Secret Microsoft Policy Limited Hotmail Passwords to 16 Characters
By: Dan Goodin, Ars Technica
For years, Microsoft engineers have quietly limited Hotmail passwords
to 16 characters, a revelation that has surprised and concerned some
users who have long entered passcodes twice that long to access
One such user is Costin Raiu, the director of the global research and
analysis team at antivirus provider Kaspersky Lab. On Friday he
reported receiving a new error message
when he entered the same 30-character passcode he long used on the
Microsoft site. When he typed in the first 16 characters, as the error
message directed him to do, he was able to access his account just fine.
The change concerned Raiu, because it meant that for years his Hotmail
account hadn't been as secure as he was led to believe.
"To pull off this trick with older passwords, Microsoft has two
choices," he wrote. Choice one: "Store full plaintext passwords in their
[database]; compare the first 16 [characters] only." Choice two:
"Calculate the hash only on the first 16; ignore the rest."
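As an added illustration (not code from the article, from Raiu, or from Microsoft), the following Python models the second choice Raiu describes, hashing only the first 16 characters, beside a scheme that hashes the full password, together with an audit check that reveals silent truncation; the PBKDF2 parameters, function names and sample password are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo of two password-verification schemes: one that silently
# truncates before hashing (the behaviour the article describes) and one
# that hashes the full password. Parameters below are assumed, not Microsoft's.
TRUNCATE_AT = 16          # limit described in the article
PBKDF2_ROUNDS = 100_000   # assumed work factor for this demo


def derive(password: str, salt: bytes, max_len: Optional[int] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password, truncated to max_len characters first if set."""
    if max_len is not None:
        password = password[:max_len]   # everything past max_len is discarded
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(password: str, truncate: bool) -> dict:
    """Create a stored credential record; truncate=True selects the weak scheme."""
    salt = os.urandom(16)
    limit = TRUNCATE_AT if truncate else None
    return {"salt": salt, "hash": derive(password, salt, limit), "truncate": truncate}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored record."""
    limit = TRUNCATE_AT if record["truncate"] else None
    h = derive(candidate, record["salt"], limit)
    return hmac.compare_digest(h, record["hash"])


def accepts_prefix(record: dict, full_password: str, prefix_len: int = TRUNCATE_AT) -> bool:
    """Audit check: do the first prefix_len characters alone unlock the account?
    True means characters beyond prefix_len add nothing to the credential's strength."""
    if len(full_password) <= prefix_len:
        raise ValueError("use a password longer than prefix_len to test for truncation")
    return verify(record, full_password[:prefix_len])
```

Run against a real login endpoint, the same check (full password accepted, then its 16-character prefix accepted) is what exposed the limit in the article; in the model, only the truncating scheme returns True.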