Hotmail No Longer Accepts Long Passwords, Shortens Them For You
An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
As fun as it is to bash Microsoft, they're not the only ones who do this. Presumably there is some technical reason why this is done, but I am at a loss for what this would be. Would someone be able to explain to me the reason why such limits are put in place?
It seems with modern computer capability that absurdly long passwords would be trivial. The hashed password length would be the same regardless, so I can't see storage space as the issue. The only other idea which comes to my mind is the computational difficulty of hashing the passwords, but even that has to be trivial by today's standards, even with millions of users hitting the servers. Why not go overboard and just allow several kilobytes worth of password?
"A witty saying proves nothing." - Voltaire
My password is thus: SHA1 HMAC( PW, domain + salt ) -- Output as Base64 (where + is concatenation). I use this method because I can recreate the password at any time from anywhere. I don't rely on anyone else's password systems, I just use this simple algorithm which I can implement on any machine with the simple cryptographic primitives (hashed message authentication code, and a hash). I get a different password for each site, while using the same password everywhere. I change the salt and/or main password every so often, and only have to remember the current and last PW as I migrate to the new password as I run into sites I use.
At first I created a table within the bookmarklet that would allow me to set additional rules for passwords, limit length, use a different set of characters for the base64 output -- The hash would be filtered on a per site basis to comply with all the bullshit. I could deal with such shortcomings five or ten years ago, but not today. Synchronizing the bookmarklet defeats the purpose of using a simple algorithm. If a site won't accept something like: NzE1YWViMGQwMjU3NWRlNmI3ZDQ0NTQ0NzI4MjE3MGU5YzRlMWY3NiAgLQo= as a password then I just don't use the service.
I'll never use any Microsoft products, so I'll have to rely on others to discover: I imagine MS would simply ignore characters beyond the new limit? If not it would surely break password entry systems like my own or even saved password mechanic in all browsers... Including IE. It wouldn't surprise me if MS did break password entry for long saved passwords -- Smart folks who are security aware aren't their target audience.
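An added example, not part of the comment above and not the commenter's bookmarklet: it derives a per-site password the way the comment describes and compares a verifier that keeps the full password with one that keeps only the first 16 characters, as the story describes. Assumptions: the master password is the HMAC key and domain + salt is the message, the sample inputs are constructed, and the toy verifier uses plain SHA-256 for brevity.

```python
import base64
import hashlib
import hmac
import math

LIMIT = 16  # the 16-character cap described in the story


def derive_site_password(master: str, domain: str, salt: str) -> str:
    """Base64(HMAC-SHA1(key=master, msg=domain + salt)), per the comment.

    Assumption: the master password is the HMAC key and domain + salt
    is the message; the comment does not say which argument is which.
    """
    mac = hmac.new(master.encode(), (domain + salt).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def store(password: str, truncate: bool) -> bytes:
    """Toy verifier record: hash of the (optionally truncated) password.

    SHA-256 keeps the demo short; a real service would use a salted,
    slow password hash. The truncation effect is the same either way.
    """
    if truncate:
        password = password[:LIMIT]
    return hashlib.sha256(password.encode()).digest()


def verify(record: bytes, attempt: str, truncate: bool) -> bool:
    return hmac.compare_digest(record, store(attempt, truncate))


def base64_bits(n_chars: int) -> float:
    """Upper bound on entropy carried by n_chars base64 characters."""
    return n_chars * math.log2(64)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    pw = derive_site_password("correct horse", "example.com", "2012a")
    other = pw[:LIMIT] + "x" * (len(pw) - LIMIT)  # same prefix, different tail
    for truncate in (False, True):
        rec = store(pw, truncate)
        print(f"truncate={truncate}: prefix-only={verify(rec, pw[:LIMIT], truncate)}, "
              f"altered-tail={verify(rec, other, truncate)}")
    print(f"{len(pw)} chars derived (160-bit MAC), "
          f"{base64_bits(LIMIT):.0f} bits survive a {LIMIT}-char cap")
```

With truncation on, every string sharing the first 16 characters authenticates, so the 28-character derived password carries at most 96 bits at such a site.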
> Nah, they'd never do that at a reputable large financial institution... like, say, www.americanexpress.com
Yeah. As you probably know, when you activate an AmEx corporate card, they require you to create a pin, and the voicemail says to use something you will remember, like the month/day of your mom's birthday.
The automated system will actually REJECT a pin that is not a valid month/day. (Well cool. 366 total possibilities. That's not easy to brute-force at all.) I futzed with the system until I got a real person, and insisted I wanted to use a randomly generated number instead (which didn't happen to be a valid month/day). He said he couldn't do that, it had to be a date. He asked me for my mom's birthday and said he would set it to that. (My theory is that they do this to cut down on service calls.) I pointed out that this string could be uncovered by anyone with Facebook access. He said that this is what it had to be. I went over his head. Eventually I found someone with the authority to set the pin to a string of my choosing. As far as I know, I'm the only AmEx card holder who has a pin set to something other than the customer's mother's birthday.
This information (that AmEx has this requirement) could be of huge use to phishers were it ever, you know, published in a public forum.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.