Old News: Microsoft Account Passwords Always Discarded Characters Past 16th Place, You Just Didn’t Know It

(I know this is old news, but it only just came to my attention a few days ago, so I figured I’d post about it anyway.)

I like strong passwords. No, I like strong pass phrases. It’s brutal to remember CX}bk<b_-K97, which is only a 12-character, 96-bit password. However, it’s easier to remember doubledoubletoilandtrouble because it’s real words, and a literary reference on top of it (Macbeth, for those interested). It’s a 208-bit password with 26 characters. If you have password complexity requirements we could use Doubledoubletoilandtrouble1 to include an upper-case letter and a number (which brings it up to 216 bits), or if we also need a special character we can tack on an exclamation point to bring us up to 224 bits.

I typically use pass phrases for myself and clients. It’s gotten me into a bit of trouble in the past. In short, I changed the password on a public-facing phone system interface to one that was longer than the system could handle. However, I didn’t know that, and the system didn’t validate the input, so I ultimately ended up locking everyone out of the system and a full factory reset was required.

I’ve got numerous other anecdotes concerning long passwords either breaking something or simply not being accepted. (I’m looking at you Chase Manhattan! Actually, let me re-scope that. I’m looking at you banking and financial sector!)

This story begins with a fresh installation of Windows 7 and some activation warnings. A client of mine had a Windows 7 desktop that was installed weeks earlier, but not activated. There is no KMS system in the building, so MAK keys are used for this small deployment. I had to log into the Microsoft Volume Licensing Service Center to retrieve the client’s MAK key for Windows 7. For those not in the know, logging into any Microsoft online system requires a Microsoft Account (formerly Windows Live ID, formerly Microsoft Passport). So I went to log in with the 29-character password that I chose for that client’s ID, and was met with this message:

“Microsoft account passwords can contain up to 16 characters. If you’ve been using a password that has more than 16 characters, enter the first 16.”

I was flabbergasted. I counted out the first 16 characters of the 29-character password and pasted them into the password dialog. I was able to log in. I searched online for more information and came back with this FAQ: Why can’t my Microsoft account password have more than 16 characters?

So I am assuming that all along, for the nearly ten years I’ve been using Microsoft’s Passport / Live ID / Microsoft Account sign-in service, only 16 characters have ever been accepted while the remaining characters were discarded. I cannot say that this wasn’t disclosed because it never occurred to me to verify that my 16+ character passwords, which were accepted without hesitation, were actually being honored to the last character.

Now I’m wondering what other accounts might be doing the same thing: accepting long passwords but silently dropping characters past a certain point. Is it so hard to calculate and store hashes from long passwords? Password policies seem to be encouraging complexity, not strength. Complexity that encourages Post-it notes to be placed under someone’s keyboard. Or a sheet full of administrator accounts and passwords kept on top of a filing cabinet… but I’m trying to forget that ever happened.

What do you think about all of this? Did Microsoft disclose the discarding of characters and most of us missed it? Should they have made a hard warning that required less than 17 characters?
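The behaviour described in this post (a long password accepted at registration, but only its first 16 characters ever compared) is easy to model and easy to check for. The following is an added example written for this post; it is not Microsoft’s code, and the two store classes, the 16-character limit constant and the `detect_truncation` helper are hypothetical. The truncating store salts and hashes only the prefix, the full-length store salts and hashes the whole password with PBKDF2, and `detect_truncation` repeats the experiment from the post generically: given a known-good password, it finds the shortest prefix that still verifies. Run it against a store you control or a test harness; probing a live account prefix by prefix would trip lockout policies long before it told you anything.

```python
import hashlib
import hmac
import os

# Hypothetical limit matching the behaviour described in the post: only the
# first 16 characters of the submitted password are ever used.
TRUNCATION_LIMIT = 16
# Lowered for the demo so the prefix search runs quickly; a real deployment
# should use a far higher work factor (or a memory-hard KDF such as scrypt).
ITERATIONS = 20_000


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the UTF-8 encoding of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class TruncatingStore:
    """Models a backend that silently discards characters past the limit.

    Note that it still salts and hashes; truncation is a separate defect and
    is invisible to the user, who was never told the tail was dropped.
    """

    def __init__(self):
        self._records = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _kdf(password[:TRUNCATION_LIMIT], salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        candidate = _kdf(password[:TRUNCATION_LIMIT], salt)
        return hmac.compare_digest(digest, candidate)


class FullLengthStore:
    """The intended design: hash the whole password, however long it is."""

    def __init__(self):
        self._records = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _kdf(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        return hmac.compare_digest(digest, _kdf(password, salt))


def detect_truncation(verify, user: str, password: str):
    """Return the shortest prefix length that still verifies, or None.

    This is the check from the post made systematic: if some proper prefix
    of the real password logs in, the backend is discarding the rest. A
    password no longer than the backend's limit cannot reveal truncation,
    so None is returned for it as well.
    """
    for n in range(1, len(password)):
        if verify(user, password[:n]):
            return n
    return None


if __name__ == "__main__":
    # Constructed sample: the post's 26-character phrase padded to 29 characters.
    long_password = "doubledoubletoilandtroubleXYZ"
    for store_cls in (TruncatingStore, FullLengthStore):
        store = store_cls()
        store.register("alice", long_password)
        print(store_cls.__name__, "->", detect_truncation(store.verify, "alice", long_password))
```

With the truncating store the helper reports 16 (the first 16 characters, "doubledoubletoil", verify on their own), with the full-length store it reports None. Note that the truncating store is not a plaintext store; the comment thread below raises that possibility, but truncation before hashing is a distinct defect that salting and hashing alone do not rule out.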


  1. James Pritchard

    April 22, 2013 at 8:14 am

    As a developer I’ve found this behavior in code I’ve inherited, it’s usually when the system has been designed to store the plain text password!! There really isn’t any excuse not to salt and hash passwords before being stored.


  2. Jonathan Angliss

    April 22, 2013 at 4:49 pm

    I noticed this a while back. I use KeePass for a lot of my passwords on sites where I want to keep secure. And my KeePass password is a long phrase (9 words).

    The thing that makes me cringe on this is the sudden enforcing of the 16 character limit. 1 of 3 things has happened. 1) They’ve decided that they are tired of using code to shorten your password, encrypt it, then compare it to the database value. 2) They’ve decided they want to just force everybody’s password to 16 characters, and as such they’ve re-encrypted the password. 3) Somebody did an audit, realized it only accepted the first 16 characters, and reported it as an issue as people were thinking their Über passwords were super secure, when they weren’t as secure as they thought.

    The first is a little silly; it’s not hard to do a string.substring(0,16), or whatever you use in your equivalent language. But they might have started to look at ways of trimming down login times, and substrings and such may be impacting the performance. If that’s the case, I’d be worried about the infrastructure. Linux/Unix used to be truncated at 8 characters, didn’t it?

    The second scares me, because it means they’re potentially using a reversible encryption, which has to have the keys somewhere. Or worse, plain text passwords! Reversible encryption, and keys, mean the potential for a compromise of accounts. One way hashes are generally considered better, though we know how that goes when rainbow tables come about.

    The third one shouldn’t be too bad, but there is probably a bunch of people that are bothered by their suddenly shortened password.

