Hotmail No Longer Accepts Long Passwords, Shortens Them For You
An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
Who in their right mind would trust anything sensitive enough to require a 16 character password to Hotmail?
Any insufficiently advanced magic is indistinguishable from technology.
Most website authentication systems use a hash to store passwords. The unhashed string is formed from a salt, some unchanging record information (such as the user's username, or date of registration), and the user's plaintext password. During the hashing process, all of this gets distilled down to a fixed length string regardless of the complexity of the password. Thus, a lengthy password is not necessarily more secure than a short but sufficiently complex password. Any site worth their salt (pun intended) will lock an account after a number of failed logins anyway. The majority of compromised accounts come from successful phishing and social engineering, not from randomly guessing passwords. Now, encryption on the other hand should use a very strong and long password.
Seriously who THE FUCK cares?
Uh, the guy who wants to crack your password.
Don't give a shit what color hat he has on, this dumbass move is making his life a lot easier regardless.
The question that should be asked is, "What's a 'Special Character' and why shouldn't it be allowed in a password?"
I had this argument with a developer the other day.
Him: "What characters should be allowed in this text field?"
Me: "Um, How about all of them, at least the printable ones."
Him: "What about special characters?"
Me: "Give me an example."
Him: "The ! sign"
Me: "What's so special about that? I can type it? I use it at the end of some sentences when I'm angry. Why would you not allow it?"
Him: "What about non-latin characters?"
Me: "What, are they special too?"
Him: "You need to specify a list of every character that is allowed in the text field, otherwise I cannot program it."
Me: [Facepalm]
etc.
There doesn't seem to be any compelling security reason to exclude certain characters from eligibility for use in a password.
This is, well, stupid. I don't even know my own passwords. I have so many of them and they are so long with so many special characters that it would be impossible to keep up. I keep them in KeePass and just copy/paste them in the text box (it deletes the clipboard). Why place such a restriction on passwords when it is more important now than ever?
UNIX operating systems used to do that, too. This was happening as recently as early releases of OSX. Only eight characters of passwords were significant.
Any site worth their salt (pun intended) will lock an account after a number of failed logins anyway. The majority of compromised accounts come from successful phishing and social engineering, not from randomly guessing passwords.
That second fact is the reason why your first sentence is incorrect. Locking an account after a certain number of failed login attempts introduces a kind of denial of service attack on the site (at least, denying that particular user access) while not actually stopping any feasible attack vector. It's the kind of security flaw you see implemented by coders that don't really understand security. Preventing too many attempts in too short a time is a security feature. Locking an account after too many attempts is a security flaw. You might as well just give hackers an input field where they can type in the name of any legitimate user they want to lock out of a system illegitimately.
"Convictions are more dangerous enemies of truth than lies."
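The distinction the post above draws, rate-limiting versus hard lockout, as an added illustration (not code from the thread or from any Hotmail implementation); the account name, the window, the free-attempt count and the fake clock are all constructed for the demo:

```python
import time
from collections import defaultdict, deque

WINDOW = 60.0      # seconds over which failures are counted (constructed value)
FREE_TRIES = 5     # failures tolerated in the window before slowing down

class LoginThrottle:
    """Slows repeated failures without ever shutting the real owner out."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW:     # forget failures older than the window
            q.popleft()
        return q

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now).append(now)

    def wait_seconds(self, account) -> float:
        """Seconds the next attempt must wait; 0.0 means it is accepted now."""
        now = self.clock()
        q = self._prune(account, now)
        excess = len(q) - FREE_TRIES
        if excess < 0:
            return 0.0
        delay = min(2 ** excess, 30)         # backoff 1s, 2s, 4s ... capped at 30s
        return max(0.0, delay - (now - q[-1]))

class AccountLockout:
    """The policy the post criticises: N failures and the owner is locked out too."""
    def __init__(self):
        self.fails = defaultdict(int)
    def record_failure(self, account):
        self.fails[account] += 1
    def is_locked(self, account) -> bool:
        return self.fails[account] >= FREE_TRIES

def demo():
    t = [0.0]                                # fake clock so the demo is deterministic
    throttle, lockout = LoginThrottle(clock=lambda: t[0]), AccountLockout()
    for _ in range(6):                       # six wrong guesses against "alice"
        throttle.record_failure("alice")
        lockout.record_failure("alice")
    wait_now = throttle.wait_seconds("alice")     # throttled: 2.0 s of backoff
    t[0] += WINDOW + 1                            # a minute later the owner returns
    wait_later = throttle.wait_seconds("alice")   # window expired: 0.0, she gets in
    return wait_now, wait_later, lockout.is_locked("alice")  # lockout still True
```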
That doesn't say anything about how it's stored in the database.
The real question is how were they able to truncate your password if they used a hash?
Also, wasn't it Microsoft that came up with the oxymoronical term "reversible encryption"?
You're perhaps thinking of hashing. Reversibility is pretty much a requirement for encryption.
Exactly. The fact that they can do this practically screams "We haven't bothered to implement even the most basic security precautions on our password database!" I mean come on - wasn't it established that storing recoverable passwords was a bad idea back in the text-only mainframe days? I could kind of understand it if it was some backwater site created by a high-school computer wiz, but Microsoft? Sigh. Yeah *sure* I'll trust your security software to keep my home PC safe - after all you're the company that did such a great job on the OS itself that running separate security software is practically mandatory.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
The real question is how were they able to truncate your password if they used a hash?
Maybe they always truncated the password, just didn't tell you.
That's enough for hotmail!!
An AC makes a reasonable on-topic first post with a more or less accurate entropy count (note that both sexconker and Immerman's posts are right; since most users will get a-z with first letter capitalized and a single numerical substitution you get about 26 variations per character + 2 bits for the substitution that gets you less than five bits per character; of course if you use a password safe then you can use A-Za-z1-9 + about 20 - 30 punctuation characters depending on your keyboard, for about 90 characters giving you just over six bits). The only possible explanation that it gets modded to zero immediately is that it's anti-Microsoft and the shills are out with their large number of mod points as ever.
Now, for the next trick. If you store passwords as a hash, as you are supposed to, then there is no way to shorten them since without the end of the password you won't be able to make the hash match. This means that at least somewhere Hotmail is storing passwords in plaintext. That's actually a much worse breach than having limited passwords since there is no way for the user to overcome it.
AC's post was excellently insightful. It should be modded back up to infinity.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
It's feasible that, the first time you log in since this was introduced, if the password validates then it gets truncated and the hash based on the first 16 characters is stored.
Once that's done any future password could be truncated to 16 and compared with the new hash based on the first 16...
That way you can safely transition from one form to another without passwords stored in plain text.
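The migration the post above describes, worked through as an added example (this is illustrative code, not anything from the thread or from Hotmail): the record starts as a salted PBKDF2 hash over the full password, the first successful login after the cutover re-hashes only the first 16 characters, and every later login truncates the input before comparing. The sample password, salt size and iteration count are constructed; the last return value shows the cost of the scheme, namely that anything sharing the first 16 characters then verifies.

```python
import hashlib
import hmac
import os

TRUNC = 16            # new significant length, as in the story
ITERATIONS = 100_000  # constructed PBKDF2 work factor

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def new_record(password: str) -> dict:
    """Pre-cutover record: hash covers the whole password, no truncation."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "truncated": False}

def login(record: dict, entered: str) -> bool:
    """Verify; on the first success after the cutover, re-hash the 16-char prefix."""
    candidate = entered[:TRUNC] if record["truncated"] else entered
    if not hmac.compare_digest(_pbkdf2(candidate, record["salt"]), record["hash"]):
        return False
    if not record["truncated"]:
        # The full password is in hand only at this moment, so migrate now:
        # a fresh salt and a hash over the prefix, never the plaintext itself.
        record["salt"] = os.urandom(16)
        record["hash"] = _pbkdf2(entered[:TRUNC], record["salt"])
        record["truncated"] = True
    return True

def demo() -> dict:
    pw = "correct horse battery staple"      # constructed 28-character sample
    rec = new_record(pw)
    return {
        "prefix_before": login(rec, pw[:TRUNC]),          # False: full-length hash
        "full_migrates": login(rec, pw),                  # True, record now truncated
        "prefix_after": login(rec, pw[:TRUNC]),           # True: only 16 chars matter
        "full_after": login(rec, pw),                     # True: long input still works
        "same_prefix_other_tail": login(rec, pw[:TRUNC] + "zzz"),  # True: the downside
        "wrong_prefix": login(rec, "x" + pw),             # False
        "record_truncated": rec["truncated"],
    }
```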