Thursday, September 27, 2012

Microsoft prohibits long passwords on online services

Microsoft has decided that you can no longer use long passwords on its online services. If you are paranoid about security and built your password by banging your head on the keyboard dozens of times, the next time you try to sign in to your Microsoft account you will receive a message telling you to enter only the first 16 characters.


The 16-character limit began when Microsoft released Outlook.com in late July, but older users could still use longer passwords. Those with accounts on competing services can also create longer combinations: up to 32 characters on Yahoo and up to 200 characters on Gmail, according to Sophos.

"Okay, what's wrong with that?" you may be wondering. After all, a well-formed 16-character password is secure enough not to be discovered even after years of brute force. But the problem runs deeper. The error message states clearly: "If you use a password longer than 16 characters, enter the first 16 characters."

This can mean two things, according to Kaspersky. The first is that Microsoft stores user passwords in cleartext, which could cause huge damage if someone gains access to the company's servers, affecting more than 360 million accounts. The second is that Microsoft's login system only calculates the hash of the first 16 characters.

Both cases are severe. Storing passwords in plain text is a basic error; the correct approach is to store the password hash, which makes recovery impossible if the combination is not in a dictionary of hashes. The second option is also bad: if the system only calculates the hash of the first 16 characters, then all users who chose longer passwords, thinking they were safer, were not.
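The second case can be checked from the outside. The following is an added example, not Microsoft's code and not from the original post: a toy in-memory account store (the names `make_store` and `truncation_length` and the choice of PBKDF2 are assumptions made for illustration) that hashes either the full password or only its first 16 characters, plus a black-box probe that reports where a verifier stops reading the password.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # the limit quoted in the error message


def make_store(truncate):
    """Return (register, verify) for a toy in-memory account store."""
    db = {}

    def _hash(password, salt):
        if truncate:
            password = password[:MAX_LEN]  # silent truncation before hashing
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(user, password):
        salt = os.urandom(16)
        db[user] = (salt, _hash(password, salt))

    def verify(user, password):
        salt, stored = db[user]
        return hmac.compare_digest(stored, _hash(password, salt))

    return register, verify


def truncation_length(register, verify, probe_len=40):
    """Black-box check: return the length at which the verifier stops
    reading the password, or None if every character matters."""
    # Constructed probe password with no repeated 16-character prefix.
    password = "".join(chr(ord("a") + i % 26) for i in range(probe_len))
    register("probe", password)
    if not verify("probe", password):
        raise RuntimeError("verifier rejected the correct password")
    for n in range(1, probe_len):
        if verify("probe", password[:n]):
            return n  # a shorter prefix logs in: the tail is ignored
    return None


if __name__ == "__main__":
    for name, truncate in (("truncating", True), ("full-length", False)):
        register, verify = make_store(truncate)
        print(name, "->", truncation_length(register, verify))
```

Against the truncating store the probe reports 16: everything a user typed after the sixteenth character added nothing to the stored hash.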

Microsoft has not commented officially on the matter. The Next Web believes the problem may not be so serious: all this time, Microsoft has been storing your password in at least two formats (one with 16 characters and one complete), making the implementation of the new login system possible. So we wait.