Hotmail: Your password was too long, so we fixed it for you

My previous password has been around 30 chars in size and now, it doesn’t work anymore. However, I could login by typing just the first 16 chars.

This limitation is well known (see Graham Cluley’s excellent post on the password limits of various services) however, what caught my attention was that by cutting the password to 16 chars, it would work.

To pull this trick with older passwords, Microsoft had two choices:

* store full plaintext passwords in their db; compare the first 16 chars only
* calculate the hash only on the first 16; ignore the rest

Storing plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password.

To be honest, I’m not sure which one is worse.

Securelist

Microsoft: Screwing up security and best-practices since, basically, ever!

I assume there’s nothing wrong with the water up there in Redmond, so why does MS keep doing this kind of stupid thing and not give an iota about security? Or standards? Or just good engineering?

Another good example is this one:

@bphogan: Example of NIH: Microsoft PowerShell: “New-item foo.txt -type file” instead of “touch foo.txt”

Microsoft could just have implemented some sort of POSIX-compliant shell (bash, zsh, and endless others), all freely available, all standards-compliant and all widely used in every other OS in the world. Instead they have to go and reinvent the wheel with some half-baked effort that is probably way more limited, way more insecure, and always halfway but never there.

Update: To answer the original poster, it is apparently the latter: MS has always stored only a hash of the first 16 characters of your password and simply ignored all the remaining ones.
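The two storage designs the Securelist post lays out, and the one the update settles on, as an added example that is not from Securelist or this blog: a constructed PBKDF2-based credential store that either truncates the password to 16 characters before hashing or hashes it in full, plus a check a service owner can run against their own login path to tell the two apart (register a long password, then try to log in with only its first 16 characters).

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed demo of the two designs described in the post. The
# truncating store mirrors the observed Hotmail behaviour (only the
# first 16 characters matter); the full-length store is what a service
# should do instead. The 16-character limit is the one the post reports.
TRUNCATE_AT = 16
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes, limit: Optional[int]) -> bytes:
    """Derive a key with PBKDF2-HMAC-SHA256, optionally truncating the password first."""
    material = password if limit is None else password[:limit]
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str, limit: Optional[int] = None) -> dict:
    """Create a stored credential record (salt + derived key), never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "key": _derive(password, salt, limit), "limit": limit}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against the stored record using a constant-time compare."""
    candidate = _derive(attempt, record["salt"], record["limit"])
    return hmac.compare_digest(candidate, record["key"])


def accepts_truncated_login(store: Callable[[str], dict], password: str,
                            limit: int = TRUNCATE_AT) -> bool:
    """Audit check: does `store` accept just the first `limit` characters of a long password?

    True means the store is silently discarding everything past `limit`.
    """
    if len(password) <= limit:
        raise ValueError("audit password must be longer than the suspected limit")
    record = store(password)
    return verify(record, password[:limit])


if __name__ == "__main__":
    long_pw = "correct-horse-battery-staple-2012"  # 33 chars, constructed
    truncating = lambda pw: make_record(pw, TRUNCATE_AT)
    full_length = lambda pw: make_record(pw, None)
    print("truncating store accepts first 16 chars:", accepts_truncated_login(truncating, long_pw))
    print("full-length store accepts first 16 chars:", accepts_truncated_login(full_length, long_pw))
```

Run against a real login endpoint the same check is just two requests: register with a long password, then attempt with its 16-character prefix; a successful login is the finding.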
