But it was the second part of the error message that got him thinking. “If you’ve been using a password that has more than 16 characters, enter the first 16.” For Riau, that meant that the last 20 characters of the strong password he used to set up and successfully use the account in the past was no longer, or had never been, used. For the first option, it would mean that Microsoft has been storing the passwords in plaintext. Only then could it discard the latter part and still function with the original first 16. But, “Storing plaintext passwords for online services is a definite no-no in security,” he said.
For the second option, it would mean that Microsoft had always truncated passwords of whatever additional length to the first 16, and had generated and stored a hash of the first 16 characters only. “To be honest,” said Raiu, “I’m not sure which one is worse.” Well, the first the is worse; but the reality that Hotmail uses passwords of a maximum 16 characters surprises and dismays many security experts.
Graham Cluley of Sophos has compared the three primary webmail providers: Microsoft, Yahoo and Google. Hotmail allows 16 characters; Yahoo allows 32 characters; Gmail allows 200 characters. Generally, said Cluley, “longer is better.”
Microsoft has now provided two comments on the issue. The first is online in its ‘Microsoft account Help & How-to’: “Actually, Windows Live ID passwords were always limited to 16 characters—any additional password characters were ignored by the sign-in process. When we changed "Windows Live ID" to "Microsoft account," we also updated the sign-in page to let you know that only the first 16 characters of your password are necessary.”
The second comment was a statement to TheNextWeb. It said that Microsoft “research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords.”
This, however, sounds less an argument for short passwords than an excuse for not having long passwords. The fact remains that if hackers ever got access to the hotmail database, it would be a lot easier to hack Costin Riau’s actual 16 character password than the 36 character password he thought he was using.