Slashdot Mirror
Hotmail No Longer Accepts Long Passwords, Shortens Them For You
An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
That's enough for hotmail !!
Along time ago I had a 10 character password that ended with some numbers for an AOL account. I fumbled the numbers at the end of the password once, aware of such, but hit login anyway and it still let me in. I tested and confirmed it not to care what numbers were at the end of the password. Later it was revealed that AOL was just making a Hash of the first 8 characters of the users password, so it really didn't matter what you entered past the 8th char because it would be trimmed before computing the hash....
Umm, TFA says that Hotmail has never accepted passwords longer than 16 characters - it used to silently truncate them. The only thing that's changed is that Hotmail is now letting you know that it's truncating the password.
Well, in the Bad Old Days, Unix passwords could only be 8 characters, later extended to 16. Less concerned with the original scheme, more with the fact that Microsoft may be using password algorithms from the 1980s.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
RTFA and you learn that they've only been storing the first 16 characters for years, letting you type away in vain. Otherwise they'd have to produce new hashes for the "shorter" passwords that they expect users to use now. (There's no such thing as reading the first 16 digits of a hashed password).
Who in their right mind would trust anything sensitive enough to require a 16 character password to Hotmail?
Any insufficiently advanced magic is indistinguishable from technology.
As fun as it is to bash Microsoft, they're not the only ones who do this. Presumably there is some technical reason why this is done, but I am at a loss for what this would be. Would someone be able to explain to me the reason why such limits are put in place?
It seems with modern computer capability that absurdly long passwords would be trivial. The hashed password length would be the same irrelevant, so I can't see storage space as the issue. The only other idea which comes to my mind is the computational difficulty of hashing the passwords, but even that has to be trivial by today's standards, even with millions of users hitting the servers. Why not go overboard and just allow several kilobytes worth of password?
"A witty saying proves nothing." - Voltaire
At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
Nah, they'd never do that at a reputable large financial institution... like, say, www.americanexpress.com
Maybe they somehow figured out how to make money from handling fraud claims?
As opposed to the sign-up page at Phil's Hobby Shop, which pretty much advertises that it's 936-compliant.
Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.
Tell me again why it is terrible advice to use phrases?
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
I've posted about this in the past http://slashdot.org/comments.pl?sid=3001279&cid=40757735
My password is thus: SHA1 HMAC( PW, domain + salt ) -- Output as Base64 (where + is concatenation). I use this method because I can recreate the password at any time from anywhere. I don't rely on anyone else's password systems, I just use this simple algorithm which I can implement on any machine with the simple cryptographic primitives (hashed message authentication code, and a hash). I get a different password for each site, while using the same password everywhere. I change the salt and/or main password every so often, and only have to remember the current and last PW as I migrate to the new password as I run into sites I use.
At first I created a table within the bookmarklette that would allow me to set additional rules for passwords, limit length, use a different set of characters for the base64 output -- The hash would be filtered on a per site basis to comply with all the bullshit. I could deal with such shortcomings five or ten years ago, but not today. Synchronizing the booklmarklette defeats the purpose of using a simple algorithm. If a site won't accept something like: NzE1YWViMGQwMjU3NWRlNmI3ZDQ0NTQ0NzI4MjE3MGU5YzRlMWY3NiAgLQo= as a password then I just don't use the service.
I'll never use any Microsoft products, so I'll have to rely on others to discover: I imagine MS would simply ignore characters beyond the new limit? If not it would surely break password entry systems like my own or even saved password mechanic in all browsers... Including IE. It wouldn't surprise me if MS did break password entry for long saved passwords -- Smart folks who are security aware aren't their target audience.
The question that should be asked is, "What's a 'Special Character' and why shouldn't it be allowed in a password?"
I had this argument with a developer the other day.
Him: "What characters should be allowed in this text field?"
Me: "Um, How about all of them, at least the printable ones."
Him: "What about special characters?"
Me: "Give me an example."
Him: "The ! sign"
Me: "What's so special about that? I can type it? I use it at the end of some sentences when I'm angry. Why would you not allow it?"
Him: "What about non-latin characters?"
Me: "What, are they special too?"
Him: "You need to specify a list of every character that is allowed in the text field, otherwise I cannot program it."
Me: [Facepalm]
etc..
There doesn't seem to be any compelling security reason to exclude certain characters from eligibility for use in a password.
Him: "You need to specify a list of every character that is allowed in the text field, otherwise I cannot program it." Me: [Facepalm]
The developer is right. You are trying to enforce an ambiguous requirement. "All of them, at least the printable ones" is not specific. "Printable" assumes a font. In the symbol font (as found on Winders) there are a lot of "printable" characters that don't show up on a keyboard. Since they are mapped into the same binary values, how do you differentiate?
"My password has a an "upside down A" but you are accepting a double quote and letting me log in. It's broke!"
This is not a trivial issue. It appears that someone has had the same kind of conversation with some web developers regarding proper email addresses.
Him: "What characters should be allowed in an email address?"
Boss: "Anything that is in an email address."
Him: "Hmmm, ok, all I've ever seen are A-Za-z0-9.- and one '@'. That's what I'll code.
Me: "Hey, your website it broken, it doesn't accept valid email addresses! Don't you idiots bother to read the RFC for internet messaging when you program this stuff?"
Him: "It works fine with my address."
Me: "It's broken AND HERE IS HOW TO CHANGE THE JAVASCRIPT CODE TO FIX IT."
Him: "How did you get ahold of our proprietary javascript code?"
Do you see the problem?
> Nah, they'd never do that at a reputable large financial institution... like, say, www.americanexpress.com
Yeah. As you probably know, when you activate an AmEx corporate card, they require you to create a pin, and the voicemail says to use something you will remember, like the month/day of your mom's birthday.
The automated system will actually REJECT a pin that is not a valid month/day. (Well cool. 366 total possibilities. That's not easy to brute-force at all.) I futzed with the system until I got a real person, and insisted I wanted to use a randomly generated number instead (which didn't happen to be a valid month/day). He said he couldn't do that, it had to be a date. He asked me for my mom's birthday and said he would set it to that. (My theory is that they do this to cut down on service calls.) I pointed out that this string could be uncovered by anyone with facebook access. He said that this is what it had to be. I went over his head. Eventually I found someone with the authority to set the pin to a string of my choosing. As far as I know, I'm the only AmEx card holder who has a pin set to something other than the customer's mother's birthday.
This information (that AmEx has this requirement), could be of huge use to phishers were it ever, you know, published in a public forum.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
You are not the only one, and that's sad.
While the comic has a pretty poor explanation, the theory is sound: A four-word phrase offers more options (and therefore more protection against a brute-force attack) than an 8-character password, for even a very small dictionary. In fact, the number of options is so drastically larger that it more than compensates for any alterations to the password, like adding numbers or misspelling.
Of course, the number of options is expanded even further when the password may not actually be a phrase. Maybe the password is really just a 30-digit section of pi. An attacker must try that (and every other number combination) too, so the brute-force strength of a long phrase password is still higher than a shorter random password.
For a comic, the strip is perfectly valid. A longer (though simpler) password is vastly stronger against brute-force attacks than a shorter one, even though the shorter one looks weirder.
Note, though, that the strip does not account for attacks other than brute-force, but phrases are still usually better. An attacker physically standing in your office will quickly recognize that a jumbled mess of letters and punctuation taped to your monitor is a password, but an obscure quote attributed to someone he's never heard of is just another office decoration. Even against phishing attacks or plaintext storage hacks, a long phrase is no less secure than a shorter password, since it's not the password that's being attacked.
You do not have a moral or legal right to do absolutely anything you want.
The real question is how were they able to truncate your password if they used a hash?
americanexpress was the worst, the 'Set password' page input field was limited to the maximum number of characters however the 'Login' page was not.
So if my password is: 'myreallylongpassword', it would appear accept my password. But it would be only only use 'myreallylong' as input.
When I go to login and enter 'myreallylongpassword' it took the whole password as input and denied me access, since it didn't equal to 'myreallylong'.
I went through quite a few password resets before I figured this out.
Actually it's not that hard to "outsmart" brute-forcing - two simplistic ways are to insert a verification delay (artificial or computational depending on the situation) so that brute force attempts will generally takes months or years to succeed, or just block any attacker that makes multiple attempt faster than a human could reasonably be expected to. Even a really lax limit like blocking an attacking IP for a day after five failed attempts in a minute will block upwards of 90% of brute-force attempts and probably won't effect legitimate users at all.
Think of it as somewhat analogous to being the doorman at a speakeasy or illegal gamblng joint - you know, the guy in the movies that spends all night opening the tiny window and saying "Password?". It not exactly hard for him to tell when someone is just repeatedly knocking on the door and guessing wildly and politely ask him to leave while they still only have a few broken ribs.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
We understand what he means, but if you did not read the update here you go
This doesn’t mean that your password has been shortened. Actually, Windows Live ID passwords were always limited to 16 characters—any additional password characters were ignored by the sign-in process. When we changed “Windows Live ID” to “Microsoft account,” we also updated the sign-in page to let you know that only the first 16 characters of your password are necessary. To avoid this error message in the future, you only need to enter the first 16 characters of your password.
Exactly. The fact that they can do this practically screams "We haven't bothered to implement even the most basic security precautions on our password database!" I mean come on - wasn't it established that storing recoverable passwords was a bad idea back in the text-only mainframe days? I could kind of understand it if it was some backwater site created by a high-school computer wiz, but Microsoft? Sigh. Yeah *sure* I'll trust your security software to keep my home PC safe - after all you're the company that did such a great job on the OS itself that running separate security software is practically mandatory.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
The real question is how were they able to truncate your password if they used a hash?
Maybe they always truncated the password, just didn't tell you.
That's enough for hotmail !!
An AC makes a reasonable on topic first post with a more or less accurate entropy count (note that both sexconker and Immerman's posts are right; since most users will get a-z with first letter capitalized and a single numerical substiution you get about 26 variations per character + 2 bits for the substitution that gets you less than five bits per character; of course if you use a password safe then you can use A-Za-z1-9 + about 20 - 30 punctuation characters depending on your keyboard, for about 90 characters giving you just over six bits). The only possible explanation that it gets modded to zero immediately is that it's anti-Microsoft and the shills are out with their large number of mod points as ever.
Now, for the next trick. If you store passwords as a hash, as you are supposed to, then there is no way to shorten them since without the end of the password you won't be able to make the hash match. This means that at least somewhere Hotmail is storing passwords in plaintext. That's actually a much worse breach than having limited passwords since there is no way for the user to overcome it.
AC's post was excellently insightful. It should be modded back up to infinity.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
It's feasible that the first time you log in since this was introduced that if the password validates then it gets truncated and the has based on the first 16 characters is stored.
Once that's done any future password could be truncated to 16 and compared with the new hash based on the first 16...
That way you can safely transition from one for to another without passwords stored in plain text.