Microsoft Forcing Users to Use Less Secure Passwords

Tuesday, September 18, 2012

Dan Dieterle


I noticed something odd a while back when using Microsoft Live mail. When I typed in my legitimate password to my e-mail account I got this error message:

“If you have been using a password longer than 16 characters, please enter the first 16?”

Sure enough, I put in the first 16 characters of the password and I was in. So in effect, it looks like they just buzzed their password database and truncated all the passwords down to 16.

But that is not all.

This morning I went to login to my Microsoft mail and got the good old “It’s time to change your password” message.

No problem!

Well, yeah there was. I used several special characters and when I tried to use some of them, which were in my existing password, I received this message:


Okay, it looks like it accepted some of the special characters, but didn’t like others that I have used since I created the Hotmail Live account!

You have got to be kidding me…

What in the world is going on with Microsoft? Well, then I remembered, Windows 8 is being released and they want you to tie it in to a Microsoft account:

Sure, you can use a different e-mail account, or even log in with a local password, but they still want you to connect to a Microsoft account (Xbox, Live, etc.) for Windows 8's other features:

And of course don’t forget the new Microsoft Marketplace…

The reason? Looks like Windows 8 is capped at a 16 character limit for compatibility with existing Microsoft Accounts.

But let’s check Microsoft’s FAQ for strong passwords:

“Length. Make your passwords long with eight or more characters.”

Okay, we are good there, but what should I type? I need some examples…

Oh, thank you! That is so helpful!

Wait a minute… They are all over 16 characters long!!!

As length increases so does the cracking time: every extra character multiplies the number of guesses a brute-force search has to try by the size of the character set, so passwords beyond about 10 characters take exponentially longer to crack. So in reality, 16 really shouldn't be a problem. But all of my passwords are longer than that. And by shrinking the character set, limiting special characters for compatibility with Microsoft's other services, the passwords are less secure than they were before.
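To make the two effects concrete, here is an added Python example (not code from the original post or from Microsoft) that models what a 16-character cap and a reduced character set do to the brute-force search space, and what a verifier that only compares the first 16 characters actually checks. The character-set sizes, the guess rate and the passphrase are constructed assumptions; the post does not say which special characters were rejected, so the example models the extremes of "all printable ASCII" versus "letters and digits only".

```python
import math
from typing import Optional

# Constructed character-set sizes (assumption: the post does not state which
# special characters were rejected, so we model the two extremes).
PRINTABLE_ASCII = 95        # letters, digits and all 33 printable symbols
ALPHANUMERIC_ONLY = 62      # letters and digits, no symbols at all


def keyspace_bits(length: int, charset_size: int) -> float:
    """Bits of search space for a uniformly chosen password: length * log2(charset).

    Each extra character multiplies the keyspace by charset_size, which is
    why cracking cost grows exponentially with length.
    """
    if length <= 0 or charset_size <= 1:
        raise ValueError("length must be positive and charset larger than 1")
    return length * math.log2(charset_size)


def effective_bits(length: int, charset_size: int,
                   max_length: Optional[int] = None,
                   max_charset: Optional[int] = None) -> float:
    """Keyspace bits after a policy truncates the length and/or restricts the charset.

    A silent truncation to max_length means only the first max_length
    characters are ever compared; a restricted charset shrinks every position.
    """
    eff_len = min(length, max_length) if max_length is not None else length
    eff_cs = min(charset_size, max_charset) if max_charset is not None else charset_size
    return keyspace_bits(eff_len, eff_cs)


def exhaustive_search_years(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def truncating_check(stored: str, candidate: str, limit: int = 16) -> bool:
    """Model of a verifier that only ever compares the first `limit` characters.

    This is the behaviour the post observed: the first 16 characters were
    accepted on their own. Anything after position 16 is ignored, so two
    different passwords sharing a 16-character prefix are interchangeable.
    """
    return candidate[:limit] == stored[:limit]


def policy_report(password_length: int) -> dict:
    """Compare a full-strength password with the same password under the
    observed 16-character cap combined with a symbol-free character set."""
    before = keyspace_bits(password_length, PRINTABLE_ASCII)
    after = effective_bits(password_length, PRINTABLE_ASCII,
                           max_length=16, max_charset=ALPHANUMERIC_ONLY)
    return {"bits_before": before, "bits_after": after, "bits_lost": before - after}


if __name__ == "__main__":
    rate = 1e10  # assumed offline hash-cracking rate in guesses/second (constructed)
    for n in (10, 16, 20, 24):
        r = policy_report(n)
        print(f"{n:>2} chars: {r['bits_before']:6.1f} bits -> {r['bits_after']:6.1f} bits "
              f"(lost {r['bits_lost']:5.1f}); worst-case search after cap: "
              f"{exhaustive_search_years(r['bits_after'], rate):.2e} years")

    # Constructed passphrase: under truncation only its first 16 characters matter.
    full = "correct horse battery staple"
    print(truncating_check(full, "correct horse battery staple"))   # accepted
    print(truncating_check(full, "correct horse baXXXXXXXXXXXX"))   # also accepted
    print(truncating_check(full, "correct horse bat"))              # also accepted
```

The report shows the two losses separately: a 24-character passphrase over printable ASCII loses about a third of its length and, with symbols removed, about 10% of the bits per remaining position, so the combined policy costs it more than 60 bits of search space. The `truncating_check` model is the detection angle for a defender: if a login succeeds with only the leading characters of a longer password, the back end is comparing a truncated value, whatever the published policy says.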

It will be interesting to see if Microsoft changes this in the future.

It is cool though that Microsoft is trying to tie all their services together in the cloud, so that no matter where you log in, you will get a consistent look and feel, with all of your data available.

But hopefully we won't get too many more of these:

Gotta love the cloud…

Cross-posted from Cyber Arms

Michael Johnson But..... why? If the passwords are being hashed, it shouldn't matter what the user sets, unless there's some really exotic character encoding going on. Unless Microsoft's servers can't handle the very basic hashing operation. They are hashing the passwords, aren't they?
Dan Dieterle Great questions Michael, I think the changes might have to do with the Xbox accounts and the existing Xbox keyboards (Not all the special characters are present).

To get all the systems and accounts to "play" together maybe they have reduced the passwords to the lowest existing policies.