Microsoft's secret policy limits Hotmail passwords to 16 characters


For a long time, Microsoft engineers have quietly limited Hotmail passwords to 16 characters, a restriction that has surprised and concerned some users who have long entered passcodes twice that long to access their accounts.

One such customer is Costin Raiu, the director of the global research and analysis team at antivirus provider Kaspersky Lab. On Friday he reported receiving a new error message when he entered the same 30-character passcode he had long used on the Microsoft site. When he typed in only the first 16 characters, as the error message instructed him to do, he was able to access his account just fine. The change concerned Raiu, because it meant that for years his Hotmail account hadn't been as secure as he was led to believe.

"To pull off this trick with more mature passwords, Microsoft has two choices," he wrote. Choice one: "Store full plaintext passwords in their [database]; compare the first 16 [characters] only." Choice two: "Calculate the hash only on the first 16; ignore the snooze."

Storing millions of passwords as plaintext is among the biggest sins website administrators can commit. But Raiu wasn't pleased with the competing possibility, that "since its invention, Hotmail was silently using only the first 18 chars of the username and password." That would mean his passcode wasn't nearly as resistant to brute-force attacks as he had thought. "To be genuine, I'm not sure what type is worse," he wrote.
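
The second possibility Raiu describes, sketched as an added example (not code from the article or from Microsoft): a verifier that truncates to 16 characters before hashing accepts any input that shares the stored prefix, while one that hashes the full input does not. PBKDF2-SHA256, the iteration count and all function names are assumptions made for the sketch; the sample password is the one the article uses further down.

```python
import hashlib
import hmac
import os

MAX_LEN = 16          # limit reported in the article
ITERATIONS = 100_000  # assumed work factor for this sketch


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll_truncating(password: str, salt: bytes) -> bytes:
    """Hash only the first MAX_LEN characters; the rest is silently dropped."""
    return _pbkdf2(password[:MAX_LEN], salt)


def verify_truncating(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_pbkdf2(candidate[:MAX_LEN], salt), stored)


def enroll_full(password: str, salt: bytes) -> bytes:
    """Hash the whole input, so every character contributes to the stored value."""
    return _pbkdf2(password, salt)


def verify_full(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_pbkdf2(candidate, salt), stored)


def compare_policies(password: str) -> dict:
    """Return which candidates each verifier accepts for one enrolled password."""
    salt = os.urandom(16)
    candidates = {
        "full": password,
        "prefix_only": password[:MAX_LEN],
        "prefix_plus_junk": password[:MAX_LEN] + "-constructed-suffix",
    }
    trunc_hash = enroll_truncating(password, salt)
    full_hash = enroll_full(password, salt)
    return {
        name: {
            "truncating": verify_truncating(cand, salt, trunc_hash),
            "full": verify_full(cand, salt, full_hash),
        }
        for name, cand in candidates.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies("secretpasswordtomaleedisonomega").items():
        print(f"{name:18} {result}")
```
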

The limitation is in stark contrast to those on services such as Gmail, which reportedly allows passwords as long as 200 characters, or even Yahoo Mail, which allows 32-character passwords.

Longer is better, but uniqueness is best

A Microsoft representative told Ars that "Sixteen characters has been the limit for years now" and downplayed concerns that the policy unnecessarily exposes users to account breaches.

"Please notice our research has shown uniqueness is more important than length and (like all major account systems) we see criminals make an attempt to victimize our customers in several ways," she wrote in an e-mail. "However, while we agree that generally speaking longer is better, we've found the great majority of attacks are through phishing, malware-contaminated machines, and the recycle of passwords on third-party sites--none of which are helped by very long passwords."

The spokeswoman declined to say why Microsoft passwords are required to be so much shorter than passphrases allowed by competing services. In a blog post from July, however, Eric Doerr, a Microsoft Group program manager for Microsoft medical data, suggested the limitation is the result of engineering decisions designed to make passwords work across multiple product lines.

"Password length--we will work on increasing this," he wrote in a brief comment accompanying the blog post. "Unfortunately, for historical reasons, the password validation common sense is decentralized across different products, so it's a bigger change than it should be and will take longer to get to market."

The spokeswoman's response seems to suggest Microsoft engineers don't store passwords in plaintext, although the spokeswoman didn't address that issue despite Ars specifically asking about it. Assuming the passcodes are stored as one-way cryptographic hashes generated with the PBKDF2 key derivation function, SHA512crypt, or another algorithm designed to securely hash passwords, Microsoft is mostly right in downplaying the consequences of the 16-character limitation. That's because, in spite of the growing sophistication of password cracking, brute-force attackers hit an "exponential wall" when trying to cycle through every possible password longer than about eight characters.

Even when attackers use super-charged computing resources from Amazon's cloud-based services, a unique, randomly generated password of more than eight characters takes on average more than a week to guess. Each additional character adds an order of magnitude more time to the process.

False sense of security

The most important problem with the limitation is the fact that Microsoft has silently enforced the policy. That means users like Raiu believed as many as 30 characters were required to access an account when in fact significantly fewer were needed. Depending on the password, this secret policy may have made accounts less secure than intended. Imagine, for instance, that a customer picked "secretpasswordtomaleedisonomega" as the passcode to log in to Hotmail. The chances of it falling prey to a cracking attack are significantly more remote than those of "secretpasswordto," the text string that contains the first 16 characters of the intended password. By concealing the 16-character maximum for all these years, Microsoft may have given users a false sense of security.

In his July post, Microsoft's Doerr said the company is in the process of moving beyond the use of mere passwords to grant users access to their sensitive account data. Both the Xbox.com domain and its SkyDrive file hosting service, for example, require two-factor authentication to carry out many activities.

"We are learning a lot from this and possess more in the works," he wrote. "We see two-factor auth to be a more and more important piece of our protection suite."