Sophos Cloud Optix
Outlook.com, Microsoft’s relaunch for Hotmail, has already had over one million new sign-ups from users keen to try it out.
Jokers were also quick to grab available email addresses, beating Microsoft’s CEO to the punch by grabbing steveballmer@outlook.com and donotreply@outlook.com, for instance.
Although these addresses were no doubt acquired for fun, there can be little doubt that phishers and spammers also raced to acquire email addresses that they might try to deploy in attacks and scams in the future.
But what caught my eye when reading Twitter today, was discussion about something else related to Outlook.com – the maximum password length it imposes.
It seems that Outlook.com won’t let you have a password of longer than 16 characters. (The same was true of Hotmail).
So, how does this compare to its rivals in the webmail market?
Yahoo fairs somewhat better – allowing you to have up to 32 characters (although I think a minimum of six characters is too short).
And when registering an account with Gmail, I was unable to hit a limit on password length. However, as I tried to log into an account I had created with a ridiculously long password I was told I could only enter 200 characters.
Shouldn’t Outlook.com be giving users the option of having longer passwords like Yahoo and Gmail do?
It’s not as though Microsoft has to store the passwords – I’m hoping (boy.. I’m so hoping..) that they don’t store your password at all, but instead generate a salted hash or checksum based upon your password.
Then, whenever you log in, they can compare the salted hash of the password that is entered to the salted hash that they store in their database. If they match, the password has been entered correctly.
Longer passwords aren’t necessarily better just because they’re longer, of course. A password such as “12345678901234567890” is probably not going to be as hard to crack as “v4L61^3Fes@zEkiR” even though it’s longer.
But generally, if you don’t choose a password that’s easy to guess or crack, longer is better.
So it’s a shame to see the new Outlook.com miss an opportunity to encourage the use of longer passwords. Anything which encourages users to choose hard-to-crack, hard-to-guess, unique passwords is good in my book.
If you want to learn more about password security make sure to listen to our podcast which busts password myths; and watch our video where we explain how to create a password that’s hard to crack but easy to remember, and the importance of not using the same password on multiple websites.
Google also allows two factor or what they call two-step verification using an OTP.
Also, the lesson from LinkedIn is that storage using salted hashes is useless if there is no key stretching.
Thank you kindly for writing this article.
I for one will be providing feedback to Microsoft on this since having always used long passwords it is a shame that only 16 characters are allowed. Microsoft offer you the chance to provide feedback on Outlook.com in general and this is exactly what I going to do and use the links that you provided on this blog post as evidence to support my point.
This is 2012; we should not be limited by password lengths this short. RAM is cheap and programming in 2012 should at least make better use of it for security reasons.
My previous Hotmail password had 18 characters but about 2 weeks ago I couldn’t sign with it. A message appeared at sign in to tell me to simply type the first 16 characters and ignore the remaining 2 characters, which then worked. I simply thought this was strange at the time. I suspect that all along the remaining 2 characters were ignored even when I did type them.
Now we have Outlook.com with the same limit so I will be voicing a strong case to increase the limit for those that want longer passwords. My other passwords are already strong as I follow your advice on this blog for creating them and I should be allowed to have any reasonable length password.
I am sure there will be those who will brand me as paranoid, OCD or tell me to wear a aluminium foil hat but with hackers accessing services like Dropbox, Nvidia forums, Yahoo, LinkedIn and Last.FM to name but a few we should be using the strongest passwords we can. That way if the service is compromised your password will put at the bottom of the pile for cracking since it will simply take too long to do so. Some of my passwords take about 700 centuries with an $180,000 password attacker when analysed by the Password Strength Analyzer at:
https://passfault.appspot.com/password_strength.h…
I really don’t think a hacker will bother with my passwords of this strength.
By the way, I really like the new Outlook.com service. It’s well designed and is efficient to use. I just hope that this small password issue can be resolved.
Thanks again for highlighting this issue to a wider audience.
Correcting typos from above post:
——————————————————–
Microsoft offer you the chance to provide feedback on Outlook.com in general and this is exactly what I am going to do and use the links that you provided on this blog post as evidence to support my point.
——————————————————–
I am sure there will be those who will brand me as paranoid, OCD or tell me to wear an aluminium foil hat but with hackers accessing services like Dropbox, Nvidia forums, Yahoo, LinkedIn and Last.FM to name but a few we should be using the strongest passwords we can.
——————————————————–
Long passwords are nice, but what about a maximum number of attempts, in order to prevent brute force attacks ? And is some kind of multi-factor authentication with a softtoken not possible, in order to defeat keyloggers which steal credentials ?
After all, strong passwords are ineffective against many kinds of attacks, due to which it is just a part of the solution. Users can't introduce softtokens or maximum number of logon attempts, but Microsoft, Google and others can.
Excellent points. Limiting the max number of attempts, together with even a measly 16-character password, would defeat most attempts at breach, I think.
For me, soft token authentication is a nuisance for routine access; I prefer an initial log-on page followed by another that requires another pass-phrase.
Hi N. Groeneveld,
I totally agree. I will also submit feedback to Outlook.com about introducing 2 factor authentication and maximum login attempts. Perhaps you could also submit such feedback?
Thanks.
It’s even worse than that. For as long as I can remember I have had a 32-character password for Microsoft Id / Windows Live, but in order to sign in to my account (now called Microsoft Account) yesterday I had to truncate it to 16 chars. Was the system previously truncating the password without mentioning it, or has the max. length been changed?
Hi John,
From what I can tell, it was always truncating it. When you were entering your 32 character password (that’s a great length to choose by the way) the system would simply ignore the remaining 16 characters.
I found this with my 18 character password, until about 2 weeks it was accepted no problem. Then I was asked to enter only the first 16 characters. Since there was no error until then, the system must have ignored (truncated) the extra 2 characters.
I think we all need to ask for a longer length of password from Outlook.com. Would you agree?
Thanks.
Rated: PG-17
None but the woefully, er… under-gifted would argue that size does not matter but I think 16 characters is sufficient. If that 16-character field is actually USED as security pros recommend —upper/lower case, symbols, numbers– then users would be pretty secure, I think. Of course, if one is the specific target of some highly funded, highly skilled malcreant, then perhaps 16 isn't enough.
"Sixteen isn't enough"? Sheesh! Some people just can't be satisfied.
Actually, the real beef is that a 16 character limit prevents a user from choosing a long but simple to remember passphrase. The security advice regarding passwords and passphrases are quite distinct.
Punctuation and symbols are largely irrelevant when your passphrase is composed of 6 random words.
Sixteen characters is more than enough if the password is created properly. A random 16 character password using the available keyspace has about 105 bits of entropy or roughly 4 x 10^31 possible combinations. Do the math. Even with massive computing power that can run trillions of combinations a second, it takes a huge amount of time to brute force.
Hi Alan,
While I agree with you that the maths don’t lie, I will still try to have the password length increased. I am not the only one who would like the option of having this. Fellow commenter , John Landais has much longer passwords and LRD would like this option too.
Using a Password Analyzer: https://passfault.appspot.com/password_strength.h…
verifies your calculations of a 16 character random password being sufficient i.e. one of my passwords of that length would take 300 years to crack.
Thanks for your contribution.
yes if you password is randomly generated 16 chars is enough. However if your password is something that you can actually remember and still secure it needs to be longer. pass phrases can end up being pretty long, still secure but you need that length to keep them that way.
Here's one that very well may be worse… I recently discovered that the website for an in-store credit card recently changed their password policies; for the worse. As of about a month ago, you are no longer able to use special characters in your password.
CorrectHorseBatteryStaple won't even fit! Whatever shall we do?
This isn't just Outlook, it is Microsoft Store on Windows 8, I spend ages wondering why i couldn't login then last week while logging into msn it told me I was using over 16 chars in my password and please type in the first 16 chars._So I changed my password to 16 chars and there I could log into the MS store..__This is dam annoying as I want to choose the length of my pasword especially when I may have important files in my skydrive. I don't but still that's not the point!__You said it was the same on MSN but I never got warned about using long passwords then, so are you sure?__"So it's a shame to see the new Outlook.com miss an opportunity to encourage the use of longer passwords. Anything which encourages users to choose hard-to-crack, hard-to-guess, unique passwords is good in my book."__Totally agree!
The Canadian Imperial Bank of Commerce, one of Canada's leading banks, online banking requires the user to select a password of 8 characters – one must be a upper case, and one must be a number – more than 8, no other characters – alphanumeric only.
But, they do guarantee their security.
I
A bank should only allow about three incorrect attempts before locking you out.
If your bank doesn't do this – change banks!
16 characters is more than enough for good security. I have an 11 digit PW that the Password security calculator estimated would take 43 centuries to crack with a supercomputer.
For an online attack presumably?
I have used Ophcrack to audit XP and AD passwords with the XP Special Characters rainbow tables and with them on a bootable USB flash drive, 14 character passwords consisting of random uppercase, lowercase, numeric and special characters takes literally a few minutes.
Seriously, this pseudo-random non-dictionary 14-character password takes just minutes to crack…
Y0t9r^LGJM=0xW
1) The above links to a password analyser are (fortunately) broken.
2) Nevertheless, directing readers of this article to any website which encourages people to submit passwords online so as to “test their strength” seems a surefire way of ensuring that the strong password you have submitted is known out there!
Is Sophos serious or stupid?
As long as you're only supplying a password or passphrase to test, but not the associated login, it should be pretty safe.
Putting such a small limit on their passwords suggests to me that they are not hashing at all, since hashes take input of arbitrary length and provide output of a fixed length hash. Cryptographically secure one-way hashes of course making reversal from hash to original or equivalent collision password infeasible.
The only reason I would see for enforcing a limit would be in both their internal algorithms and input validated fields, to prevent abuses such as attempted buffer overflow exploitation.
In a case like that I might enforce something like a 256 character limit which should provide a reasonable limit even for people who use lengthy passphrases and not bother advertising the limit unless someone actually tried to use a password longer than that.
I tried the "Preview" of the Outlook.com email system, and it really stinks!
There are virtually no email server features we are used to compared to the usual
MSN, Live and Hotmail email client or direct login screens.
Outlook.com is so oversimplified I can't see using it for any reason, even to change
my email address and give up the ones I have now. It's not even worth bothering to
create a new account with, that's how featureless the Outlook.com email system is.
Password strength is largely irrelevant for online security.
The main authentication risks these days are password re-use, password database disclosures and key-loggers. Password strength is of no help for any of these risks.
Any system which does not control the rate of authentication attempts is vulnerable, regardless of what password policy is in place.
You forgot security questions. A lot of famous people's accounts have been 'hacked' in the last few years simply by calling up armed with some public facts about the person… My password is largely irrelevant if someone can just lookup info about me call up and bypass it :/
I try to control my own password re-use by using a password manager for sites I rarely visit and don't really need to keep memorized and systematically altering my passwords for each site. I'm not sure how much the systematic altering of the passwords helps, as there are programs out there probably sophisticated enough to figure out the system- but it does mean they can't straight up re-used the same password. I've been thinking to moving everything to the password manager… but they need to get a bit more convenient on things like phones and cross operating systems to make it worth it.
I have never given much thought to this because most of the places that want a password don't know who I am and I don't think hackers are at all interested in me. But I did run my 13 digit password that I do use and this is what https://passfault.appspot.com/password_strength.h… said about it: Time To Crack: 2753 centuriesTotal Passwords in Pattern: 8 Quintillion
Outlook
They have since increased the length, but there is now a warning on the password setting page. The warning says: “Warning: Passwords longer than 16 characters cannot be used with the Xbox 360”