Hotmail No Longer Accepts Long Passwords, Shortens Them For You

An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.

Hah! Take that, my bank!

12 letters, no special characters my ass.

No, you may not know which bank I use.

Re:Hah! Take that, my bank!

[rwa2]

At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.

Nah, they'd never do that at a reputable large financial institution... like, say, www.americanexpress.com

Maybe they somehow figured out how to make money from handling fraud claims?

Re:Hah! Take that, my bank!

[Anrego]

Stupid as this whole thing is, Microsoft does make one good point.

With the ease of phishing and harvesting passwords from other services where the user has used the same one.. who is gonna bother brute forcing a password.

It's like if your car has a notoriously easy to pick lock.. but you park in a parking lot where no one else even bothers locking theirs (and some have even had their doors removed for even more convenience..)

Re:Hah! Take that, my bank!

[Anrego]

It's kind of a back and forth game..

You can't outright block access to an account after a certain number of tries because that creates an easy way to denial of service (someone can lock you out of your account just by entering a few bogus passwords). So you either block after a certain number of failed attempts (at which point botnets come into play) or install a captcha (at which point standard spam-level anti-captcha stuff comes into play.

But my original point was that there are so many much easier ways to get accounts, why is anyone going to go through all that trouble.

There is an argument for brute forcing when someone has broken into a server and stolen a list of hashed passwords (as then they can crank away at them all they want) so limiting to 16 chars kinda makes that a bit easier.. but I still think given hotmails user base they could easily just check against hashes for "password123" and get more than enough hits to make it not worth going further...

Re:Hah! Take that, my bank!

[roc97007]

> Nah, they'd never do that at a reputable large financial institution... like, say, www.americanexpress.com

Yeah. As you probably know, when you activate an AmEx corporate card, they require you to create a pin, and the voicemail says to use something you will remember, like the month/day of your mom's birthday.

The automated system will actually REJECT a pin that is not a valid month/day. (Well cool. 366 total possibilities. That's not easy to brute-force at all.) I futzed with the system until I got a real person, and insisted I wanted to use a randomly generated number instead (which didn't happen to be a valid month/day). He said he couldn't do that, it had to be a date. He asked me for my mom's birthday and said he would set it to that. (My theory is that they do this to cut down on service calls.) I pointed out that this string could be uncovered by anyone with facebook access. He said that this is what it had to be. I went over his head. Eventually I found someone with the authority to set the pin to a string of my choosing. As far as I know, I'm the only AmEx card holder who has a pin set to something other than the customer's mother's birthday.

This information (that AmEx has this requirement), could be of huge use to phishers were it ever, you know, published in a public forum.

Re:Hah! Take that, my bank!

[metalmonkey]

americanexpress was the worst, the 'Set password' page input field was limited to the maximum number of characters however the 'Login' page was not.

So if my password is: 'myreallylongpassword', it would appear accept my password. But it would be only only use 'myreallylong' as input.
When I go to login and enter 'myreallylongpassword' it took the whole password as input and denied me access, since it didn't equal to 'myreallylong'.

I went through quite a few password resets before I figured this out.

Re:Hah! Take that, my bank!

[Aaron+B+Lingwood]

The only Australian bank that I use has the following setup-
Login: Primary Account Number
Password: 5 characters, A-Z 0-9 (no lower case)
Account locks after 3 incorrect attempts.

As a measure against the key-logger, the password is entered by clicking on a virtual keyboard which repositions itself on the screen randomly after each click.
Can not login without Javascript enabled. This measure is useless on mobile devices though as the virtual keyboard fills the entire screen and thus can not be repositioned. If an attacker found a chink in the armour that would allow multiple password attempts without locking the account (likely, as this appears to be done in script), a brute-force will likely succeed in a very short amount of time.

On the plus-side, I am informed of ALL login attempts and transactions via SMS and must login and enter a one-time-pad to authorize larger transactions. I am also given the previous login time and date upon login and a separate code is required to add a new payee or for overseas transfers.

AOL Used to....

Along time ago I had a 10 character password that ended with some numbers for an AOL account. I fumbled the numbers at the end of the password once, aware of such, but hit login anyway and it still let me in. I tested and confirmed it not to care what numbers were at the end of the password. Later it was revealed that AOL was just making a Hash of the first 8 characters of the users password, so it really didn't matter what you entered past the 8th char because it would be trimmed before computing the hash....

Why have such short limits?

[Paradigm_Complex]

As fun as it is to bash Microsoft, they're not the only ones who do this. Presumably there is some technical reason why this is done, but I am at a loss for what this would be. Would someone be able to explain to me the reason why such limits are put in place?

It seems with modern computer capability that absurdly long passwords would be trivial. The hashed password length would be the same irrelevant, so I can't see storage space as the issue. The only other idea which comes to my mind is the computational difficulty of hashing the passwords, but even that has to be trivial by today's standards, even with millions of users hitting the servers. Why not go overboard and just allow several kilobytes worth of password?

Re:Why have such short limits?

[bertok]

Every time I see any kind of password length limit somewhere, I instinctively know that somewhere behind the scenes there is this table column:

    user_password VARCHAR(16) NOT NULL

It's the same sinking feeling I get when I see the "the following special characters cannot be used in the password field" error message, which just tells me immediately that the code that submits the password field looks like:

    $cmd = "UPDATE ... user_password='" + $password + "' ... "

There really, really needs to be a "guild of programmers" or somesuch, along the lines of the Bar Association, so that anybody who writes code like the above can be summarily ejected from it.

As opposed to...

[tepples]

As opposed to the sign-up page at Phil's Hobby Shop, which pretty much advertises that it's 936-compliant.

Banks just as bad

[Asmor]

TD Bank, my current bank, has the following password requirements:

6-32 characters, no spaces, alphanumeric + the following symbols only: [list of characters removed because /. thought it was spam; it was a fairly short list, though. Didn't even include an asterisk]

Additionally, back when I signed up for online banking with them, I filled in a bunch of garbage for the security questions because security questions are just an attack vector, and I don't forget my passwords (I highly recommend KeePass for managing passwords, it's amazing).

Anyways, a few years ago I went to log in and was prompted to answer a security question. Wtf? I had to call customer service to get my security questions reset. Now, if they don't recognize the device, or every so often, in addition to password you need to answer a security question.

This means that I'm forced to either give real answers that I'll remember (and that anyone else could figure out to hijack my account), bogus answers that I can try to memorize, or garbage that I write down and hang onto.

I also recall, around 10 years ago, I was using Bank of America and they had a limit of either 12 or 16 characters on your passwords.

Of course, my email, web hosting, and even my fucking World of Warcraft use actual two-factor authentication, with phone apps that generate codes that are only good for around 30 seconds, and outside of a man-in-the-middle attack they're practically bulletproof. Why the fuck can't my online banking be as secure as them?

Re:Clearly

[UnknownSoldier]

I've posted about this in the past http://slashdot.org/comments.pl?sid=3001279&cid=40757735

> Inconsistent password policies for length, characters and expiry date.

We _really_ need standards for passwords & passphrases: minimum LENGTH and SYMBOLS included.

If you site can't handles passwords / passphrases around ~ 96 characters long with the characters (space) 0x20 - 0x7E, your site is *broken*.

The same crap with usernames. Stop limiting me to a max username length of 12 characters A-Z,a-z because your shitty architect / programmer / DB guy doesn't have a clue about security.

I propose a multi-tiered system with a schema like:
            NAME#@%
            PASS#@%

Where
    # is the max length allowed * 16
    @ represents which glyphs are allowed to be. Higher is better, which each level including the characters from the previous set
A = A-Z (0x41-0x5A)
B = a-z (0x61-0x7A)
C = 0-9 (0x30-0x39)
D = space,!-/ (0x20-0x2F)
E = :-@ (0x3A-0x40)
F = [-` (0x5B-0x60)
G = {-~ (0x7B-0x7E)
% is the number of months the password is valid for.

Examples:
NAME1C0 is 16 characters, in range: A-Z,a-z,0-9, 0 = never expires
PASS6G3 is 6*16 = 96 characters, in range 0x20 .. 0x7E, expires in 3 months

Then we flame & shame the idiots, er sites, that use crappy username and password polices.

Maybe time for RFC ?

I generate my passwords

My password is thus: SHA1 HMAC( PW, domain + salt ) -- Output as Base64 (where + is concatenation). I use this method because I can recreate the password at any time from anywhere. I don't rely on anyone else's password systems, I just use this simple algorithm which I can implement on any machine with the simple cryptographic primitives (hashed message authentication code, and a hash). I get a different password for each site, while using the same password everywhere. I change the salt and/or main password every so often, and only have to remember the current and last PW as I migrate to the new password as I run into sites I use.

At first I created a table within the bookmarklette that would allow me to set additional rules for passwords, limit length, use a different set of characters for the base64 output -- The hash would be filtered on a per site basis to comply with all the bullshit. I could deal with such shortcomings five or ten years ago, but not today. Synchronizing the booklmarklette defeats the purpose of using a simple algorithm. If a site won't accept something like: NzE1YWViMGQwMjU3NWRlNmI3ZDQ0NTQ0NzI4MjE3MGU5YzRlMWY3NiAgLQo= as a password then I just don't use the service.

I'll never use any Microsoft products, so I'll have to rely on others to discover: I imagine MS would simply ignore characters beyond the new limit? If not it would surely break password entry systems like my own or even saved password mechanic in all browsers... Including IE. It wouldn't surprise me if MS did break password entry for long saved passwords -- Smart folks who are security aware aren't their target audience.

Re:How were they storing the passwords before?

[VTI9600]

From TFA:

[...] this can only mean one of two things, according to Kaspersky:

        Store full plaintext passwords in their database and then compare the first 16 chars only.
        Calculate the hash only on the first 16 and ignore the rest.

I’m fairly certain Microsoft isn’t stupid enough to go with the first option. Storing passwords in clear text would be a disaster,

I wouldn't doubt for a second that MS would go with the first option. They are, after all, competing with Yahoo :-) Also, wasn't it Microsoft that came up with the oxymoronical term "reversible encryption"?

On the other hand, Hotmail was originally built on FreeBSD by non-MS types, so who knows? To this day I still find it amusing to think of all the difficulty they must have had porting the platform to Windows.

Re:When this happens...

[Obfuscant]

Him: "You need to specify a list of every character that is allowed in the text field, otherwise I cannot program it." Me: [Facepalm]

The developer is right. You are trying to enforce an ambiguous requirement. "All of them, at least the printable ones" is not specific. "Printable" assumes a font. In the symbol font (as found on Winders) there are a lot of "printable" characters that don't show up on a keyboard. Since they are mapped into the same binary values, how do you differentiate?

"My password has a an "upside down A" but you are accepting a double quote and letting me log in. It's broke!"

This is not a trivial issue. It appears that someone has had the same kind of conversation with some web developers regarding proper email addresses.

Him: "What characters should be allowed in an email address?"

Boss: "Anything that is in an email address."

Him: "Hmmm, ok, all I've ever seen are A-Za-z0-9.- and one '@'. That's what I'll code.

Me: "Hey, your website it broken, it doesn't accept valid email addresses! Don't you idiots bother to read the RFC for internet messaging when you program this stuff?"

Him: "It works fine with my address."

Me: "It's broken AND HERE IS HOW TO CHANGE THE JAVASCRIPT CODE TO FIX IT."

Him: "How did you get ahold of our proprietary javascript code?"

Do you see the problem?

Re:Clearly

[Sarten-X]

You are not the only one, and that's sad.

While the comic has a pretty poor explanation, the theory is sound: A four-word phrase offers more options (and therefore more protection against a brute-force attack) than an 8-character password, for even a very small dictionary. In fact, the number of options is so drastically larger that it more than compensates for any alterations to the password, like adding numbers or misspelling.

Of course, the number of options is expanded even further when the password may not actually be a phrase. Maybe the password is really just a 30-digit section of pi. An attacker must try that (and every other number combination) too, so the brute-force strength of a long phrase password is still higher than a shorter random password.

For a comic, the strip is perfectly valid. A longer (though simpler) password is vastly stronger against brute-force attacks than a shorter one, even though the shorter one looks weirder.

Note, though, that the strip does not account for attacks other than brute-force, but phrases are still usually better. An attacker physically standing in your office will quickly recognize that a jumbled mess of letters and punctuation taped to your monitor is a password, but an obscure quote attributed to someone he's never heard of is just another office decoration. Even against phishing attacks or plaintext storage hacks, a long phrase is no less secure than a shorter password, since it's not the password that's being attacked.

Easy-stop on brute forcing

[Immerman]

Actually it's not that hard to "outsmart" brute-forcing - two simplistic ways are to insert a verification delay (artificial or computational depending on the situation) so that brute force attempts will generally takes months or years to succeed, or just block any attacker that makes multiple attempt faster than a human could reasonably be expected to. Even a really lax limit like blocking an attacking IP for a day after five failed attempts in a minute will block upwards of 90% of brute-force attempts and probably won't effect legitimate users at all.

Think of it as somewhat analogous to being the doorman at a speakeasy or illegal gamblng joint - you know, the guy in the movies that spends all night opening the tiny window and saying "Password?". It not exactly hard for him to tell when someone is just repeatedly knocking on the door and guessing wildly and politely ask him to leave while they still only have a few broken ribs.

Re:if they used a hash...?

[galaad2]

PS: the password field itself allows more than 16 chars, but if you enter more characters, when you try to login you get back a message telling you that the password is wrong. I can only login if i enter ONLY the first 16 chars.

Re:Slashdot has a limit to

[AK+Marc]

Often it's due to single sign on, and it has to work on 100 different legacy systems. But yes, I've been told one place to set my password to 6 alpha characters and 2 numbers. I have no idea what would or wouldn't work, and the combinations I tried matching the published rules didn't work, but adopting the 6+2 scheme generated a valid password. Because of the 60 day pwd expiration, and no repeats in the last 12 passwords, everyone does 6 alpha in lower case, and numbers 1-12, rotated. It is roughly as secure as just 6 chars and no numbers, but no, we have to have the numbers and the short-ish expiration. I am of the opinion that expiring passwords leads to less password re-use, but less password entropy as well. For where that tradeoff gets us for security, I have no idea.