Microsoft, you’re killing me. This is the warning I received when typing in a password for Office 365:
I blinked when I saw the warning, “Your password can’t be longer than 16 characters.” I couldn’t believe that I had gotten that warning, so I erased what I had typed for a password and started typing 1, 2, 3, etc., to see whether the warning really tripped at 17 characters. It did. Why in the world is there a limitation on password length if you’re going to hash my password? And if you had to pick a limit, why 16 characters? Why not 50 or 100 or 255?
I’ll give Microsoft credit for password complexity requirements:
- Require uppercase
- Require lowercase
- Require number
- Require a special character from a select list
However, we know that password length matters more than character-class rules: every extra character multiplies the attacker’s search space, and a 16-character cap throws most of that margin away, provided you stay away from dictionary words and other predictable patterns. Therefore, if you’re building a system that takes passwords, don’t impose a short length limit. Accept long passwords (a generous ceiling of a few hundred characters is fine, and exists only to bound the cost of hashing attacker-supplied input), run them through a salted, deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2, and store only the hash. If you pick bcrypt, know that it only looks at the first 72 bytes of the password; that is the one kind of length limit with a technical reason behind it, and 16 characters is not it.
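To make the point concrete, here is an added example (my own code, not Microsoft’s and not from the original post) of a password acceptance path done the way the paragraph above recommends: the composition rules the post credits Microsoft for, a minimum length, a generous ceiling instead of a 16-character cap, a salted PBKDF2-HMAC-SHA256 hash from the Python standard library, and a constant-time verify. The policy numbers (12 minimum, 256 maximum, 600,000 iterations) and the special-character list are assumptions chosen for the example. It also includes a small keyspace calculation that shows why a 30-character lowercase passphrase out-muscles a 16-character “complex” password.

```python
import hashlib
import hmac
import math
import os
from typing import List, Optional

# Policy constants for this example (assumed values, not Office 365's).
MIN_LENGTH = 12
MAX_LENGTH = 256           # a ceiling to bound hashing cost, not a 16-char cap
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"   # assumed "select list" of specials
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_policy(password: str) -> List[str]:
    """Return every policy violation; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def keyspace_bits(password: str) -> float:
    """Search-space size, in bits, for a brute-force attacker who knows which
    character classes the password draws from: length * log2(alphabet size)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SPECIALS for c in password):
        alphabet += len(SPECIALS)
    if " " in password:
        alphabet += 1
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt and return a self-describing record.
    Only this string is stored; the password itself never is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample passwords: a 17-character one that Office 365 would
    # have refused, and two that show length beating character classes.
    seventeen = "Sev3nteen-Chars!!"
    print("policy:", check_policy(seventeen) or "accepted")
    record = hash_password(seventeen)
    print("stored:", record)
    print("verify:", verify_password(seventeen, record))
    print("16 mixed chars :", round(keyspace_bits("Aa1!Aa1!Aa1!Aa1!"), 1), "bits")
    print("30 lowercase   :", round(keyspace_bits("abcdefghijklmnopqrstuvwxyzabcd"), 1), "bits")
```

The composition checks are kept because the post credits Microsoft for them, but note that current guidance (NIST SP 800-63B) favors length and a breached-password blocklist over forced character classes; the `MAX_LENGTH` ceiling is there only so an attacker cannot hand you a multi-megabyte string and make you PBKDF2 it 600,000 times per request.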