password at Vanguard. Then I discovered they only use the first 10 characters. So not only do they use weak passwords, they don't even tell you. You could have a long password, but if the first 10 were easily guessed or socially engineered, you wouldn't even know it.
Uhm. Did you actually read the GPs comment? My reply makes perfect sense in that context.
Supposedly hotmail is now running on Windows 2012 as a dogfooding measure. But before hotmail was acquired by MS and for a fair bit after, most if not all infrastructure was (?net)BSD based. So, is the password issue a leftover artifact from the BSD days that MS is just being more forthright about now, or is this a limitation of Windows 2012?
Also, imagine Theo laughing in a corner while reading this...
Actually, hashes would match if characters after the first 16 were dropped in the original password capture process.
What would not match in that scenario would be the full longer password. In this scenario, it actually makes sense to automatically drop all characters after the first 16.
And look mom, no plaintext passwords stored anywhere.
Am I the only one that gets the hunter2 reference? http://www.bash.org/?244321