Microsoft doesn’t like long passwords. In fact, the software giant not only won’t let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password.
New York, are you ready?
We’re building Momentum: an all killer, no filler event this November.
As you can see in the screenshot above, courtesy of Kaspersky’s Securelist, this new policy appears to apply to all Microsoft accounts, not just those limited to Hotmail. Here’s the full text:
Microsoft account passwords contain up to 16 characters. If you’ve been using a password that has more than 16 characters, enter the first 16.
Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!
When Outlook.com launched some two months ago, it limited passwords to 16 characters in length. Sophos posted an excellent password length comparison between Outlook.com (16 characters), Yahoo (32 characters), and Gmail (200+ characters). Today’s story is about Microsoft apparently limiting Hotmail password lengths from their previous to length, to no loner than 16 characters.
This is ridiculous. It might not seem like a big deal to you as you probably don’t have such a long password, but the issue goes deeper. If Microsoft is suddenly only accepting the first 16 characters of long passwords, this can only mean one of two things, according to Kaspersky:
- Store full plaintext passwords in their database and then compare the first 16 chars only.
- Calculate the hash only on the first 16 and ignore the rest.
I’m fairly certain Microsoft isn’t stupid enough to go with the first option. Storing passwords in clear text would be a disaster, and given that we’re talking about Hotmail, hackers would have already taken advantage a long time ago.
The second option is also pretty crazy though, as Kaspersky’s Costin Raiu notes: “The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password.” That would those who have been using long passwords in Hotmail for years were only ever as secure as the first 16 characters of their password.
I think there could be a third possibility; Microsoft may have stored multiple versions of the same password. In this case, there would be at least two that we know of: one short and one long. This isn’t as farfetched as you might think; other companies store multiple versions of the same password too (like Facebook).
I have contacted Microsoft about this issue. I will update you if and when I hear back.
Update at 5:10PM EST: As Paulo Higa points out on Twitter, Microsoft has always limited its passwords to 16 characters. Here’s what the company says in a help document titled “Why can’t my Microsoft account password have more than 16 characters?:”
This doesn’t mean that your password has been shortened. Actually, Windows Live ID passwords were always limited to 16 characters—any additional password characters were ignored by the sign-in process. When we changed “Windows Live ID” to “Microsoft account,” we also updated the sign-in page to let you know that only the first 16 characters of your password are necessary. To avoid this error message in the future, you only need to enter the first 16 characters of your password.
This would suggest that around two months ago, when Microsoft switched from Windows Live accounts to Microsoft accounts, the company also started denying access to anyone still using their full password of more than 16 characters. It’s 16 characters or less, regardless of what your password was before. I’m still waiting to here back from Microsoft to confirm.
Update at 7:00PM EST: Microsoft has sent a statement. Here it is in full:
Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords. Sixteen characters has been the limit for years now. We will always prioritize the protection needs of users’ accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services.
In other words, nothing we didn’t already know. It looks like the 16-character limit is here to stay.
Image credit: stock.xchng