11

Possible Duplicate:
Should I have a maximum password length?

According to a recent TNW article:

Microsoft doesn’t like long passwords. In fact, the software giant not only won’t let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password.

This practice seems counter-productive.

Would they have made this decision based on a limitation or particular behaviour of their hashing algorithm?

msanford
  • 5
    ... also Microsoft isn't a good security role model. – rook Sep 23 '12 at 20:11
  • 1
    @Rook - You make that statement based on what exactly? – Ramhound Sep 24 '12 at 12:48
  • 2
    @Ramhound The fact that they limit passwords to 16 characters long. – Dan Feb 26 '15 at 20:48
  • @Dan - My password longer than 16 characters disagrees. – Ramhound Feb 26 '15 at 23:59
  • 2
    @Ramhound I tried to sign up this morning at https://signup.live.com and it explicitly states: "Your password can't be longer than 16 characters." Try logging in with only the first 16 characters of your password, I bet it will work. – Dan Feb 27 '15 at 05:18

1 Answer

6

Purely legacy reasons. They are working to increase it.

From: http://windowsteamblog.com/windows_live/b/windowslive/archive/2012/07/15/keeping-your-microsoft-account-more-secure.aspx (see comment made by Eric Doerr in response to @MondayBlues):

Password length - We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market. It's also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like "123456" not due to a lack of complexity.

Eric Fleischman
  • The first sentence is the answer I was looking for! Thanks. (I didn't consider my question a duplicate because I wasn't asking a theoretical question about a planned system, as the linked one does, but a practical question about one that already exists.) – msanford Sep 24 '12 at 14:19
  • 1
    I agree, disagree with moderators...not a duplicate to me. – Eric Fleischman Sep 24 '12 at 14:22
  • @EricFleischman Could you paste a quote of the relevant parts in here, so the answer will remain valid even if the link dies? – Iszi Sep 24 '12 at 15:46
  • @Iszi: paste complete – Eric Fleischman Sep 24 '12 at 15:52
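
An added example, not part of the original thread and not Microsoft's code: a sketch of what a 16-character cut-off applied before hashing implies for verification, and of why components that disagree on the limit (the decentralized validation logic mentioned in the quoted reply) make the limit hard to raise. The KDF choice, the function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # the limit quoted on the page; everything else is assumed


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is used only for the example; the low iteration
    # count keeps the demo fast and is not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def enroll(password: str, truncate: bool):
    """Return (salt, hash) as a hypothetical component would store it."""
    salt = os.urandom(16)
    if truncate:
        password = password[:MAX_LEN]  # silent truncation before hashing
    return salt, _kdf(password, salt)


def verify(password: str, record, truncate: bool) -> bool:
    salt, stored = record
    if truncate:
        password = password[:MAX_LEN]
    return hmac.compare_digest(_kdf(password, salt), stored)


def demo() -> dict:
    full = "correct horse battery staple"  # constructed sample, 28 characters
    prefix = full[:MAX_LEN]
    legacy = enroll(full, truncate=True)    # record made by a truncating component
    strict = enroll(full, truncate=False)   # record made by a non-truncating one
    return {
        # Truncating verifier: anything sharing the first 16 characters matches.
        "legacy_accepts_prefix": verify(prefix, legacy, truncate=True),
        "legacy_accepts_other_tail": verify(prefix + "XYZ", legacy, truncate=True),
        # Mixed deployment: a component that stops truncating rejects the
        # user's real password against a record enrolled with truncation.
        "strict_verifier_on_legacy_record": verify(full, legacy, truncate=False),
        # Consistent non-truncating path: only the full password matches.
        "strict_accepts_prefix": verify(prefix, strict, truncate=False),
        "strict_accepts_full": verify(full, strict, truncate=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third result is the migration problem: a stored hash of the truncated password cannot be upgraded without the user's next successful login, so every component has to change its truncation behaviour together.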