For years, Microsoft has been secretly limiting online passwords to 16 characters — despite leading users to believe otherwiseSeptember 24, 2012 2 Email article | Print article
When you register for a new Outlook.com e-mail address, you are told your password can be a maximum of sixteen characters. While there are, of course, security implications with limiting passwords to sixteen characters, what is worse is how Microsoft has been lying to us for years.
You see while Outlook.com tells you that your password can only be sixteen or less characters long, Hotmail allowed users to enter significantly longer passwords. The kicker is Hotmail only used the first sixteen digits of a password to authenticate an account; so even if you had, say, a twenty-five character password, your password for Hotmail was really only the first sixteen digits of those twenty-five characters. And since Microsoft linked Hotmail accounts to its other services through Windows Live, most of its other online services behaved the same way. Confused? Let me explain by example.
Let’s say your Hotmail password was 20-character long password. Whenever you would go to Hotmail, it seemed like typing in your twenty character password would allow you access to your account, but what actually happened is Hotmail discarded all characters after sixteen and only used the first sixteen digits of your 20-character password as the password for your account. So despite you thinking your account is protected by the strength of twenty characters, it was (is) only protected by the strength of sixteen characters.
A response by a Microsoft spokesperson to this discovery is proclaiming “sixteen characters has been the limit for years now” and claiming that Microsoft research backs up their password policy:
Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways. However, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords.
While the spokesperson didn’t specify why exactly Microsoft didn’t allow longer passwords, Eric Doerr, Microsoft program manager for Microsoft accounts, hinted in a blog post back in July that the reason Microsoft limits passwords to sixteen characters is because of compatibility with other Microsoft services:
Password length—we are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market.
Obviously, as I mentioned above, there are security implications to limiting passwords to sixteen characters… especially when rivals such as Gmail and Yahoo allow for longer passwords, 200-character and 32-character passwords respectively. In defense of Microsoft, however, 16-character passwords might be long enough to protect against brute-force attacks. As ArsTechnica points out, if Microsoft uses secure hash algorithms to store passwords (such as SHA512crypt), hackers will hit an “exponential wall” for passwords longer than eight characters — making it extremely hard (nearly impossible) to brute-force passwords.
That being said, the major issue here isn’t that Microsoft limits passwords to sixteen characters. The major issue is Microsoft has quite literally been lying to users for years about the length of their passwords. I’m surprised they have gotten away with it for now. Class action lawsuit coming in 5… 4… 3…