Microsoft Wants More than 16 Characters in Your Password

Source: hxxp://news.softpedia.com/news/Microsoft-Wants-More-than-16-Characters-in-Your-Password-383026.shtml

----------------------------------------------------

A valid reason for them about the 16 characters limit, but I still don't see any harm in having a longer limit for those who want to use longer passwords. If they allowed 30 characters passwords then I probably will be back to use Outlook.com again along with GMail.

 

If you have a smartphone, rather than waiting for longer passwords you can go for two-factors authentication.
And don't think its easy to crack a 16 character password since after a number of wrong attempts the server will lock you out.
So, it will take a looooooong time to guess your 16 character passwords.

 

I'm probably wrong but, we still can do that just with a featured phone, right?

Yep, not easy at all. But 30 characters passwords with uppercases, lowecases, numbers, and punctuation marks arranged in a random order is still harder to crack. I'm worried more about the service providers themselves, though.

 

Sure... by sms with standard mobile phone and with a software-token if you have a smartphone.

Ah, ok, I understand.

 

Do the bad guys still try to crack passwords? What if they were able to hack into the cloud servers where a backup of someones mobile device is kept? The backup stores the data and the WiFi password. Somehow the length of the pswd becomes mute if this were the case. Just asking.

 

With "if" scenario you can imaging whatever. In case of more realistic scenario all boils down to social engineering. Trick the user to install malware (PC/Mobile), trick the user to type credentials (bank/token)... etc.

 

Googe Gmail has 56 character password, with uppercases, lowecases, numbers, and punctuation marks arranged in a random order. Why doesn't Microsoft does the same and does it soon.

Best regards,

 

Why would they do it if it does not improve the security of the account? Security wise it is much better a two-factors authentication than a long password. You can by a mobile phone for 10$ out there if you have not one

 

Yes though, but at least make the limit to be longer. Now waiting for fingerprint recognition and retina scan to be included.

 

Why they would need to do so? The length of the password will not improve your security.

I think users tends to forget that its not like a spy movie where you see the magic software running on hundreds of stellar servers trying billions of combination in a nanosecond.... you can't do that. The system will simply refuse the request after just few tries and the account locked.

So, a 56 character password for this specific case (gmail, hotmail, etc) is simply not fitting the purpose, hacking of e-mail accounts happens with malware stealing the credentials (even if with 56 characters) and social engineering with the user or the provider

 

Hey, we can have overkill security setups, why couldn't we have overkill passwords?

Unless it takes lots of money, I don't really see the need of limiting it to only 16 at max. Well, Mr. Johnson can use 16 characters PW because he thinks it's enough, Mr. Smith can use only 8 characters because he doesn't want to be bothered with PW managers and prefer to keep it in his head only, Mr. Bow is kind of paranoid, so he uses 47 characters PW and doesn't store it anywhere else. Then everyone's happy with whatever the length of the characters preferred by certain individuals.

 

Because it does not improve your security and therefore is not given as an option. So you can't... rightly so.
Luckily they offer you better methods to secure your account. Up to you to choose.

 

Certain hashing algorithms like bcrypt have a limit on the password length. Passwords are sometimes restricted for that reason.

 

Constructing a password with more entropy is more desirable then length.