BYOD Security: Microsoft Hotmail Passwords Must Be 16 Characters Or Less.

It’s being reported that Hotmail, Microsoft’s free on-line email service, is alerting users that account passwords can “contain up to 16 characters.”  Common sense tells us that this is not necessarily the most secure practice in the world.  In fact, when it comes to portable device security, such as protecting a smartphone that is part of a BYOD initiative, such artificial limits are a bad idea.

But, that’s not necessarily the case for everyrhing, according to the blue chip company.  Microsoft is justifying its position by noting that password uniqueness is more important than length.

It’s Always Been that Way

Folks over at commented on the story :

This is ridiculous. It might not seem like a big deal to you as you probably don’t have such a long password, but the issue goes deeper. If Microsoft is suddenly only accepting the first 16 characters of long passwords, this can only mean one of two things, according to Kaspersky:

  • Store full plaintext passwords in their database and then compare the first 16 chars only.

  • Calculate the hash only on the first 16 and ignore the rest.

But then again, maybe not.  It was later pointed out that Microsoft had always limited password to 16 characters.  A further update by Microsoft noted that:

Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords. Sixteen characters has been the limit for years now. []

The Problem in My View

Microsoft is correct in pointing out that password uniqueness is more important than length.  However, they’re wrong in limiting passwords to 16 characters because they’re curbing uniqueness (the same thing they’re recommending) and affecting usability/memorization.

Whaaaa? you may ask.  How is a longer, more complex password more usable?  The answer lies in how you decide to structure your password.

For example, let’s say I have a Hotmail email account.  Perhaps my password will take this form, since it’s for Hotmail:  caliente1234arara$36c2736.  That’s 25 characters.  Broken down:

  • “Caliente” is Spanish for “hot”

  • 1234 because numbers are necessary

  • “Arara” is a macaw in Portuguese

  • $ to fulfill any special character needs

  • 36c-27-36 is supposedly Angelina Jolie’s measurements (I caught The Tourist on TV the other day)

All I have to do to recall my password is to imagine Angelina Jolie feeding a dollar sign to four Brazilian macaws on a hot Spanish day.  (I can’t “unsee” this image now.  Can you?)

Weird mental imagery makes things easier to remember.  The more unique (or weird) it is, the easier to remember it is.  In my experience, in order to make it more unique, you need at least four elements.  String them together and there’s your password.  The online comic xkcd pointed this out as well.  A 16 character limit means I’ve got to be careful on what elements I bring into play: namely, short-named ones.  I guess I could go around trying to memorize something like @#WFe9wj#29w!!@!.  That’s 16 characters.

But I can assure you it’s pretty @#WFe9wj#29w!!@! unlikely that I will.  If anything, I’ll memorize it and forget it. 

Related Articles and Sites:

Comments (0)

Let us know what you think