Not More Than 16 Characters?!?

Microsoft, you’re killing me. This is the warning I received when typing in a password for Office 365:

More More Than 16 Characters

I blinked when I saw the warning, “Your password can’t be longer than 16 characters.” I couldn’t believe that I had gotten that warning, so I erased what I had typed for a password and started typing 1, 2, 3, etc., to see if this warning did trip at 17 characters. It did. Why in the world is there a limitation on password length if you’re going to do a hash my password? And if you had to pick a limit, why 16 characters? Why not 50 or 100 or 255?

I’ll give Microsoft credit for password complexity requirements:

  • Require uppercase
  • Require lowercase
  • Require number
  • Require a special character from a select list

However, we know that password length tends to be more important as long as you stay away from dictionary words. Therefore, if you’re building a system that takes passwords, don’t limit password length and use secure hashing algorithms and store the hash.

Advertisements

7 Comments (+add yours?)

  1. Trackback: Password-Limiting Moves – Curated SQL
  2. Thomas Franz
    Jun 16, 2016 @ 10:45:40

    The same is sadly true for many (big) companies (which are claiming that it is for technical reasons and could not be changed)…

    But worser is a minmal lenght for the security answer to questions as “What was the name of your first pet?”. Its riddiculous when your fish was named Bob but you have to fill up it to 6 or 8 characters …

    Reply

  3. John
    Jun 16, 2016 @ 11:09:28

    Maybe that’s all that the DOJ can decrypt?

    Reply

  4. Danimal
    Jun 16, 2016 @ 11:58:31

    I saw this too, about a year ago, for MicrosoftIDs. Ridiculous.

    Reply

  5. Michael Powell
    Jun 16, 2016 @ 12:06:52

    Because a secure password scheme does not store your password itself, but rather a secured hash, which is far longer than 16 characters.

    Reply

  6. Tom Thomson
    Jun 16, 2016 @ 13:36:28

    This sort of restriction drives me crazy. By default, I go for 20 characters (and autogenerate passwords according to a policy defined in my password safe), and I get irritated when I have to define extra password policies (whether to use a shorter length, or to exclude some characters and define a longer length to compensate, or – worst of all – to use a shorter length and exclude some characters). I though Microsoft would have more sense but …

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: