
Microsoft doesn’t like it if you use long passwords in Hotmail. In fact, the software giant won’t let you use a really long one anymore, and recently started prompting users to only enter the first 16 characters of their password.
As you can see in the screenshot above, courtesy of Kaspersky’s Securelist, this new policy appears to apply to all Microsoft accounts, not just those limited to Hotmail. Here’s the full text:
Microsoft account passwords contain up to 16 characters. If you’ve been using a password that has more than 16 characters, enter the first 16.
Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!
This is ridiculous. It might not seem like a big deal to you as you probably don’t have such a long password, but the issue goes deeper. If Microsoft is suddenly only accepting the first 16 characters of long passwords, this can only mean one of two things, according to Kaspersky:
- Store full plaintext passwords in their database and then compare the first 16 chars only.
- Calculate the hash only on the first 16 and ignore the rest.
I’m fairly certain Microsoft isn’t stupid enough to go with the first option. Storing passwords in clear text would be a disaster, and given that we’re talking about Hotmail, hackers would have already taken advantage a long time ago.
The second option is also pretty crazy though, as Kaspersky notes: “The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password.” That would mean those who have been using long passwords in Hotmail for years were only ever as secure as the first 16 characters of their password.
I think there could be a third possibility: Microsoft may have stored multiple versions of the same password. In this case, there would be at least two that we know of: one short and one long. This isn’t as farfetched as you might think; other companies store multiple versions of the same password too (like Facebook).
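To make the difference concrete, here is an added example (not from the original post, and not Microsoft's actual code) that models the two hashing designs discussed above: a verifier that hashes only the first 16 characters next to one that hashes the full password. The salt handling, PBKDF2 parameters and sample password are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration; they are not Microsoft's scheme.
TRUNCATE_AT = 16            # the limit quoted in the Microsoft prompt
PBKDF2_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of whatever material the caller passes in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_truncating(password: str, salt: Optional[bytes] = None) -> dict:
    """Models Kaspersky's second hypothesis: only the first 16 characters are hashed."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": _derive(password[:TRUNCATE_AT], salt)}


def store_full(password: str, salt: Optional[bytes] = None) -> dict:
    """Hashes the whole password, so every character beyond 16 still matters."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def verify(record: dict, candidate: str, truncating: bool) -> bool:
    """Re-derives the hash for the candidate and compares in constant time."""
    material = candidate[:TRUNCATE_AT] if truncating else candidate
    return hmac.compare_digest(record["hash"], _derive(material, record["salt"]))


def effective_length(password: str, truncating: bool) -> int:
    """How many characters of the password actually influence the stored hash."""
    return min(len(password), TRUNCATE_AT) if truncating else len(password)


if __name__ == "__main__":
    pw = "correct horse battery staple!!"          # 30 characters, constructed
    truncated = store_truncating(pw)
    full = store_full(pw)
    print("truncating scheme accepts first 16 alone:", verify(truncated, pw[:16], True))
    print("full scheme accepts first 16 alone:", verify(full, pw[:16], False))
    print("effective lengths:", effective_length(pw, True), effective_length(pw, False))
```

Under the truncating scheme, any two passwords that share their first 16 characters produce the same record, which is exactly the loss of security the post describes.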
I have contacted Microsoft about this issue. I will update you if and when I hear back.
Source: http://thenextweb.com