Hotmail No Longer Accepts Long Passwords, Shortens Them For You

An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
  • Clearly (Score:2, Informative)

    by Narnie ( 1349029 ) on Friday September 21, 2012 @08:00PM (#41417031)

    Somebody hasn't read the relevant xkcd.

  • by Anonymous Coward on Friday September 21, 2012 @08:01PM (#41417047)

    Umm, TFA says that Hotmail has never accepted passwords longer than 16 characters - it used to silently truncate them. The only thing that's changed is that Hotmail is now letting you know that it's truncating the password.

  • Huh. (Score:5, Informative)

    by jd ( 1658 ) on Friday September 21, 2012 @08:02PM (#41417059) Homepage Journal

    Well, in the Bad Old Days, Unix passwords could only be 8 characters, later extended to 16. Less concerned with the original scheme, more with the fact that Microsoft may be using password algorithms from the 1980s.

  • by halexists ( 2587109 ) on Friday September 21, 2012 @08:04PM (#41417095)

    RTFA and you learn that they've only been storing the first 16 characters for years, letting you type away in vain. Otherwise they'd have to produce new hashes for the "shorter" passwords that they expect users to use now. (There's no such thing as reading the first 16 digits of a hashed password).

  • by sexconker ( 1179573 ) on Friday September 21, 2012 @08:08PM (#41417143)

    Where in the hell do you get 5 bits from?
    A-Za-z alone gets you past that (52), add in 0-9 and some symbols and you'll be well past 64 (2^6).

    My KeePass database lists my Hotmail address's password as having 99 bits of entropy.

  • Re:Clearly (Score:3, Informative)

    by Anonymous Coward on Friday September 21, 2012 @08:11PM (#41417175)

  • by ATMAvatar ( 648864 ) on Friday September 21, 2012 @08:32PM (#41417377) Journal

    Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.

    Tell me again why it is terrible advice to use phrases?

  • by Anonymous Coward on Friday September 21, 2012 @09:55PM (#41417983)

    29,403,847,100 possible words
    2 random words used for simple passphrase

    29,403,847,100^2 = 864,586,224,280,178,410,000 combinations

    You must live in a fun world where 8.64E20/1E11 equals 0.3
  • by blueg3 ( 192743 ) on Friday September 21, 2012 @10:34PM (#41418277)

    you open up the crypto library on your system as a potential attack vector.

    If your crypto library cannot hash an arbitrarily-long string of arbitrary binary data, then it's a very bad crypto library. Or, more likely, you are using it stupidly.

  • by amiller2571 ( 2571883 ) on Friday September 21, 2012 @11:09PM (#41418467) Homepage

    We understand what he means, but if you did not read the update here you go

    This doesn’t mean that your password has been shortened. Actually, Windows Live ID passwords were always limited to 16 characters—any additional password characters were ignored by the sign-in process. When we changed “Windows Live ID” to “Microsoft account,” we also updated the sign-in page to let you know that only the first 16 characters of your password are necessary. To avoid this error message in the future, you only need to enter the first 16 characters of your password.
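
    The truncation the comments above describe (the Anonymous Coward's and halexists's reading of TFA, and the Microsoft update amiller2571 quotes), as an added example that is not Microsoft's code: a password store that cuts the secret to 16 characters before hashing, beside one that hashes the whole string. The PBKDF2 parameters, the sample passphrase and the candidate list are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Added example, not Microsoft's code. Two verifiers: one that keeps only the
# first 16 characters (the Windows Live ID limit quoted in the thread) and one
# that hashes everything. Hashing parameters are illustrative assumptions.
ITERATIONS = 100_000
TRUNCATE_AT = 16


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, truncate: bool, salt: Optional[bytes] = None) -> dict:
    """Create the stored record. With truncate=True only the first 16
    characters ever reach the hash; the rest is discarded, not stored."""
    salt = salt or os.urandom(16)
    secret = password[:TRUNCATE_AT] if truncate else password
    return {"salt": salt, "hash": _digest(secret, salt), "truncate": truncate}


def verify(record: dict, candidate: str) -> bool:
    """Sign-in check. A truncating store must cut the candidate the same way,
    which is exactly why any string sharing the first 16 characters signs in."""
    secret = candidate[:TRUNCATE_AT] if record["truncate"] else candidate
    return hmac.compare_digest(_digest(secret, record["salt"]), record["hash"])


def accepted_variants(password: str, truncate: bool) -> List[str]:
    """Constructed candidates: the real password, its 16-character prefix,
    that prefix with junk appended, and a 15-character prefix. Returns the
    ones the store accepts."""
    record = enroll(password, truncate)
    prefix = password[:TRUNCATE_AT]
    candidates = [password, prefix, prefix + "xxxxxxxx", password[:TRUNCATE_AT - 1]]
    return [c for c in candidates if verify(record, c)]


if __name__ == "__main__":
    pw = "correct horse battery staple"  # 28 characters
    print("truncating store accepts:  ", accepted_variants(pw, truncate=True))
    print("full-length store accepts: ", accepted_variants(pw, truncate=False))
```

    The truncating store accepts the full passphrase, its first 16 characters, and the prefix with anything appended, while the full-length store accepts only the real password. It also shows why the limit could not simply be raised for existing accounts: the stored digest never covered more than 16 characters, so a longer limit can only take effect for passwords set after the change.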

  • by gman003 ( 1693318 ) on Friday September 21, 2012 @11:54PM (#41418657)

    Look at an ASCII table sometime.

    The first 0x20 characters, plus 0x7F, are "non-printable" or "control" characters, having no visual representation in any "standard" font, instead having some effect on the system - NUL, start-of-header, start-of-text, end-of-text, enquiry, acknowledge, bell, backspace, tab, line feed, vertical tab, form feed, carriage return, shift out, shift in, data link escape, device codes 1-4, and a few others I can't remember. The other 0x5F are "printable" - they actually show some character on the screen. That includes everything from space to ~, literally.

    Those are official terms. ISO encodings and Unicode add more printing and non-printing characters, but they all have the same base. And I suppose EBCDIC has its own set of control characters, incompatible with ASCII et al (although if you're basing your password system on "what EBCDIC allows", you fail on at least a dozen levels already).
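
    An added example, not from any commenter, of the search-space arithmetic the thread argues over: bits per character of gman003's 95 printable ASCII characters (which answers sexconker's question about 2^6), ATMAvatar's two-word count, the roughly 0.3 seconds the later Anonymous Coward alludes to at 1e11 guesses per second, and what a 16-character cap keeps of a longer passphrase. The dictionary size and guess rate are the commenters' figures; the sample passphrase is constructed.

```python
import math
from typing import List, Optional

# Added example, not from the thread. ASCII classes as gman003 gives them:
# 0x00-0x1F and 0x7F are control characters; the other 0x5F (95) code
# points, space through '~', print.
CONTROL = set(range(0x00, 0x20)) | {0x7F}
PRINTABLE = "".join(chr(c) for c in range(0x80) if c not in CONTROL)


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one uniformly chosen character from the alphabet."""
    return math.log2(alphabet_size)


def random_password_bits(length: int, alphabet_size: int, cap: Optional[int] = None) -> float:
    """Entropy of a uniformly random password. If the verifier truncates at
    `cap` characters, anything beyond it never enters the hash and adds nothing."""
    effective = length if cap is None else min(length, cap)
    return effective * bits_per_char(alphabet_size)


def passphrase_count(num_words: int, dictionary_size: int) -> int:
    """Ordered word sequences without repetition (ATMAvatar's 171,476 x 171,475)."""
    total = 1
    for i in range(num_words):
        total *= dictionary_size - i
    return total


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every candidate."""
    return candidates / guesses_per_second


def words_surviving_cap(phrase: str, cap: int) -> List[str]:
    """Whole words that fit inside the first `cap` characters; a word cut in
    the middle is dropped. This is all a truncating verifier actually checks."""
    words = phrase[:cap].split(" ")
    if len(phrase) > cap and phrase[cap] != " ":
        words = words[:-1]  # the word at the cut is incomplete
    return [w for w in words if w]


if __name__ == "__main__":
    print(f"{len(PRINTABLE)} printable chars, {bits_per_char(len(PRINTABLE)):.2f} bits each")
    n = passphrase_count(2, 171_476)  # the commenter's dictionary size
    print(f"two words: {n:,} candidates, {math.log2(n):.1f} bits, "
          f"{seconds_to_exhaust(n, 1e11):.2f} s at 1e11 guesses/s")
    print("28 random printable chars under a 16-char cap:",
          f"{random_password_bits(28, 95, cap=16):.1f} bits")
    print("words a 16-char cap keeps:", words_surviving_cap("correct horse battery staple", 16))
```

    Two points fall out that the comments only gesture at: a 16-character cap bounds even a perfectly random printable-ASCII password at about 105 bits, so sexconker's 99-bit KeePass estimate is close to the ceiling rather than above it, and a four-word phrase of ordinary word lengths has only two whole words inside the first 16 characters, which is the two-word search space ATMAvatar sizes.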

  • by Bert64 ( 520050 ) on Saturday September 22, 2012 @01:58AM (#41419069) Homepage

    And you expected anything better from MS? The same company whose flagship OS not only uses an unsalted hash for storing user passwords, but actually allows you to authenticate using just the hash without ever knowing the original plaintext, thus making the hash itself the plaintext password?
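
    An added example, not Microsoft's code and not from the thread, of the two properties Bert64 raises. The NT hash is MD4 over the UTF-16LE password with no salt, so two accounts with the same password store the same value; and NTLMv2 keys its challenge-response with that hash, so anyone holding the hash can answer without the password. The MD4 below is a from-scratch RFC 1320 implementation (hashlib's md4 is often unavailable); the challenge-response is simplified (assumption: the real NTLMv2 blob also carries a timestamp and target information); the accounts, challenge, client blob and salted alternative are constructed.

```python
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python)."""
    bit_len = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash: MD4 of the UTF-16LE password. No salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """Simplified NTLMv2 proof (assumption: the real blob carries more fields).
    The input is the NT hash; the password itself is never needed."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    proof = hmac.new(key, server_challenge + client_blob, "md5").digest()
    return proof + client_blob


def server_accepts(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """The server holds the same NT hash and recomputes the 16-byte proof."""
    proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, blob)[:16]
    return hmac.compare_digest(proof, expected)


def salted_record(password: str, salt: bytes) -> bytes:
    """Contrast: a salted, iterated hash. Same password, different salt, different record."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def pass_the_hash_demo() -> dict:
    """Constructed scenario: alice and bob share a password; the attacker holds
    only alice's NT hash (as dumped from a SAM or NTDS store), no plaintext."""
    pw = "Summer2012!"
    alice_nt, bob_nt = nt_hash(pw), nt_hash(pw)
    challenge = bytes.fromhex("0123456789abcdef")             # constructed server nonce
    blob = b"\x01\x01" + b"\x00" * 6 + b"attacker-nonce"       # constructed client blob
    response = ntlmv2_response(alice_nt, "alice", "CORP", challenge, blob)
    return {
        "unsalted_equal": alice_nt == bob_nt,
        "salted_equal": salted_record(pw, b"\x01" * 16) == salted_record(pw, b"\x02" * 16),
        "accepted_with_hash_only": server_accepts(alice_nt, "alice", "CORP", challenge, response),
    }


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print(pass_the_hash_demo())
```

    With no salt, every account using the same password yields the same NT hash, so one precomputed table cracks all of them; and because the response is a keyed function of the hash, a dumped hash is sufficient to authenticate, which is the pass-the-hash point the comment makes.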
