Hotmail No Longer Accepts Long Passwords, Shortens Them For You
An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
Somebody hasn't read the relevant xkcd.
greed@All_Evils:~#
Umm, TFA says that Hotmail has never accepted passwords longer than 16 characters - it used to silently truncate them. The only thing that's changed is that Hotmail is now letting you know that it's truncating the password.
Well, in the Bad Old Days, Unix passwords could only be 8 characters, later extended to 16. Less concerned with the original scheme, more with the fact that Microsoft may be using password algorithms from the 1980s.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
RTFA and you learn that they've only been storing the first 16 characters for years, letting you type away in vain. Otherwise they'd have to produce new hashes for the "shorter" passwords that they expect users to use now. (There's no such thing as reading the first 16 digits of a hashed password).
Where in the hell do you get 5 bits from?
A-Za-z alone gets you past that (52), add in 0-9 and some symbols and you'll be well past 64 (2^6).
My KeePass database lists my Hotmail address's password as having 99 bits of entropy.
Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.
Tell me again why it is terrible advice to use phrases?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
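An added example (not from the thread, and not Microsoft's actual scheme) that works through both points above: the two-word passphrase count from the post, and a small model of a backend that silently keeps only the first 16 characters, with a black-box check a site operator can run against their own login to see whether the verifier truncates. The PBKDF2 hash and the 16-character limit are constructed stand-ins.

```python
import hashlib
import hmac
import math
import secrets

# Word counts quoted in the thread: 171,476 common-use words for the first
# slot, 171,475 distinct choices left for the second.
VOCAB = 171_476

def passphrase_search_space(words=2, vocab=VOCAB):
    """Ordered phrases of `words` distinct words drawn from `vocab` words."""
    space = 1
    for i in range(words):
        space *= vocab - i
    return space

def entropy_bits(search_space):
    """Bits an attacker must cover to exhaust `search_space` guesses."""
    return math.log2(search_space)

class PasswordStore:
    """Single-user store. `limit` models a backend that silently keeps only
    the first `limit` characters (constructed; not Hotmail's real scheme)."""

    def __init__(self, limit=None):
        self.limit = limit
        self.salt = secrets.token_bytes(16)
        self.digest = None

    def _hash(self, password):
        kept = password if self.limit is None else password[:self.limit]
        return hashlib.pbkdf2_hmac("sha256", kept.encode(), self.salt, 10_000)

    def set_password(self, password):
        self.digest = self._hash(password)

    def verify(self, password):
        return hmac.compare_digest(self.digest, self._hash(password))

def detect_truncation(store, probe="correct horse battery staple"):
    """Black-box check against your own login: register a long probe, then
    try a password with the same 16-char prefix but a different tail.
    True means the verifier is ignoring everything after the prefix."""
    store.set_password(probe)
    tampered = probe[:16] + "NOT THE SAME TAIL"
    return store.verify(tampered)
```

With the truncating store, the 28-character passphrase above effectively becomes "correct horse ba", so the 34.8 bits of the two-word space only hold if the words fit inside the limit.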
29,403,847,100 possible words
2 random words used for simple passphrase
29,403,847,100^2 = 864,586,224,280,178,410,000 combinations
You must live in a fun world where 8.64E20/1E11 equals 0.3
you open up the crypto library on your system as a potential attack vector.
If your crypto library cannot hash an arbitrarily-long string of arbitrary binary data, then it's a very bad crypto library. Or, more likely, you are using it stupidly.
We understand what he means, but if you did not read the update here you go
This doesn’t mean that your password has been shortened. Actually, Windows Live ID passwords were always limited to 16 characters—any additional password characters were ignored by the sign-in process. When we changed “Windows Live ID” to “Microsoft account,” we also updated the sign-in page to let you know that only the first 16 characters of your password are necessary. To avoid this error message in the future, you only need to enter the first 16 characters of your password.
Look at an ASCII table sometime.
The first 0x20 characters, plus 0x7F, are "non-printable" or "control" characters, having no visual representation in any "standard" font, instead having some effect on the system - NUL, start-of-header, start-of-text, end-of-text, enquiry, acknowledge, bell, backspace, tab, line feed, vertical tab, form feed, carriage return, shift out, shift in, data link escape, device codes 1-4, and a few others I can't remember. The other 0x5F are "printable" - they actually show some character on the screen. That includes everything from space to ~, literally.
Those are official terms. ISO encodings and Unicode add more printing and non-printing characters, but they all have the same base. And I suppose EBCDIC has its own set of control characters, incompatible with ASCII et al (although if you're basing your password system on "what EBCDIC allows", you fail on at least a dozen levels already).
And you expected anything better from MS? The same company whose flagship OS not only uses an unsalted hash for storing user passwords, but actually allows you to authenticate using just the hash without ever knowing the original plaintext, thus making the hash itself the plaintext password?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!