I noticed something odd a while back when using Microsoft Live mail. When I typed in my legitimate password to my e-mail account I got this error message:
“If you have been using a password longer than 16 characters, please enter the first 16?”
Sure enough, I put in the first 16 characters of the password and I was in. So in effect, it looks like they just buzzed their password database and truncated all the passwords down to 16.
But that is not all.
This morning I went to login to my Microsoft mail and got the good old “It’s time to change your password” message.
Well, yeah there was. I used several special characters and when I tried to use some of them, which were in my existing password, I received this message:
Okay, it looks like it accepted some of the special characters, but didn’t like others that I have used since I created the Hotmail Live account!
You have got to be kidding me…
What in the world is going on with Microsoft? Well, then I remembered, Windows 8 is being released and they want you to tie it in to a Microsoft account:
Sure you can use a different e-mail account, or even log in with a local password but they still want you to connect in to Microsoft account (Xbox, Live, etc.) for Windows 8's other features:
And of course don’t forget the new Microsoft Marketplace…
The reason? Looks like Windows 8 is capped at a 16 character limit for compatibility with existing Microsoft Accounts.
But let’s check Microsoft’s FAQ for strong passwords:
“Length. Make your passwords long with eight or more characters.”
Okay, we are good there, but what should I type? I need some examples…
Oh, thank you! That is so helpful!
Wait a minute… They are all over 16 characters long!!!
As length increases so does the cracking time. Passwords longer than 10 characters take an exponentially longer time to crack. So in all reality, 16 really shouldn’t be a problem. But all of my passwords are longer than that. And by shrinking the character set, limiting which special characters are allowed for compatibility with Microsoft’s other services, the passwords are less secure than they were before.
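As an added illustration (my own example, not code from the post or from Microsoft), the snippet below builds a constructed, hypothetical password store that silently hashes only the first 16 characters, shows how an audit can detect that truncation by checking which prefixes of a long probe password still verify, and compares the brute-force search space of the truncated and reduced-charset cases with the author's longer passwords. Function names, the 16-character limit used in the stand-in, and the charset sizes (95 printable ASCII vs 62 alphanumeric) are assumptions for the example.

```python
import hashlib
import hmac
import math
import os
from typing import Callable, Optional

# Constructed stand-in for a backend that silently truncates passwords
# before hashing, as the post describes. Not Microsoft's implementation.
MAX_LEN = 16


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def store_truncating(password: str, salt: bytes) -> bytes:
    # The defect: only the first MAX_LEN characters ever reach the hash.
    return _hash(password[:MAX_LEN], salt)


def verify_truncating(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(store_truncating(candidate, salt), stored)


def store_full(password: str, salt: bytes) -> bytes:
    # Correct behaviour: the whole password is hashed.
    return _hash(password, salt)


def verify_full(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(store_full(candidate, salt), stored)


def silently_truncates(store: Callable, verify: Callable, probe_len: int = 64) -> Optional[int]:
    """Audit a store/verify pair on a constructed long probe password.
    Returns the shortest prefix length that still verifies (the effective
    limit), or None when only the full password is accepted."""
    salt = os.urandom(16)
    probe = "".join(chr(33 + i % 90) for i in range(probe_len))  # printable ASCII
    stored = store(probe, salt)
    for n in range(1, probe_len):
        if verify(probe[:n], salt, stored):
            return n
    return None


def keyspace_bits(length: int, charset_size: int) -> float:
    """Bits of brute-force search space for a random password of this
    length drawn from a charset of this size: length * log2(charset)."""
    return length * math.log2(charset_size)
```

Run against your own authentication code, a non-None result from `silently_truncates` means users' extra characters are being discarded; `keyspace_bits(16, 95)` is about 105 bits, `keyspace_bits(16, 62)` about 95, and `keyspace_bits(24, 95)` about 158, which is the reduction the post is complaining about.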
It will be interesting to see if Microsoft changes this in the future.
It is cool though that Microsoft is trying to tie all their services together in the cloud, so that no matter where you log in, you will get a consistent look and feel, with all of your data available.
But hopefully we won’t get too many more of these:
Gotta love the cloud…
Cross-posted from Cyber Arms