Slashdot Mirror
Hotmail No Longer Accepts Long Passwords, Shortens Them For You
An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
Who in their right mind would trust anything sensitive enough to require a 16 character password to Hotmail?
Any insufficiently advanced magic is indistinguishable from technology.
The question that should be asked is, "What's a 'Special Character' and why shouldn't it be allowed in a password?"
I had this argument with a developer the other day.
Him: "What characters should be allowed in this text field?"
Me: "Um, How about all of them, at least the printable ones."
Him: "What about special characters?"
Me: "Give me an example."
Him: "The ! sign"
Me: "What's so special about that? I can type it? I use it at the end of some sentences when I'm angry. Why would you not allow it?"
Him: "What about non-latin characters?"
Me: "What, are they special too?"
Him: "You need to specify a list of every character that is allowed in the text field, otherwise I cannot program it."
Me: [Facepalm]
etc..
There doesn't seem to be any compelling security reason to exclude certain characters from eligibility for use in a password.
The real question is how were they able to truncate your password if they used a hash?
That's enough for hotmail !!
An AC makes a reasonable on topic first post with a more or less accurate entropy count (note that both sexconker and Immerman's posts are right; since most users will get a-z with first letter capitalized and a single numerical substiution you get about 26 variations per character + 2 bits for the substitution that gets you less than five bits per character; of course if you use a password safe then you can use A-Za-z1-9 + about 20 - 30 punctuation characters depending on your keyboard, for about 90 characters giving you just over six bits). The only possible explanation that it gets modded to zero immediately is that it's anti-Microsoft and the shills are out with their large number of mod points as ever.
Now, for the next trick. If you store passwords as a hash, as you are supposed to, then there is no way to shorten them since without the end of the password you won't be able to make the hash match. This means that at least somewhere Hotmail is storing passwords in plaintext. That's actually a much worse breach than having limited passwords since there is no way for the user to overcome it.
AC's post was excellently insightful. It should be modded back up to infinity.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
It's feasible that the first time you log in since this was introduced that if the password validates then it gets truncated and the has based on the first 16 characters is stored.
Once that's done any future password could be truncated to 16 and compared with the new hash based on the first 16...
That way you can safely transition from one for to another without passwords stored in plain text.