[ISN] Secret Microsoft policy limited Hotmail passwords to 16 characters

From: InfoSec News <alerts_at_private>
Date: Tue, 25 Sep 2012 04:19:27 -0500 (CDT)
http://arstechnica.com/security/2012/09/secret-microsoft-policy-limited-hotmail-passwords-to-16-characters/

By Dan Goodin
Ars Technica
Sept 24 2012

For years, Microsoft engineers have quietly limited Hotmail passwords to 
16 characters, a revelation that has surprised and concerned some users 
who have long entered passcodes twice that long to access accounts.

One such user is Costin Raiu, the director of the global research and 
analysis team at antivirus provider Kaspersky Lab. On Friday he reported 
receiving a new error message when he entered the same 30-character 
passcode he long used on the Microsoft site. When he typed in the first 
16 characters, as the error message directed him to do, he was able to 
access his account just fine. The change concerned Raiu, because it 
meant that for years his Hotmail account hadn't been as secure as he was 
led to believe.

"To pull off this trick with older passwords, Microsoft has two 
choices," he wrote. Choice one: "Store full plaintext passwords in their 
[database]; compare the first 16 [characters] only." Choice two: 
"Calculate the hash only on the first 16; ignore the rest."

Storing millions of passwords as plaintext is among the biggest sins 
website administrators can commit. But Raiu wasn't pleased with the 
competing possibility, that "since its inception, Hotmail was silently 
using only the first 16 chars of the password." That would mean his 
passcode wasn't nearly as resistant to brute-force attacks as he had 
thought. "To be honest, I'm not sure which one is worse," he wrote.
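The two possibilities Raiu describes differ only in whether the password is cut to 16 characters before it is hashed and compared. The following is an added example, not Microsoft's or Ars Technica's code, that models the "calculate the hash only on the first 16" choice beside a store that hashes the full password, and includes the check Raiu effectively ran on his own account: does the 16-character prefix of a known password also verify? The `PasswordStore` class, the PBKDF2 parameters and the sample password are all constructed for illustration.

```python
import hashlib
import hmac
import os


def hash_password(password, salt, max_len=None):
    """PBKDF2-HMAC-SHA256 over the password, optionally truncated first.

    max_len=16 models the "hash only the first 16 characters" behaviour
    described in the article; max_len=None hashes the whole password.
    """
    if max_len is not None:
        password = password[:max_len]  # the silent truncation
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordStore:
    """Minimal salted-hash store; the max_len knob is the only difference."""

    def __init__(self, max_len=None):
        self.max_len = max_len
        self.records = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, hash_password(password, salt, self.max_len))

    def verify(self, user, password):
        salt, stored = self.records[user]
        candidate = hash_password(password, salt, self.max_len)
        return hmac.compare_digest(stored, candidate)


def silently_truncates(store, user, password, probe_len=16):
    """Defender's check on an account you own: does a prefix of the real
    password log in as well? A True result means the effective password
    length, and so the brute-force resistance, is only probe_len."""
    if len(password) <= probe_len:
        raise ValueError("need a password longer than probe_len to test")
    return store.verify(user, password[:probe_len])


if __name__ == "__main__":
    pw = "correct-horse-battery-staple-x"  # 30 characters, constructed
    for label, store in (("truncating", PasswordStore(max_len=16)),
                         ("full", PasswordStore())):
        store.register("raiu", pw)
        print(label, "accepts 16-char prefix:",
              silently_truncates(store, "raiu", pw))
```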

[...]


--
ExpandingSecurity.com Live OnLine classes won't wreck your schedule.
Get that cert and be done before 2012 ends. Last ISSAP 2012 class starts
Sept. 25th. Last 2012 CISSP and CEH starts Oct. 1:
CEH info signup: http://www.expandingsecurity.com/product/ceh-certified-ethical-hacker-online/
CISSP info signup: http://www.expandingsecurity.com/product/cissp-live-online-10-week-course/
ISSAP info signup: http://www.expandingsecurity.com/product/issap-information-systems-security-architecture-professional/ 
Received on Tue Sep 25 2012 - 02:19:27 PDT