Hotmail No Longer Accepts Long Passwords, Shortens Them For You
An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
Clearly (Score:2, Informative)
Somebody hasn't read the relevant xkcd.
Ummm, nothing new here.... (Score:5, Informative)
Umm, TFA says that Hotmail has never accepted passwords longer than 16 characters - it used to silently truncate them. The only thing that's changed is that Hotmail is now letting you know that it's truncating the password.
Huh. (Score:5, Informative)
Well, in the Bad Old Days, Unix passwords could only be 8 characters, later extended to 16. Less concerned with the original scheme, more with the fact that Microsoft may be using password algorithms from the 1980s.
How were they storing the passwords before? (Score:5, Informative)
Re:16 x 5 bits = 80 BIT !! (Score:2, Informative)
Where in the hell do you get 5 bits from?
A-Za-z alone gets you past that (52), add in 0-9 and some symbols and you'll be well past 64 (2^6).
My KeePass database lists my Hotmail address's password as having 99 bits of entropy.
Re:Clearly (Score:3, Informative)
http://xkcd.com/936/
Re:You need more than 16 char (Score:5, Informative)
Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 [oxforddictionaries.com] possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.
Tell me again why it is terrible advice to use phrases?
Re:You need more than 16 char (Score:0, Informative)
2 random words used for simple passphrase
29,403,847,100^2 = 864,586,224,280,178,410,000 combinations
You must live in a fun world where 8.64E20/1E11 equals 0.3
Re:When this happens... (Score:4, Informative)
you open up the crypto library on your system as a potential attack vector.
If your crypto library cannot hash an arbitrarily-long string of arbitrary binary data, then it's a very bad crypto library. Or, more likely, you are using it stupidly.
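An added example (my own code, not from the article, from any commenter, or from Microsoft) contrasting the silent 16-character truncation described in the summary with a salted KDF that hashes the whole password, plus a self-check a site operator can run against their own registration and login code to find out whether it truncates. The "legacy" store uses SHA-256 of the truncated string only as a stand-in; the page does not say what Hotmail actually used.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 16  # the limit reported for Hotmail / Windows Live ID

def _b(s):
    """Accept str or bytes; a real KDF must handle arbitrary binary input."""
    return s if isinstance(s, bytes) else s.encode("utf-8")

# --- model of the reported behaviour: characters past the limit are ignored ---
def legacy_register(password):
    # SHA-256 of the truncated password is a stand-in (assumption, not Hotmail's scheme)
    return hashlib.sha256(_b(password)[:LEGACY_LIMIT]).hexdigest()

def legacy_login(record, attempt):
    return hmac.compare_digest(record, legacy_register(attempt))

# --- what a site should do: salted PBKDF2-HMAC-SHA256 over the entire password ---
ROUNDS = 100_000

def kdf_register(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", _b(password), salt, ROUNDS)

def kdf_login(record, attempt):
    salt, digest = record
    return hmac.compare_digest(
        digest, hashlib.pbkdf2_hmac("sha256", _b(attempt), salt, ROUNDS))

def silently_truncates(register, login, limit=LEGACY_LIMIT):
    """Self-check for your own auth code: register a password longer than `limit`,
    then log in with a string that shares only its first `limit` characters.
    A correct implementation rejects the second string."""
    base = "correct horse battery staple"          # constructed sample, 28 chars
    other = base[:limit] + "#" * (len(base) - limit)
    assert base != other
    return login(register(base), other)

if __name__ == "__main__":
    print("legacy truncates:", silently_truncates(legacy_register, legacy_login))
    print("kdf truncates:   ", silently_truncates(kdf_register, kdf_login))
```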
Re:if they used a hash...? (Score:5, Informative)
We understand what he means, but if you did not read the update, here you go:
This doesn’t mean that your password has been shortened. Actually, Windows Live ID passwords were always limited to 16 characters—any additional password characters were ignored by the sign-in process. When we changed “Windows Live ID” to “Microsoft account,” we also updated the sign-in page to let you know that only the first 16 characters of your password are necessary. To avoid this error message in the future, you only need to enter the first 16 characters of your password.
Re:When this happens... (Score:4, Informative)
Look at an ASCII table sometime.
The first 0x20 characters, plus 0x7F, are "non-printable" or "control" characters, having no visual representation in any "standard" font, instead having some effect on the system - NUL, start-of-header, start-of-text, end-of-text, enquiry, acknowledge, bell, backspace, tab, line feed, vertical tab, form feed, carriage return, shift out, shift in, data link escape, device codes 1-4, and a few others I can't remember. The other 0x5F are "printable" - they actually show some character on the screen. That includes everything from space to ~, literally.
Those are official terms. ISO encodings and Unicode add more printing and non-printing characters, but they all have the same base. And I suppose EBCDIC has its own set of control characters, incompatible with ASCII et al (although if you're basing your password system on "what EBCDIC allows", you fail on at least a dozen levels already).
Re:Hah! Take that, my bank! (Score:2, Informative)
And you expected anything better from MS? The same company whose flagship OS not only uses an unsalted hash for storing user passwords, but actually allows you to authenticate using just the hash without ever knowing the original plaintext, thus making the hash itself the plaintext password?