Hotmail Limits Passwords to 16 Characters

Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it’s surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users’ passwords in plaintext.

HotmailPasswords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it’s surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users’ passwords in plaintext.

Microsoft officials say that there has been a 16-character limit for Hotmail accounts for some time. But security researchers who looked at the requirement found it odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.

The real question, however, is what the implications of the change are. As Costin Raiu, head of Kaspersky Lab’s GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.

My previous password has been around 30 chars in size and now, it doesn’t work anymore. However, I could login by typing just the first 16 chars,” he wrote.

To pull this trick with older passwords, Microsoft had two choices:

* store full plaintext passwords in their db; compare the first 16 chars only 
* calculate the hash only on the first 16; ignore the rest

Storing plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, I’m not sure which one is worse.”

Microsoft officials did not respond to questions on this issue.

In order to keep passwords safe from snooping, many Web sites run users’ plaintext passwords through a hash function, which obscures them. Depending upon which hash function is being used, and what kind of computers is used to do the cracking, the length of time needed to crack a password hash can vary greatly. 

Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords,” a Microsoft spokesman said. 

“Sixteen characters has been the limit for years now. We will always prioritize the protection needs of users’ accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services.”

This story was updated on Sept. 24 to add a comment from Microsoft. 

Suggested articles

Discussion

  • Who uses that many? on

    characters for a password??

  • Anonymous on

    People who use pass phrases instead of passwords use that many characters.  Regardless of who uses the capability, it's troubling.

     

  • Anonymous on

    Actually, Hotmail and most other MS online services have always had a documented 16-character max limit, due to having been stood up around 2000.  MD5 password hashes have the same limit, which is why a fair number of Linux distros also have the same 16-character max limit, unless you or the distro took action to upgrade the password hashing method.  MS has almost certainly NOT been storing passwords in plaintext, they've been truncating them.  

    This was a kerfuffle on the Internets a month ago when people realized Windows 8 would have the same limit if you used the OPTIONAL OPTION to use your Hotmail/MS online  password as your Windows user / single signon password.  Which of course probably isn't the choice that security conscious types should make in the first place.

    It sounds sub-optimal, but in reality the 16-character password limit affects VERY few people... Just those people who are security conscious to use a 17+ character password... But not security conscious enough to choose a more secure place to store their email, online backups, etc. than on the Internet cloud in a free Microsoft service.  Which in an ideal world really should be a category containing zero people.  "Cheap, fast and secure, pick two."

  • Anonymous on

    Actually, Hotmail and most other MS online services have always had a documented 16-character max limit, due to having been stood up around 2000.  MD5 password hashes have the same limit, which is why a fair number of Linux distros also have the same 16-character max limit, unless you or the distro took action to upgrade the password hashing method.  MS has almost certainly NOT been storing passwords in plaintext, they've been truncating them.  

    This was a kerfuffle on the Internets a month ago when people realized Windows 8 would have to enforce the same password limit, *if* you used the OPTIONAL OPTION to use your Hotmail/MS online  password as your Windows user / single signon password.  Which of course probably isn't the choice that security conscious types should make in the first place.

    It sounds sub-optimal, but in reality the 16-character password limit affects VERY few people... Just those people who are security conscious to use a 17+ character password... But not security conscious enough to choose a more secure place to store their email, online backups, etc. than on the Internet cloud in a free Microsoft service.  Which in an ideal world really should be a category containing zero people.  "Cheap, fast and secure, pick two."

  • Wayne on

    Microsoft have been using 16 characters for ever. They just ignored the rest. If you google it you will find results talking about it.

  • Jan van Niekerk on

    You do not have to store a password in plain text in order to make random adjustments to the plain text version. If the entire password is sent at login, then such changes can be made at login time.
  • Anonymous on

    Back when I used to use POP3 to access Hotmail, the limit was 14 characters in a POP3 password. It was a hard limit, the logon failed if you used a longer PW. I actually had a longer Hotmail password but when I tried POP3 it took me ages to get it working until I found out about the 14 char limit. BTW POP3 used to get the mail without having to wade through all of the slow sludge of the Hotmail interface. It may be different now but I don't use Hotmail so I don't know.

  • Rahima on

    I WANT YOU

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.