Major upgrade to your Microsoft account

Discussion in 'other software & services' started by chachazz, Apr 17, 2013.

Thread Status:
Not open for further replies.
  1. chachazz

    chachazz Updates Team

    Joined:
    Apr 23, 2004
    Posts:
    840
    Microsoft Account Gets More Secure
    The Official Microsoft Blog - 17 Apr 2013 - Posted by Eric Doerr,
    Group Program Manager, Microsoft account

    ...including Optional two-step verification
     
  2. guest

    guest Guest

    Glad to hear that late upgrade. :D

    But when will they allow long passwords? It's also important. :)
     

    Attached Files:

  3. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Not really, 16 is plenty for just about everything save encrypting a hard drive or extraordinarily sensitive applications (like, national security sensitive). You're not, for example, going to break a password like Ji$!sHUd3$ReT@Lo even with automated GPU cracking yet.
     
  4. guest

    guest Guest

    Today, maybe yes. But what about tomorrow?

    Besides, GMail allows us to set the password as long as we want (or at least more than 16), so I don't get the point of this limitation. Is it a sin to have a long password? o_O
     
  5. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Of course it isn't a sin. But it's not like you're woefully insecure using a 16 character password either, unless you're using something indescribably stupid like Kittycat12345678. What about tomorrow? For all you know, tomorrow 40 character length passes will be as easy as breaking Kittycat12345678. "Tomorrow" passwords should be relegated to the nostalgia bin of the early Web. "Tomorrow" we may be going full on "Matrix". Or, we could be using passwords still 20 years from now. When 16 character length passwords that are strong are said to no longer be safe, then worry about it. The tech available now just isn't going to break it in any length of time deemed reasonable enough to try.

P.S., Google serves ads in Gmail by auto-reading your emails, so you have that real strong password so no one can break in, yet it's already compromised technically. There's that to consider.
     
  6. guest

    guest Guest

    That's what I meant tomorrow. ;)

Well yeah, such a simple password would make you suffer. I'm talking about a good quality password, so in theory:

    23 characters good pass > 16 characters good pass

    Dunno if this is relevant, but according to him, the longer the better.

    I've been dealing with people that are far more evil than Google, so I'm not too worried about that. =V
     
  7. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    GrafZeppelin,

    "Today" it would take an Online Attack Scenario 14.14 million trillion centuries to run through all the combinations of a 16 character password.
     
  8. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    As he said, he's no security guru. That doesn't make him wrong, 16 is much better than 8 characters. But the key is length and randomness. I can still make a "good" 20 character length pass that is far easier to crack than a completely random, special character and numbers included 16 character pass. Length only gets you so far. Plus, there's the issue of how your pass is stored on the other end. No Salt/Hash=goodbye account no matter how good your pass is. Some of this is out of our control.

    So yeah, in theory the longer and more random, the better. In practice there's a lot more to consider.
     
  9. guest

    guest Guest

    I never said that, though I'll admit it's true. :oops:

Okay, it seems that I'm saying it wrong. o_O If they share the same complexity, then wouldn't 20 be better than 16? Or am I just following the wrong path all this time? :doubt:

    Indeed, but we should try our best, right? :)
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,928
    Location:
    U.S.A.
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Does that form actually accept specials? One can't tell from the screen cap.
     
  12. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    Does anyone think 14.14 million trillion centuries is too short a time? I don't but you can use a longer password if you do.
     
  13. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    I still don't see this option in my hotmail account...
     
  14. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America

    No no, the "security guru" comment wasn't aimed at you :) The author of the article you linked said that about himself. As it stands right now, there won't be any life left on Earth by the time anyone can crack that 16 character strong password I gave an example of up there. Not with any tech that exists now.

    You're not following a wrong path at all. Given a very strong, random 20 character length password or a 16, the 20 will be stronger, but I'm saying it's overkill for the tech of today.

We should indeed try our best. Some things, like server-side security, are out of our hands. But we still have the capability of trying to make the job harder for bad guys.
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
they could make that 16-character password more secure if we could add empty spaces in the password.

    just wondering why this has not been implemented already.

    not a big deal really though...
     
  16. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Outlook.com accepted special characters before this change, so I see no reason for that to cease.
     
  17. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America

    I'll be up front and say I have no idea how empty spaces would affect anything. I imagine if such a measure became widespread it would be taken into account by hackers. I think though, before we worry about the safety of passwords on our end, we should worry whether servers are storing them in plain text. Length and randomness won't matter much if hackers break into the server and see every password sitting there wide open.
     
  18. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    16 characters is plenty. More than enough, even with a weak password. 16 a's is 14.42 years at 100 trillion guesses per second. Simply turning one of those a's into a capital A turns it into 9.27 thousand centuries. Bruteforcing simply isn't an issue - not now, and very likely not for another few decades.

    What you should be asking is *why* they limit it to 16. If they're hashing it should make no difference. Are they storing your passwords somewhere insecurely? It's a legitimate concern - oftentimes policies like this are in place and it's indicative of improper password storage.

    It's possible they're doing it to prevent users unintentionally locking themselves out (LastPass limits PBKDF2 rounds for this reason) but they should make a statement.
     
  20. guest

    guest Guest

Ah well, sorry for my misunderstanding then. My gawd, that's what happens if I take too much coffee in a day. :D

    Yep, just like a HIPS might be overkill for one but a must have for someone else I guess. :)
     
  21. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I admit that longer passwords may just make me "feel" better. It's like MP3/AAC (at a good bitrate) vs. a lossless codec like FLAC; I may not be able to detect the difference in a blind test, but I feel better about FLAC because I know for sure that nothing is lost to compression.

    However, it seems odd that a company as big as Microsoft would limit you to 16, when most sites allow 20 or more.

    Oh well. At least they're not Netflix, with its 10-character limitation.
     
  22. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    Even 10 characters has a 19.24 million centuries time with an Online Attack Scenario.
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    yeah.

    i think i should be ok with that. lol :p
     
  24. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    More than 16 characters would be nice. But it's workable. I use 20 with LastPass (with 2 factor authentication.)

One other nice thing about Outlook.com is how they make use of alias email addresses. Aliases can't be used to log into an account. It's tough to hack an email address that is not the user name of the account. As long as MS doesn't get social engineered into giving account access, it seems like a safer approach.
     
  25. WhereRYou

    WhereRYou Registered Member

    Joined:
    Jan 8, 2013
    Posts:
    7
    Location:
    USA
    Just don't use automated strength checkers to assess the quality of human generated passwords, the information they provide is virtually worthless. Automated strength checkers assume a "straight" brute-force attack, which is only used as a last resort by crackers. Automated tools or someone offering an opinion as to how many characters you should use, have no ability to know what types of attacks will be performed, the size and quality of an attacker's “word” lists, what rules they'll apply to these lists, or how fast an attacker can process guesses.

    If you're using an automated tool to estimate the strength of a random string password produced by a quality pseudo random number generator, carry on. :)
     
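The point made in the post above, and in Mman79's earlier "Kittycat12345678" example, is that crackers do not start with brute force; they start with wordlists and mangling rules, so a strength checker's astronomical estimate says nothing about a human-chosen password. The script below is an added example, not code from the thread or from any cracking tool it mentions: a miniature rule-based dictionary attack that mangles words from a tiny constructed wordlist (case, leetspeak, digit-run and year suffixes) and compares each candidate's hash against the stored one. The stored hashes are constructed for the demo by hashing the thread's two 16-character examples with unsalted SHA-256, an assumption standing in for whatever a real service does. The weak one falls in a few hundred guesses; the random one is never reached by this route at all.

```python
"""Why a 16-character human-chosen password can fall in hundreds of guesses.

Added example, not from the original thread or any cracking tool it mentions.
A miniature rule-based dictionary attack of the kind real crackers run before
any brute force: base words from a (constructed, tiny) wordlist are mangled
by capitalisation, leetspeak and digit-run suffixes, each candidate hashed
and compared with the stored hash. Unsalted SHA-256 is assumed for the
stored hash purely for the demo.
"""
import hashlib
from typing import Iterator, List, Optional, Tuple

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["password", "kitty", "cat", "kittycat", "letmein", "dragon", "monkey"]

# Constructed suffix rule: nothing, digit runs 1, 12, 123 ... 1234567890, and recent years.
DIGIT_SUFFIXES: List[str] = ([""]
                             + ["1234567890"[:n] for n in range(1, 11)]
                             + [str(year) for year in range(1990, 2014)])

# Leetspeak substitution rule.
LEET = str.maketrans("aeios", "43105")


def case_rules(word: str) -> Iterator[str]:
    """Case mangling: as-is, capitalised, all upper."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_rules(word: str) -> Iterator[str]:
    """Leet mangling: as-is, then with a/e/i/o/s replaced by digits."""
    yield word
    yield word.translate(LEET)


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Every word x case x leet x suffix combination, in a fixed cheap-first order."""
    for word in wordlist:
        for cased in case_rules(word):
            for mangled in leet_rules(cased):
                for suffix in DIGIT_SUFFIXES:
                    yield mangled + suffix


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash, as assumed for the demo's stored credentials."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, wordlist: List[str] = WORDLIST,
          limit: int = 1_000_000) -> Tuple[Optional[str], int]:
    """Return (password, guesses) if a candidate matches, else (None, guesses tried)."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
        if guesses >= limit:
            break
    return None, guesses


if __name__ == "__main__":
    # The thread's weak and strong 16-character examples as the targets.
    for pw in ("Kittycat12345678", "Ji$!sHUd3$ReT@Lo"):
        found, n = crack(sha256_hex(pw))
        status = f"recovered as {found!r}" if found else "not found"
        print(f"{pw}: {status} after {n} guesses")
```

The haystack arithmetic rates "Kittycat12345678" at a 62-character alphabet over 16 positions, which is thousands of centuries even at 100 trillion guesses per second; the rule-based attack above reaches it in well under a thousand hashes because it is a dictionary word plus the most common suffix pattern. Length and character classes only count when the characters are actually chosen at random.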