Microsoft Forcing Users to Use Less Secure Passwords

Tuesday, September 18, 2012

Contributed By:
Dan Dieterle

I noticed something odd a while back when using Microsoft Live mail. When I typed in my legitimate password to my e-mail account I got this error message:

“If you have been using a password longer than 16 characters, please enter the first 16?”

Sure enough, I put in the first 16 characters of the password and I was in. So in effect, it looks like they just buzzed their password database and truncated all the passwords down to 16.

But that is not all.

This morning I went to login to my Microsoft mail and got the good old “It’s time to change your password” message.

No problem!

Well, yeah there was. I used several special characters and when I tried to use some of them, which were in my existing password, I received this message:

WHAT???

Okay, it looks like it accepted some of the special characters, but didn’t like others that I have used since I created the Hotmail Live account!

You have got to be kidding me…

What in the world is going on with Microsoft? Well, then I remembered, Windows 8 is being released and they want you to tie it in to a Microsoft account:

Sure you can use a different e-mail account, or even log in with a local password but they still want you to connect in to Microsoft account (Xbox, Live, etc.) for Windows 8′s other features:

And of course don’t forget the new Microsoft Marketplace…

The reason? Looks like Windows 8 is capped at a 16 character limit for compatibility with existing Microsoft Accounts.

But let’s check Microsoft’s FAQ for strong passwords:

“Length. Make your passwords long with eight or more characters.”

Okay, we are good there, but what should I type? I need some examples…

Oh, thank you! That is so helpful!

Wait a minute… They are all over 16 characters long!!!

As length increases so does the cracking time. Passwords longer than 10 characters take an exponentially longer time to crack. So in all reality, 16 really shouldn’t be a problem. But all of my passwords are longer than that. And with the decrease of the character set, by limiting special characters for compatibility with Microsoft’s other services, the passwords are less secure than they were before.

It will be interesting to see if Microsoft changes this in the future.

It is cool though that Microsoft is trying to tie all their services together in the cloud, so that no matter where you log in, you will get a consistent look and feel, with all of your data available.

But hopefully we won’t get to many more of these:

Gotta love the cloud…

Cross-posted from Cyber Arms

Share This! |

Views:	4194
Categories:	Vulnerabilities
Industries:	Information Security
Tags:	Microsoft Passwords cracking Application Security Access Control Cloud Computing online safety

Post Rating I Like this!

Comments:

Michael Johnson But..... why? If the passwords are being hashed, it shouldn't matter what the user sets, unless there's some really exotic character encoding going on. Unless Microsoft's servers can't handle the very basic hashing operation. They are hashing the passwords, aren't they?

1348146861

Dan Dieterle Great questions Michael, I think the changes might have to do with the Xbox accounts and the existing Xbox keyboards (Not all the special characters are present).

To get all the systems and accounts to "play" together maybe they have reduced the passwords to the lowest existing policies.

1348181829

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"I thought this article discuss a very important issue of security.If we have well developed technology in one particular field then we ..."

Mobile Security Processes Could Be Applied t... Johnnie Nix on 05-21-2013

"ATM machine are for our convenience but if we are not careful they can compromise our safety. Discount theater tickets "

ATM Security (And Really Learning from the P... Johnnie Nix on 05-21-2013

"A expressive case study is used to explore causation in order to find underlying principles. Case studies may be prospective in which c..."

New Study Published on Mobile Malware... Caitlin Rachel on 05-21-2013

"In the social sciences and life sciences a case study or case report is a descriptive or descriptive analysis of a someone, group or ev..."

Case Study: A Cloud Security Assessment... Caitlin Rachel on 05-21-2013