Hotmail Limits Passwords to 16 Characters
Contributed by: Email on 09/21/2012 11:39 AM
[
Comments
]
Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it's surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users' passwords in plaintext.
It's not clear when Microsoft made the change to limit the number of characters allowed in the passwords for Hotmail accounts. But security researchers who looked at the new requirement found the change odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.
The real question, however, is what the implications of the change are. As Costin Raiu, head of Kaspersky Lab's GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.
"My previous password has been around 30 chars in size and now, it doesnt work anymore. However, I could login by typing just the first 16 chars," he wrote.
"To pull this trick with older passwords, Microsoft had two choices:
* store full plaintext passwords in their db; compare the first 16 chars only
* calculate the hash only on the first 16; ignore the rest
Storing plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, Im not sure which one is worse."
Microsoft officials did not respond to questions on this issue.
In order to keep passwords safe from snooping, many Web sites run users' plaintext passwords through a hash function, which obscures them. Depending upon which hash function is being used, and what kind of computers is used to do the cracking, the length of time needed to crack a password hash can vary greatly.
It's not clear when Microsoft made the change to limit the number of characters allowed in the passwords for Hotmail accounts. But security researchers who looked at the new requirement found the change odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.
The real question, however, is what the implications of the change are. As Costin Raiu, head of Kaspersky Lab's GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.
"My previous password has been around 30 chars in size and now, it doesnt work anymore. However, I could login by typing just the first 16 chars," he wrote.
"To pull this trick with older passwords, Microsoft had two choices:
* store full plaintext passwords in their db; compare the first 16 chars only
* calculate the hash only on the first 16; ignore the rest
Storing plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, Im not sure which one is worse."
Microsoft officials did not respond to questions on this issue.
In order to keep passwords safe from snooping, many Web sites run users' plaintext passwords through a hash function, which obscures them. Depending upon which hash function is being used, and what kind of computers is used to do the cracking, the length of time needed to crack a password hash can vary greatly.
Comments
