
Hotmail No Longer Accepts Long Passwords, Shortens Them For You

timothy posted about 2 years ago | from the isn't-that-handy? dept.


An anonymous reader writes "Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!" At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.


497 comments


16 x 5 bits = 80 BIT !! (5, Funny)

Anonymous Coward | about 2 years ago | (#41417011)

That's enough for hotmail !!

Re:16 x 5 bits = 80 BIT !! (3, Informative)

sexconker (1179573) | about 2 years ago | (#41417143)

Where in the hell do you get 5 bits from?
A-Za-z alone gets you past that (52), add in 0-9 and some symbols and you'll be well past 64 (2^6).

My KeePass database lists my Hotmail address's password as having 99 bits of entropy.

Hah! Take that, my bank! (2, Interesting)

Anonymous Coward | about 2 years ago | (#41417029)

12 letters, no special characters my ass.

No, you may not know which bank I use.

Re:Hah! Take that, my bank! (4, Interesting)

rwa2 (4391) | about 2 years ago | (#41417193)

At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.

Nah, they'd never do that at a reputable large financial institution... like, say, www.americanexpress.com

Maybe they somehow figured out how to make money from handling fraud claims?

Re:Hah! Take that, my bank! (3, Interesting)

Anrego (830717) | about 2 years ago | (#41417487)

Stupid as this whole thing is, Microsoft does make one good point.

With the ease of phishing and harvesting passwords from other services where the user has used the same one.. who is gonna bother brute forcing a password.

It's like if your car has a notoriously easy to pick lock.. but you park in a parking lot where no one else even bothers locking theirs (and some have even had their doors removed for even more convenience..)

Re:Hah! Take that, my bank! (2)

Stan92057 (737634) | about 2 years ago | (#41417603)

How can brute force work on a web site sign in page? I would think banks code the site to stop brute force password input. I'm no programmer; that's why I ask.

Re:Hah! Take that, my bank! (1)

Scarletdown (886459) | about 2 years ago | (#41417349)

12 letters, no special characters my ass.

No, you may not know which bank I use.

Sounds like Bank of America. At least they let you use a mix of upper and lower case and numbers.

Re:Hah! Take that, my bank! (1)

Frosty Piss (770223) | about 2 years ago | (#41417703)

Sounds like Bank of America. At least they let you use a mix of upper and lower case and numbers.

Really? My B of A password does indeed contain several "special" chars.

And frankly, 16 character length including numbers, CAPs, lowers, and specials in a random string - is quite enough for most normal password use.

I do have some 52 char random string passwords, but really, back to the main subject here, for Hotmail? Seriously, 16 chars is fine, if you use random strings.

Clearly (2, Informative)

Narnie (1349029) | about 2 years ago | (#41417031)

Somebody hasn't read the relevant xkcd.

Re:Clearly (3, Informative)

Anonymous Coward | about 2 years ago | (#41417175)

http://xkcd.com/936/

Re:Clearly (-1)

Anonymous Coward | about 2 years ago | (#41417221)

http://xkcd.com/7/ [xkcd.com] ?

Re:Clearly (-1)

Anonymous Coward | about 2 years ago | (#41417409)

What does the sketch "Girl just after the roofie" have to do with this conversation?

Re:Clearly (-1, Flamebait)

mikkelm (1000451) | about 2 years ago | (#41417287)

I seem to be the only one who thinks that this strip is complete bullshit. There are so many assumptions, and no accounting for variations.

Re:Clearly (4, Interesting)

UnknownSoldier (67820) | about 2 years ago | (#41417407)

I've posted about this in the past http://slashdot.org/comments.pl?sid=3001279&cid=40757735 [slashdot.org]

> Inconsistent password policies for length, characters and expiry date.

We _really_ need standards for passwords & passphrases: minimum LENGTH and SYMBOLS included.

If your site can't handle passwords / passphrases around ~ 96 characters long with the characters (space) 0x20 - 0x7E, your site is *broken*.

The same crap with usernames. Stop limiting me to a max username length of 12 characters A-Z,a-z because your shitty architect / programmer / DB guy doesn't have a clue about security.

I propose a multi-tiered system with a schema like:
            NAME#@%
            PASS#@%

Where
    # is the max length allowed * 16
    @ represents which glyphs are allowed. Higher is better, with each level including the characters from the previous set
A = A-Z (0x41-0x5A)
B = a-z (0x61-0x7A)
C = 0-9 (0x30-0x39)
D = space,!-/ (0x20-0x2F)
E = :-@ (0x3A-0x40)
F = [-` (0x5B-0x60)
G = {-~ (0x7B-0x7E)
% is the number of months the password is valid for.

Examples:
NAME1C0 is 16 characters, in range: A-Z,a-z,0-9, 0 = never expires
PASS6G3 is 6*16 = 96 characters, in range 0x20 .. 0x7E, expires in 3 months

Then we flame & shame the idiots, er sites, that use crappy username and password policies.

Maybe time for an RFC?
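The NAME#@% / PASS#@% descriptor proposed above, turned into a parser and a checker. This is an added example, not the poster's code; the regex, the function names and the treatment of the length digit as a multi-digit number are my own assumptions.

```python
import re

# Glyph classes from the proposal, in order. Each level includes every
# class before it, so level 'G' covers all printable ASCII, 0x20-0x7E.
GLYPH_CLASSES = [
    ("A", range(0x41, 0x5B)),  # A-Z
    ("B", range(0x61, 0x7B)),  # a-z
    ("C", range(0x30, 0x3A)),  # 0-9
    ("D", range(0x20, 0x30)),  # space and !-/
    ("E", range(0x3A, 0x41)),  # :-@
    ("F", range(0x5B, 0x61)),  # [-`
    ("G", range(0x7B, 0x7F)),  # {-~
]

# NAME or PASS, then # (length code), @ (glyph level), % (months valid).
DESCRIPTOR_RE = re.compile(r"^(NAME|PASS)(\d+)([A-G])(\d+)$")


def parse_policy(descriptor):
    """Return (field, max_length, allowed_chars, expiry_months).

    'PASS6G3' -> ('PASS', 96, <all 95 printable ASCII chars>, 3)
    'NAME1C0' -> ('NAME', 16, <A-Z a-z 0-9>, 0)   (0 = never expires)
    """
    m = DESCRIPTOR_RE.match(descriptor)
    if not m:
        raise ValueError("bad policy descriptor: %r" % descriptor)
    field, length_code, glyph_level, months = m.groups()
    max_length = int(length_code) * 16
    allowed = set()
    for letter, codepoints in GLYPH_CLASSES:
        allowed.update(chr(c) for c in codepoints)
        if letter == glyph_level:
            break
    return field, max_length, allowed, int(months)


def check_value(descriptor, value):
    """Return a list of violations; an empty list means the value fits the policy."""
    field, max_length, allowed, _ = parse_policy(descriptor)
    problems = []
    if len(value) > max_length:
        problems.append("%s too long: %d > %d" % (field, len(value), max_length))
    bad = sorted({c for c in value if c not in allowed})
    if bad:
        problems.append("%s uses characters outside the allowed set: %r"
                        % (field, "".join(bad)))
    return problems


if __name__ == "__main__":
    for desc, val in [("NAME1C0", "jdoe_2012"),
                      ("PASS6G3", "correct horse battery staple!")]:
        print(desc, repr(val), check_value(desc, val) or "ok")
```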

Re:Clearly (1)

tepples (727027) | about 2 years ago | (#41417705)

From the transcript: "(You can add a few more bits to account for the fact that this is only one of a few common formats.)" But three more bits for eight common formats pales in comparison to the 16 more bits that switching to a word-salad passphrase buys you.

AOL Used to.... (4, Interesting)

Anonymous Coward | about 2 years ago | (#41417041)

A long time ago I had a 10 character password that ended with some numbers for an AOL account. I fumbled the numbers at the end of the password once, aware of such, but hit login anyway and it still let me in. I tested and confirmed it not to care what numbers were at the end of the password. Later it was revealed that AOL was just making a hash of the first 8 characters of the user's password, so it really didn't matter what you entered past the 8th char because it would be trimmed before computing the hash....

Ummm, nothing new here.... (5, Informative)

Anonymous Coward | about 2 years ago | (#41417047)

Umm, TFA says that Hotmail has never accepted passwords longer than 16 characters - it used to silently truncate them. The only thing that's changed is that Hotmail is now letting you know that it's truncating the password.

Huh. (5, Informative)

jd (1658) | about 2 years ago | (#41417059)

Well, in the Bad Old Days, Unix passwords could only be 8 characters, later extended to 16. Less concerned with the original scheme, more with the fact that Microsoft may be using password algorithms from the 1980s.

Re:Huh. (0)

Anonymous Coward | about 2 years ago | (#41417205)

No idea why but the Linux machines at my college that we use remotely are configured like that. And when you enter a password longer than the original in the ssh it works.

Re:Huh. (1)

eamonman (567383) | about 2 years ago | (#41417309)

The main Solaris server back in college was kind of like that. I had used 9 character PWs for most of college (I figured one more made it safer :P), and it was only during senior year that I finally noticed that the last character didn't matter. In fact, you could type in anything after the first 8 and it still worked (this led to me showing off that I could still log in after mashing the keyboard).

But yeah, I mean those were the wild wild west days where you telnet-ed in (ssh-ing came around later), ytalk wasn't blocked, and finger wasn't blocked either (hence many girls got creepy ytalk requests from the outside world).

Re:Huh. (1)

Darinbob (1142669) | about 2 years ago | (#41417633)

I definitely ran into a problem with this under an early BSD. Entered a longer password, entered it a second time, they matched, it was accepted. Then I could no longer log in the next day. Reset password and try again. Then the next day same problem. Eventually it was figured out and the admin patched a file and fixed it.

I think there was also a problem for awhile with user names where additional letters were ignored by some tools.

You need more than 16 char (-1)

Anonymous Coward | about 2 years ago | (#41417067)

If you're protecting against Sky-Net SAC-NORAD missile launches I can see it, otherwise it's overkill.

Re:You need more than 16 char (1)

sexconker (1179573) | about 2 years ago | (#41417181)

If you're protecting against Sky-Net SAC-NORAD missile launches I can see it, otherwise it's overkill.

Unfortunately you need a lot more when people listen to the terrible advice given out by terrible comics and start using passphrases consisting entirely of dictionary words. "incorrect equine cell affixer" becomes "incorrect equine" when truncated to 16 characters.

Re:You need more than 16 char (4, Informative)

ATMAvatar (648864) | about 2 years ago | (#41417377)

Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 [oxforddictionaries.com] possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.

Tell me again why it is terrible advice to use phrases?

Re:You need more than 16 char (2)

godel_56 (1287256) | about 2 years ago | (#41417673)

Even if you as an attacker know that the user chose 2 arbitrary words out of the English language as their password (or that only two mattered), and you knew there was a space between them, and you knew the login was case-insensitive, you still have to deal with the (minimum) 29,403,847,100 [oxforddictionaries.com] possible password phrases (171,476 common-use words times 171,475 unique second words, if we ignore word duplication and obsolete words). This also assumes, of course, that the password used correct spelling and did not in any way try to obfuscate the words with replacement schemes like l33t speak.

Tell me again why it is terrible advice to use phrases?

And at 100 billion guesses a second, using multiple GPU cards in a custom setup, you can test all those passwords in about 0.3 seconds.

How were they storing the passwords before? (5, Informative)

halexists (2587109) | about 2 years ago | (#41417095)

RTFA and you learn that they've only been storing the first 16 characters for years, letting you type away in vain. Otherwise they'd have to produce new hashes for the "shorter" passwords that they expect users to use now. (There's no such thing as reading the first 16 digits of a hashed password).

Re:How were they storing the passwords before? (2, Interesting)

VTI9600 (1143169) | about 2 years ago | (#41417447)

From TFA:

[...] this can only mean one of two things, according to Kaspersky:

        Store full plaintext passwords in their database and then compare the first 16 chars only.
        Calculate the hash only on the first 16 and ignore the rest.

I’m fairly certain Microsoft isn’t stupid enough to go with the first option. Storing passwords in clear text would be a disaster,

I wouldn't doubt for a second that MS would go with the first option. They are, after all, competing with Yahoo [cnn.com] :-) Also, wasn't it Microsoft that came up with the oxymoronical term "reversible encryption"?

On the other hand, Hotmail was originally built on FreeBSD by non-MS types, so who knows? To this day I still find it amusing to think of all the difficulty they must have had porting the platform to Windows.

When this happens... (2)

rbprbp (2731083) | about 2 years ago | (#41417103)

Whenever I see any website that rejects passwords longer than X characters, I turn away and go somewhere else. My smallest password these days is 20 characters with numbers and special characters. I expect pretty much any decent website to accept those.

Re:When this happens... (1)

Anonymous Coward | about 2 years ago | (#41417161)

I used to have the same approach. However, then I joined the shit hole ISP called internode in Australia; for something as important as your ISP password they don't even accept special characters.

Re:When this happens... (1)

notknown86 (1190215) | about 2 years ago | (#41417473)

Why?

Say the total number of characters upper case + lower case + numbers + special characters is somewhere around 80. And a password is, say, 10 characters on average.

Is someone really going to issue 10737418240000000000 requests to a publicly exposed web server to break your password?

Or, even in the worst case - they manage to access the password hashes directly and don't need the requests to do it - aren't you basically fucked anyway? If they can access protected areas on a service you trust?

Re:When this happens... (5, Insightful)

Stiletto (12066) | about 2 years ago | (#41417641)

The question that should be asked is, "What's a 'Special Character' and why shouldn't it be allowed in a password?"

I had this argument with a developer the other day.

Him: "What characters should be allowed in this text field?"
Me: "Um, How about all of them, at least the printable ones."
Him: "What about special characters?"
Me: "Give me an example."
Him: "The ! sign"
Me: "What's so special about that? I can type it? I use it at the end of some sentences when I'm angry. Why would you not allow it?"
Him: "What about non-latin characters?"
Me: "What, are they special too?"
Him: "You need to specify a list of every character that is allowed in the text field, otherwise I cannot program it."
Me: [Facepalm]

etc..

There doesn't seem to be any compelling security reason to exclude certain characters from eligibility for use in a password.

Let's give this a shot (3, Funny)

Ol Biscuitbarrel (1859702) | about 2 years ago | (#41417127)

hunte

Re:Let's give this a shot (0)

Anonymous Coward | about 2 years ago | (#41417483)

Error: ***** is unacceptable. Password must contain both letters and numbers.

Dulls-ville night on /. (-1, Offtopic)

SternisheFan (2529412) | about 2 years ago | (#41417129)

With all the interesting stories slashdot users vote for waiting to be chosen, this and the last 4 or 5 are the lamest. I mean, the kindle isn't being sold at Walmart? Sheesh.

more crackable (0)

harvey the nerd (582806) | about 2 years ago | (#41417135)

Presumably someone from the NSA or IRS wants to know...

Re:more crackable (3, Insightful)

Pinhedd (1661735) | about 2 years ago | (#41417307)

Most website authentication systems use a hash to store passwords. The unhashed string is formed from a salt, some unchanging record information (such as the user's username, or date of registration), and the user's plaintext password. During the hashing process, all of this gets distilled down to a fixed length string regardless of the complexity of the password. Thus, a lengthy password is not necessarily more secure than a short but sufficiently complex password. Any site worth their salt (pun intended) will lock an account after a number of failed logins anyway. The majority of compromised accounts come from successful phishing and social engineering, not from randomly guessing passwords. Now, encryption on the other hand should use a very strong and long password.

Re:more crackable (0)

Anonymous Coward | about 2 years ago | (#41417401)

Presumably someone from the NSA or IRS wants to know...

Presumably the NSA or IRS is full of dumbshits then if that is their requirement.

Give it another 20 years...at that point you'll probably hear one of them say "Rainbow tables? No, never heard of them...they must be new, right?"

Hash???? (2)

NinePenny (856053) | about 2 years ago | (#41417141)

Hmm... Why wouldn't they just store a 16 char hash of whatever password you want?

Usually you only see this when someone is doing something wrong from a security standpoint.

Re:Hash???? (0, Offtopic)

tepples (727027) | about 2 years ago | (#41417545)

Because hash has been illegal since 1937 [wikipedia.org] , except for a 17-month period in 1969-1970.

So? (5, Insightful)

jd2112 (1535857) | about 2 years ago | (#41417145)

Who in their right mind would trust anything sensitive enough to require a 16 character password to Hotmail?

dario90 (0)

Anonymous Coward | about 2 years ago | (#41417155)

Security -- the microsoft fail of all life

The real news... (-1)

Anonymous Coward | about 2 years ago | (#41417159)

The real news here is: Microsoft always stores and always stored user passwords unhashed. At least you can't forget the salt then.

isn't this backwards (1)

lc_overlord (563906) | about 2 years ago | (#41417167)

I thought you were supposed to enforce longer passwords instead.
The math is clear: if an 8 character alphanumeric password takes a second to break, then a 20 char password takes about 15.000.000.000.000 years to crack, or 110 times the age of the universe.

Why have such short limits? (5, Interesting)

Paradigm_Complex (968558) | about 2 years ago | (#41417191)

As fun as it is to bash Microsoft, they're not the only ones who do this. Presumably there is some technical reason why this is done, but I am at a loss for what this would be. Would someone be able to explain to me the reason why such limits are put in place?

It seems with modern computer capability that absurdly long passwords would be trivial. The hashed password length would be the same regardless, so I can't see storage space as the issue. The only other idea which comes to my mind is the computational difficulty of hashing the passwords, but even that has to be trivial by today's standards, even with millions of users hitting the servers. Why not go overboard and just allow several kilobytes worth of password?

Re:Why have such short limits? (1)

Anonymous Coward | about 2 years ago | (#41417311)

There is no point storing a password that is longer than the hash, as there are then multiple strings that resolve to the same hash.

Re:Why have such short limits? (0)

Anonymous Coward | about 2 years ago | (#41417353)

You are assuming they hash the passwords at all. I hope they do, but wouldn't be that surprised if they didn't.

Re:Why have such short limits? (2)

Volanin (935080) | about 2 years ago | (#41417457)

Commenting here, as my finger slipped and I wrongly modded this as Troll. Gosh, I am a human, give me an option to remoderate my mistakes, you silly slashdot!

Re:Why have such short limits? (1)

Anonymous Coward | about 2 years ago | (#41417491)

It makes even less sense when you consider that they should never be storing the actual password anyways, but instead they should be storing a salted hash of it. The original password length is irrelevant when they are only storing the hash, since all hashes will be the same length.

Re:Why have such short limits? (0)

Anonymous Coward | about 2 years ago | (#41417511)

I'm guessing they use MS SQL server in their backend...

Re:Why have such short limits? (0)

Anonymous Coward | about 2 years ago | (#41417583)

I believe it's legacy reasons. A long time ago, the data was read into a 16-byte buffer. Someone made the decision to truncate passwords instead of disallowing them. If they were to remedy the problem and expand the max allowed password size, everyone with an old "greater than 16 character" password would lose access to their accounts.

Re:Why have such short limits? (5, Interesting)

bertok (226922) | about 2 years ago | (#41417591)

Every time I see any kind of password length limit somewhere, I instinctively know that somewhere behind the scenes there is this table column:

    user_password VARCHAR(16) NOT NULL

It's the same sinking feeling I get when I see the "the following special characters cannot be used in the password field" error message, which just tells me immediately that the code that submits the password field looks like:

    $cmd = "UPDATE ... user_password='" + $password + "' ... "

There really, really needs to be a "guild of programmers" or somesuch, along the lines of the Bar Association, so that anybody who writes code like the above can be summarily ejected from it.
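To show the two patterns side by side, here is an added example in Python with sqlite3 (not the poster's code and not any real site's backend): the concatenated statement from the comment above next to a parameterised statement that stores a salted PBKDF2 hash, so neither a column width nor the character set constrains the password. The iteration count and the sample password are constructed values.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # constructed value; tune for the deployment's hardware


def hash_password(password, salt):
    """Fixed-size digest over the whole password: the stored column never grows with the input."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_schema(conn):
    # Only a salt and a fixed-length hash are stored; there is no VARCHAR(16) holding plaintext.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users ("
        " username TEXT PRIMARY KEY,"
        " pw_salt  BLOB NOT NULL,"
        " pw_hash  BLOB NOT NULL)"
    )


def set_password_unsafe(conn, username, password):
    """The pattern the comment above describes: the password spliced into the SQL text.

    Returns False when the statement fails to parse, which is what happens for any
    password containing a quote, and is where 'special characters cannot be used'
    rules come from."""
    cmd = "UPDATE users SET pw_hash='" + password + "' WHERE username='" + username + "'"
    try:
        conn.execute(cmd)
        return True
    except sqlite3.OperationalError:
        return False


def set_password(conn, username, password):
    """Parameterised statement plus hashing: any length and any character is acceptable."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT OR REPLACE INTO users (username, pw_salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def verify_password(conn, username, password):
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the freshly computed hash with the stored one.
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo():
    """Run both approaches against an in-memory database and report what each accepts."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    # Constructed sample: well over 16 characters, quotes, a semicolon and a non-ASCII letter.
    long_pw = "It's 'quoted'; has spaces, symbols #$%^&* and an é"
    set_password(conn, "alice", long_pw)
    return {
        "full_password_ok": verify_password(conn, "alice", long_pw),
        "first_16_rejected": not verify_password(conn, "alice", long_pw[:16]),
        "unsafe_breaks_on_quote": not set_password_unsafe(conn, "alice", "it's"),
        "unsafe_accepts_plain": set_password_unsafe(conn, "alice", "plain"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```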

Re:Why have such short limits? (0)

Anonymous Coward | about 2 years ago | (#41417635)

NVARCHAR(16)

Re:Why have such short limits? (1)

John Bokma (834313) | about 2 years ago | (#41417643)

I am afraid that would eject a large number of programmers (aka "programmers"). Wouldn't surprise me if this would eject 80%. But I am all for it.

Re:Why have such short limits? (1)

Darinbob (1142669) | about 2 years ago | (#41417657)

Because people don't think. That is all.

Seriously, the people who design the web UI front end and the people who save the data to the databases on the back end are not security experts. They probably just thought "ok, gotta reserve space for a field, I think 16 characters is enough" and that was the end of the thinking process.

Who cares? (-1, Troll)

Shavano (2541114) | about 2 years ago | (#41417197)

Seriously who THE FUCK cares?

Re:Who cares? (0, Insightful)

Anonymous Coward | about 2 years ago | (#41417369)

Seriously who THE FUCK cares?

Uh, the guy who wants to crack your password.

Don't give a shit what color hat he has on, this dumbass move is making his life a lot easier regardless.

So What? (0)

Anonymous Coward | about 2 years ago | (#41417201)

Quit using Hotmail. Problem solved.

could be worse (0)

Anonymous Coward | about 2 years ago | (#41417209)

Some very major sites are even more egregious -- take for example American Express, which limits passwords to 8 letters and numbers only, no special characters allowed. Even a decade ago that's like calling for a bodyguard and being sent an 8-year-old boy with a slingshot. Every month I think about closing that account for that reason alone.

Shortens password? (1)

nitehawk214 (222219) | about 2 years ago | (#41417211)

Does this mean they were storing the passwords in cleartext? In a real system they would simply be storing the hashes, shortening the password would cause it to create a different hash and not match.

Re:Shortens password? (1)

tepples (727027) | about 2 years ago | (#41417343)

Does this mean they were storing the passwords in cleartext? In a real system they would simply be storing the hashes

I'm under the impression that they hash it after chopping off everything after 16 characters. Perhaps it's easiest to express in PHP: $hash = sha1(substr($password, 0, 16));

Rainbow tables (0)

Anonymous Coward | about 2 years ago | (#41417233)

This allows your password to be revealed with minimal computing time. Sounds more like it is to assist law enforcement, than end users. Anyone choosing a password over 16 characters, obviously didn't want the help in the first place.

Re:Rainbow tables (1)

Kaz Kylheku (1484) | about 2 years ago | (#41417323)

Rainbow tables are used for attacking hashed passwords. They are a reverse dictionary of hashes back to plaintext passwords.

These hotmail passwords are obviously stored in clear text, otherwise how would they be able to just chop them at 16 characters?

(The only way would be if they had anticipated such a change way back when the hashes were generated, and they generated a 16 character hash along side a full hash, and so now they are just switching which hash they use.)

So if you gain access to Hotmail's password storage, you don't need any tables, you just read the passwords.

If you don't have access to the password storage, then having rainbow tables is moot. You're reduced to making login attempts by brute force.

Re:Rainbow tables (2)

djmurdoch (306849) | about 2 years ago | (#41417373)

(The only way would be if they had anticipated such a change way back when the hashes were generated, and they generated a 16 character hash along side a full hash, and so now they are just switching which hash they use.)

That's not the only way. Another way would be that they silently dropped all characters after the 16th, then formed a hash from what was left.

Re:Rainbow tables (0)

Anonymous Coward | about 2 years ago | (#41417535)

> That's not the only way. Another way would be that they silently dropped all characters after the 16th, then formed a hash from what was left.

But in order to do that, they had to have the original password in cleartext.

Re:Rainbow tables (0)

Anonymous Coward | about 2 years ago | (#41417655)

Yes but the argument is they would have needed to do that from the outset. There is no way to turn an already-hashed password into a hashed password of the shorter version. Take this simple example:
password is set to "password". The hash (md5sum) is 286755fad04869ca523320acce0dc6a4, and the word "password" is forgotten.

New policy, passwords are now only 4 characters. We need to figure out how to change 286755fad04869ca523320acce0dc6a4 into 4528e6a7bb9341c36c425faf40ef32c3, but the only way to come up with 4528e6a7bb9341c36c425faf40ef32c3 is to know that the first 4 characters were "pass" - which we don't know at this point in time (since we only saved 286755fad04869ca523320acce0dc6a4).

The only way to actually do this, would be as each user logs in successfully, take a new hash and store it along side the old hash, because at login time we have the plaintext and could re-hash the first N characters.
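The login-time migration this post describes, as an added example that is not the poster's code. sha256 stands in for whatever hash a real site used (unsalted here to keep the block short; a deployment would salt and use a slow KDF), and TRUNCATE_TO is the 16-character limit from the story.

```python
import hashlib
import hmac

TRUNCATE_TO = 16  # the new, shorter limit from the story


def old_hash(password):
    """Original scheme: hash over the whole password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_hash(password):
    """New scheme: hash over the first TRUNCATE_TO characters only."""
    return hashlib.sha256(password[:TRUNCATE_TO].encode("utf-8")).digest()


class PasswordStore:
    """Per-user record holding the old hash until the user's next successful login."""

    def __init__(self):
        self.records = {}  # username -> {"old": bytes or None, "new": bytes or None}

    def register_legacy(self, username, password):
        # Constructed pre-migration record: only the full-password hash exists.
        self.records[username] = {"old": old_hash(password), "new": None}

    def login(self, username, entered):
        rec = self.records.get(username)
        if rec is None:
            return False
        if rec["new"] is not None:
            # Already migrated: only the first TRUNCATE_TO characters matter now.
            return hmac.compare_digest(rec["new"], new_hash(entered))
        # Not migrated yet: the full password must still match the old hash ...
        if not hmac.compare_digest(rec["old"], old_hash(entered)):
            return False
        # ... and this is the one moment the plaintext is available, so derive
        # the new hash now and drop the old one.
        rec["new"] = new_hash(entered)
        rec["old"] = None
        return True

    def migrated(self, username):
        return self.records[username]["new"] is not None


if __name__ == "__main__":
    store = PasswordStore()
    store.register_legacy("bob", "correct horse battery staple")
    print(store.login("bob", "correct horse ba"))              # False: not migrated yet
    print(store.login("bob", "correct horse battery staple"))  # True: migrates on the way in
    print(store.login("bob", "correct horse ba"))              # True: first 16 chars now suffice
```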

Re:Rainbow tables (1)

farble1670 (803356) | about 2 years ago | (#41417687)

These hotmail passwords are obviously stored in clear text, otherwise how would they be able to just chop them at 16 characters?

they've always been chopping them. they are chopped before they go into the hash function. they haven't changed anything, they are just now letting you know what they are doing.

Bank website... (0)

Anonymous Coward | about 2 years ago | (#41417237)

A banking website I used silently dropped special characters, perhaps to prevent injection attacks on their form. Reduced you to letter and numbers only.

Re:Bank website... (1)

True Vox (841523) | about 2 years ago | (#41417551)

Wow. That's one way to prevent that. I mean, it would have worked here [xkcd.com] , but I'm not sure it's the BEST way...

PASSWORDS NOT HASHED?!? (0)

Anonymous Coward | about 2 years ago | (#41417269)

So... it means Microsoft is not hashing passwords at all, because hashed passwords cannot be truncated (well, at least not without the user entering the FULL password after the truncation system has been put in place)

Wow...

Re:PASSWORDS NOT HASHED?!? (1)

farble1670 (803356) | about 2 years ago | (#41417701)

it could mean that. but it could also mean they've always been truncating them from day one, and they are now just letting you know.

Ummm, no? (0)

Anonymous Coward | about 2 years ago | (#41417283)

I think this has been the case for many months, if not years. I don't think I'm mistaken, but I may be. I think if you entered a long password, only the first 16 characters were necessary to log into your account. Please correct me if I'm wrong.

The disturbing thing is: they must be cleartext! (-1, Troll)

Kaz Kylheku (1484) | about 2 years ago | (#41417285)

This reveals that they are storing the passwords in cleartext.

You cannot make such a change on hashed passwords!

If you chop only 16 characters, you will not compute the same hash as before.

Storing the passwords in cleartext means that if they are compromised, the passwords are available to the intruder without having to crack hashes.

Re:The disturbing thing is: they must be cleartext (2)

GodfatherofSoul (174979) | about 2 years ago | (#41417431)

They might have only been passing the first 16 characters into the hash all along.

Re:The disturbing thing is: they must be cleartext (1)

darkfeline (1890882) | about 2 years ago | (#41417579)

In which case typing the full password would still work.

Re:The disturbing thing is: they must be cleartext (0)

Anonymous Coward | about 2 years ago | (#41417659)

Such a low ID, yet such lack of understanding. Mighty impressive.
Do yourself a favor, don't comment on anything security related anymore.

Re:The disturbing thing is: they must be cleartext (0)

Anonymous Coward | about 2 years ago | (#41417677)

Or, hotmail will delete your account if you don't log in for 360 days. Another option would be to re-hash the password as the user successfully logs in, and store two hashes. You would only need to do this for a maximum of a year, because after a year either everyone has logged in (and thus created the second hash) or their account has been deleted by the cleanup robot.

Slashdot has a limit to (1)

Robadob (1800074) | about 2 years ago | (#41417305)

Slashdot has a password length limit, IIRC it's 20. The input field for setting a password has a max length of 20; however, the login field doesn't. So when I last changed my password I was confused for a short while till I realised that I hadn't read the password guidelines. To be honest I find that ~50% of websites that I try to use long passwords on are limited to around 20.

Re:Slashdot has a limit to (2)

Robadob (1800074) | about 2 years ago | (#41417533)

On the topic of weird password requirements, my university has the weirdest password requirements I have come across to date (I'm assuming it's due to some software they must use);

Note that passwords must follow these rules:
* must be 6, 7 or 8 characters in length
* must contain at least one numeric digit
* must NOT start with a numeric digit
* must contain only lower-case alphabetic letters and numeric digits (that is no punctuation characters).
* the first three characters of your password must not be identical
* the first three characters of your password must not equal sap or pass
* the first three characters of your password and login name must not be the same

Fun with passwords (1)

WinstonWolfIT (1550079) | about 2 years ago | (#41417347)

Huh. Filter error: That's an awful long string of letters there. So spaces added.

Things one might never tire of hearing:

Ohmyitssolarge!
Itwasthebestoftimes Itwastheworstoftimes
Franklymydear Idontgiveadamn
Youplayeditforher youcanplayitforme
OnthewholeIwould ratherbeinPhiladelphia

Also, some obligatory links for your benefit:
http://xkcd.com/936/ [xkcd.com]
http://xkcd.com/792/ [xkcd.com]

Banks just as bad (3, Interesting)

Asmor (775910) | about 2 years ago | (#41417365)

TD Bank, my current bank, has the following password requirements:

6-32 characters, no spaces, alphanumeric + the following symbols only: [list of characters removed because /. thought it was spam; it was a fairly short list, though. Didn't even include an asterisk]

Additionally, back when I signed up for online banking with them, I filled in a bunch of garbage for the security questions because security questions are just an attack vector, and I don't forget my passwords (I highly recommend KeePass for managing passwords, it's amazing).

Anyways, a few years ago I went to log in and was prompted to answer a security question. Wtf? I had to call customer service to get my security questions reset. Now, if they don't recognize the device, or every so often, in addition to password you need to answer a security question.

This means that I'm forced to either give real answers that I'll remember (and that anyone else could figure out to hijack my account), bogus answers that I can try to memorize, or garbage that I write down and hang onto.

I also recall, around 10 years ago, I was using Bank of America and they had a limit of either 12 or 16 characters on your passwords.

Of course, my email, web hosting, and even my fucking World of Warcraft use actual two-factor authentication, with phone apps that generate codes that are only good for around 30 seconds, and outside of a man-in-the-middle attack they're practically bulletproof. Why the fuck can't my online banking be as secure as them?

Re:Banks just as bad (1)

Anonymous Coward | about 2 years ago | (#41417449)

This means that I'm forced to either give real answers that I'll remember (and that anyone else could figure out to hijack my account), bogus answers that I can try to memorize, or garbage that I write down and hang onto.

I just give the answer "43" to all security questions.

I figure, everybody would guess 42, but 43? Never!

Re:Banks just as bad (2)

DamnStupidElf (649844) | about 2 years ago | (#41417539)

The solution is fairly simple; keep extra random passwords in KeePass or whatever else you use, one for each security question.

1000 guesses per second assumption (1)

WinstonWolfIT (1550079) | about 2 years ago | (#41417383)

In cases where there's no physical access to the data, how does one get 1000 guesses per second? If my bank is going to lock my account after three incorrect guesses and if I keep a reasonable spread of account names and passwords, what's the actual risk of a 'weak' password actually being compromised? If I use a repeated account name and password on Facebook, what's the drama of someone guessing passwords at 50 per second?

At least... (1)

mschaffer (97223) | about 2 years ago | (#41417395)

At least you don't need to use your real name.

Ummmmm. Clear text storage?! (0)

Anonymous Coward | about 2 years ago | (#41417411)

For a shorter 16-char version of your password to work, this means Microsoft has most likely not been hashing your passwords, but storing them in clear-text. So that any length of your password string is identifiable...

Here's your chance, hack hotmail, and get a treasure chest of emails and passwords, and subsequent Bank password reset opportunities....

Re:Ummmmm. Clear text storage?! (2)

VTI9600 (1143169) | about 2 years ago | (#41417613)

Here's your chance, hack hotmail, and get a treasure chest of emails and passwords, and subsequent Bank password reset opportunities...

Thanks, but the real opportunity was back in 1999 when they limited your password to two characters [wikipedia.org] . Now those were some good times!

I generate my passwords (5, Interesting)

Anonymous Coward | about 2 years ago | (#41417415)

My password is thus: SHA1 HMAC( PW, domain + salt ) -- Output as Base64 (where + is concatenation). I use this method because I can recreate the password at any time from anywhere. I don't rely on anyone else's password systems, I just use this simple algorithm which I can implement on any machine with the simple cryptographic primitives (hashed message authentication code, and a hash). I get a different password for each site, while using the same password everywhere. I change the salt and/or main password every so often, and only have to remember the current and last PW as I migrate to the new password as I run into sites I use.

At first I created a table within the bookmarklet that would allow me to set additional rules for passwords, limit length, use a different set of characters for the base64 output -- The hash would be filtered on a per site basis to comply with all the bullshit. I could deal with such shortcomings five or ten years ago, but not today. Synchronizing the bookmarklet defeats the purpose of using a simple algorithm. If a site won't accept something like: NzE1YWViMGQwMjU3NWRlNmI3ZDQ0NTQ0NzI4MjE3MGU5YzRlMWY3NiAgLQo= as a password then I just don't use the service.

I'll never use any Microsoft products, so I'll have to rely on others to discover: I imagine MS would simply ignore characters beyond the new limit? If not it would surely break password entry systems like my own or even saved password mechanic in all browsers... Including IE. It wouldn't surprise me if MS did break password entry for long saved passwords -- Smart folks who are security aware aren't their target audience.
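The derivation scheme described in the comment above, written out as an added example (not the commenter's own bookmarklet): Base64 of HMAC-SHA1 keyed with the master password over domain plus salt, a per-site filter of the kind the comment says it used to keep, and a bound on how many bits survive once a site such as Hotmail keeps only the first 16 characters. The master password, salt and domains are constructed for the demonstration; HMAC-SHA1 is kept because that is what the comment specifies, though the same code runs unchanged with hashlib.sha256.

```python
import base64
import hashlib
import hmac
import math
import string

# Constructed inputs for the demonstration; the real master password and
# salt are whatever the user keeps in their head.
DEMO_MASTER = "a long master password nobody else knows"
DEMO_SALT = "2012-q3"
ALNUM = string.ascii_letters + string.digits


def site_password(master: str, domain: str, salt: str) -> str:
    """Base64(HMAC-SHA1(key=master, msg=domain + salt)), as the comment describes.

    HMAC-SHA1 yields 20 bytes, so the Base64 form is always 28 characters
    ending in one '=' pad. Changing the salt or the master password rolls
    every site's password at once; changing the domain changes only that site.
    """
    mac = hmac.new(master.encode("utf-8"),
                   (domain + salt).encode("utf-8"),
                   hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def fit_to_site(pw: str, max_len=None, allowed=None) -> str:
    """Apply one site's constraints to the derived password: drop characters
    outside the allowed set, then cut to the length cap. This is the
    per-site rule table the comment mentions (assumed form)."""
    if allowed is not None:
        pw = "".join(c for c in pw if c in allowed)
    if max_len is not None:
        pw = pw[:max_len]
    return pw


def bits_of(pw: str, alphabet_size: int = 64) -> float:
    """Upper bound on the unpredictability of a derived password: each
    Base64 character carries at most 6 bits, and the whole string never
    carries more than the 160-bit HMAC-SHA1 output."""
    return min(len(pw) * math.log2(alphabet_size), 160.0)


if __name__ == "__main__":
    for domain in ("hotmail.com", "example.com"):
        full = site_password(DEMO_MASTER, domain, DEMO_SALT)
        cut = fit_to_site(full, max_len=16)
        print(f"{domain:12} {full}  ({bits_of(full):.0f} bits)")
        print(f"{'':12} {cut:28}  ({bits_of(cut):.0f} bits after a 16-char cap)")
```

A 16-character cap still leaves 96 bits of the 160, which is far beyond any online guessing budget; the real cost of per-site filtering is the one the comment names, keeping the rule table in sync between machines.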

Just under the wire... (0)

Anonymous Coward | about 2 years ago | (#41417427)

So I won't have to change from "Suck it, Trebek!"

False value plus what the hash? (1)

EmperorOfCanada (1332175) | about 2 years ago | (#41417439)

This is the sort of MBA spreadsheet thinking that kills companies. I suspect that someone did an audit that showed the passwords taking up all this "Valuable" space or some other bizarre analysis. The tiny savings from having the shorter passwords will instantly be nullified the first major hack that comes along.

So MS is faced with one of three expensive situations:
They weren't hashing but storing my pass in some open or reversible format which when hacked will create a mega PR / liability problem or,

They are hashing and the truncated passwords won't work and they are going to blow off any customers who had long passwords which will tend to be the more technologically savvy who, as a group, are a bad idea to piss off as they are the types recommending technology to the masses. MS does not need to lose even more of the techno aware. or,

They are hashing which means a truncated pass won't work and they will then have tech support hand out access willy nilly resulting in the easiest social phishing in the history of the net. "I would like you to set the password for the account bgates@hotmail.com to 12345678. Your name sir? Billy Gates you fool, now hurry. Thank you sir your password has been reset to 12345678. I would like to spend 5 minutes asking you about your purchase plans for our new $10,000 tablet..."

Well that's no big deal (1)

kiriath (2670145) | about 2 years ago | (#41417453)

I'm sure most hotmail users are more worried about the minimum character limit rather than the maximum.

"My password can't be 'poop' anymore. How will I ever remember it?"

Two-factor or stay home. (1)

thesandtiger (819476) | about 2 years ago | (#41417507)

In this age of ubiquitous spyware and key loggers passwords are pointless. Two factor security or don't trust anything important to a system.

My passwords for things are simple, but I only trust important data to two-factor. I just assume anything only password protected is compromised.

Re:Two-factor or stay home. (1)

darkfeline (1890882) | about 2 years ago | (#41417599)

No, passwords in fact work very well and are very secure given that everything is done properly, on both ends. "Everything is done properly." Yeah, I know, I laughed too. *bitter tears*

My new password..... (0)

Anonymous Coward | about 2 years ago | (#41417557)

My new hotmail password must be "correct horse ba".

WTF?! (1)

shentino (1139071) | about 2 years ago | (#41417565)

Could someone explain how this would be even possible to pull off in the first place unless our passwords were stored in plaintext?

Last time I checked, you couldn't truncate a password like this after it's already been hashed.

Microsoft, shame on you.
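The question in the comment above, and the earlier "clear text storage" comment, as an added example that is not part of any post and not anything Microsoft has published: a credential store that cuts the password to a limit before hashing accepts the truncated form while holding nothing but a salt and a PBKDF2 hash, so a site accepting the first 16 characters does not by itself prove plaintext storage. What it does imply is that the hash was computed over the truncated input; the last function shows how an existing full-length hash can be moved to a limited one on the next successful login, since the stored hash cannot be truncated after the fact. Function names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; assumed, not anything Microsoft uses


def _digest(password: str, salt: bytes, limit: Optional[int]) -> bytes:
    """Hash the password, optionally after cutting it to `limit` characters.
    Truncation happens by character, before UTF-8 encoding, so a multi-byte
    character is never split in half."""
    if limit is not None:
        password = password[:limit]
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, limit: Optional[int] = None) -> dict:
    """Create a stored credential record: salt, limit and hash only.
    With limit=16 the record cannot distinguish two passwords that share
    their first 16 characters, which is exactly the Hotmail behaviour."""
    salt = os.urandom(16)
    return {"salt": salt, "limit": limit, "hash": _digest(password, salt, limit)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute under the record's own limit and compare in constant time."""
    candidate = _digest(attempt, record["salt"], record["limit"])
    return hmac.compare_digest(candidate, record["hash"])


def migrate_on_login(record: dict, attempt: str, new_limit: int) -> Optional[dict]:
    """Introduce a limit for an account enrolled without one. The old hash
    covers the full password, so the only way to obtain a hash of the first
    new_limit characters is to wait for a login with the full password,
    verify it against the old record, then re-enroll. Returns None on failure."""
    if not verify(record, attempt):
        return None
    return enroll(attempt, new_limit)


if __name__ == "__main__":
    full = "correct horse battery staple"
    old = enroll(full)
    print("full-length record accepts first 16 chars:", verify(old, full[:16]))
    new = migrate_on_login(old, full, 16)
    print("migrated record accepts first 16 chars:  ", verify(new, full[:16]))
```

The security cost is the loss of everything past the limit: after migration the record above is exactly as strong as a 16-character password, and any longer password the user keeps typing buys nothing.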

Watch out past self! (0)

Anonymous Coward | about 2 years ago | (#41417595)

Your email account in 1998 is now more vulnerable!

Seriously? (0)

holophrastic (221104) | about 2 years ago | (#41417663)

A website chooses not to store an infinite length password of yours, and that makes headline news on slashdot? seriously, that's a problem? Guys, it's free third-party e-mail. It's not your safe-deposit box.

Oh, and by the way, you can make the key to your safe-deposit box as long as you want, the lock will still only accept the first inch of it. Your girlfriend also won't accept more than 16 inches, by the way. Sometimes things are larger than capacity will allow.

Not to mention, we all know exactly why they won't take more than 16 characters. Any bets your password's simply hashed into a 16 byte string anyway? Congrats, on your 17 character password being converted into 16 anyway.

But hey, car doors and house doors with entry codes have 5 buttons each doubly-labelled. So 1 & 2 are on the same button. Making 11, 12, 21, and 22 the same double-press of the same button.

Complain harder. Maybe then things like this might matter. Right now they make absolutely no difference whatsoever.

MICROSOFT BRILLIANTLY ....S too peed.... (0)

Anonymous Coward | about 2 years ago | (#41417665)

MOST older people or just forgetful people will substitute a real sound "èò_bfR43" type of password with a much longer but equally sound "IndianEtherodyneForest33LakehurstManor", which would just be a switch from a MACHINE-sound uppercase, symbol etc. password to a password an actual human is capable of associating with events or places he's sure not to forget... remember we ARE made out of flesh after all.

Seems to me the usual pig-headed faceless bureaucrat sort of decision made by a techie without ANY regard to human "haptics"...

But the first 16 characters of my password are (2)

nbauman (624611) | about 2 years ago | (#41417691)

0123456789ABCDEF
