(I know this is old news, but it only just came to my attention a few days ago, so I figured I’d post about it anyway.)
I like strong passwords. No, I like strong pass phrases. It’s brutal to remember CX}bk<b_-K97, which is only a 12 character 96-bit password. However, it’s easier to remember doubledoubletoilandtrouble because it’s real words, and a literary reference on top of it (Macbeth, for those interested). It’s a 208 bit password with 26 characters. If you have password complexity requirements, we could use Doubledoubletoilandtrouble1 to include an upper-case letter and a number (which brings it up to 216 bits), or if we also need a special character we can tack on an exclamation point to bring us up to 224 bits.
I typically use pass phrases for myself and clients. It’s gotten me into a bit of trouble in the past. In short, I changed the password on a public facing phone system interface to one that was longer than the system could handle. However, I didn’t know that and the system didn’t validate the input so I ultimately ended up locking everyone out of the system and a full factory reset was required.
I’ve got numerous other anecdotes concerning long passwords either breaking something or simply not being accepted. (I’m looking at you, Chase Manhattan! Actually, let me re-scope that. I’m looking at you, banking and financial sector!)
This story begins with a fresh installation of Windows 7 and some activation warnings. A client of mine had a Windows 7 desktop that was installed weeks earlier, but not activated. There is no KMS system in the building so MAK keys are used for this small deployment. I had to log into the Microsoft Volume Licensing Service Center to retrieve the client’s MAK key for Windows 7. For those not in the know, logging into any Microsoft online system requires a Microsoft Account (Formerly Windows Live ID, formerly Microsoft Passport). So I went to log in. With the 29 character password that I chose for that client’s ID.
“Microsoft account passwords can contain up to 16 characters. If you’ve been using a password that has more than 16 characters, enter the first 16.”
I was flabbergasted. I counted out the first 16 characters of the 29 character password and pasted them into the password dialog. I was able to log in. I searched online for more information and came back with this FAQ: “Why can’t my Microsoft account password have more than 16 characters?”
So I am assuming that all along, for the nearly ten years I’ve been using Microsoft’s Passport / Live ID / Microsoft Account sign-in service, only 16 characters have ever been accepted while the remaining characters were discarded. I cannot say that this wasn’t disclosed because it never occurred to me to verify that my 16+ character passwords, which were accepted without hesitation, were actually being honored to the last character.
Now I’m wondering what other accounts might be doing the same thing: accepting long passwords but silently dropping characters past a certain point. Is it so hard to calculate and store hashes from long passwords? Password policies seem to be encouraging complexity, not strength. Complexity that encourages Post-it notes to be placed under someone’s keyboard. Or a sheet full of administrator accounts and passwords kept on top of a filing cabinet… but I’m trying to forget that ever happened.
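As an added illustration (my own code, not from the post or from Microsoft), here is the difference between a credential store that silently cuts the password to 16 characters before hashing and one that hashes the whole phrase, plus the audit check a defender can run against a system they administer: set a password longer than the suspected limit, then see whether the prefix alone logs in. PBKDF2, the 16-character limit and the user names are assumptions chosen to model the behaviour described above.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TRUNCATE_AT = 16       # limit reported in the post; modelled here, not measured
ITERATIONS = 200_000   # PBKDF2 work factor chosen for this example


def _derive(password: str, salt: bytes, limit: Optional[int]) -> bytes:
    # The only difference between the two stores below is whether the
    # password is cut before it reaches the KDF. UTF-8 keeps the whole phrase.
    if limit is not None:
        password = password[:limit]
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """One (salt, hash) record per user. limit=None hashes the full password."""

    def __init__(self, limit: Optional[int] = None) -> None:
        self.limit = limit
        self.records: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, _derive(password, salt, self.limit))

    def verify(self, user: str, attempt: str) -> bool:
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, _derive(attempt, salt, self.limit))


def truncates_at(store: PasswordStore, user: str, password: str, n: int) -> bool:
    """Audit check: if the first n characters of a longer password authenticate,
    everything after position n was discarded when the hash was created."""
    if len(password) <= n:
        raise ValueError("password must be longer than n to test truncation")
    return store.verify(user, password[:n])


# Constructed demo value: the 28-character phrase from the post.
PHRASE = "Doubledoubletoilandtrouble1!"


def demo() -> Tuple[bool, bool]:
    silent = PasswordStore(limit=TRUNCATE_AT)   # models the behaviour in the post
    honest = PasswordStore()                    # hashes all 28 characters
    for store in (silent, honest):
        store.set_password("admin", PHRASE)
    return (truncates_at(silent, "admin", PHRASE, TRUNCATE_AT),
            truncates_at(honest, "admin", PHRASE, TRUNCATE_AT))
```

Run `demo()`; the silent store accepts the 16-character prefix, the honest one does not. The same check, performed through the real login form with an account you own, is how a user discovers truncation without access to the server's code.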
What do you think about all of this? Did Microsoft disclose the discarding of characters and most of us missed it? Should they have made a hard warning that required less than 17 characters?