Major upgrade to your Microsoft account

Microsoft Account Gets More Secure
The Official Microsoft Blog - 17 Apr 2013 - Posted by Eric Doerr,
Group Program Manager, Microsoft account

...including Optional two-step verification

 

Glad to hear that late upgrade.

But when will they allow long passwords? It's also important.

 

Not really, 16 is plenty for just about everything save encrypting a hard drive or extraordinarily sensitive applications (like, national security sensitive). You're not, for example, going to break a password like Ji$!sHUd3$ReT@Lo even with automated GPU cracking yet.

 

Today, maybe yes. But what about tomorrow?

Besides, GMail allows us to set the password as long as we want (or at least more than 16), so I don't get the point of this limitation. Is it a sin to have a long password?

 

Of course it isn't a sin. But it's not like you're woefully insecure using a 16 character password either, unless you're using something indescribably stupid like Kittycat12345678. What about tomorrow? For all you know, tomorrow 40 character length passes will be as easy as breaking Kittycat12345678. "Tomorrow" passwords should be relegated to the nostalgia bin of the early Web. "Tomorrow" we may be going full on "Matrix". Or, we could be using passwords still 20 years from now. When 16 character length passwords that are strong are said to no longer be safe, then worry about it. The tech available now just isn't going to break it in any length of time deemed reasonable enough to try.

P.S, Google serves ads in Gmail by auto-reading your emails, so you have that real strong password so no one can break in, yet it's already compromised technically. There's that to consider.

 

That's what I meant tomorrow.

Well yeah, such simple password would make you suffer. I'm talking about a good quality password, so in theory:

23 characters good pass > 16 characters good pass

Dunno if this is relevant, but according to him, the longer the better.

I've been dealing with people that are far more evil than Google, so I'm not too worried about that. =V

 

GrafZeppelin,

"Today" it would take an Online Attack Scenario 14.14 million trillion centuries to run through all the combinations of a 16 character password.

 

As he said, he's no security guru. That doesn't make him wrong, 16 is much better than 8 characters. But the key is length and randomness. I can still make a "good" 20 character length pass that is far easier to crack than a completely random, special character and numbers included 16 character pass. Length only gets you so far. Plus, there's the issue of how your pass is stored on the other end. No Salt/Hash=goodbye account no matter how good your pass is. Some of this is out of our control.

So yeah, in theory the longer and more random, the better. In practice there's a lot more to consider.

 

I never said that, though I'll admit it's true.

Okay, it seems that I'm saying it wrong. If they share the same complexity, then wouldn't 20 is better than 16? Or am I just following the wrong path all this time?

Indeed, but we should try our best, right?

 

Does that form actually accept specials? One can't tell from the screen cap.

 

Does anyone think 14.14 million trillion centuries is too short a time? I don't but you can use a longer password if you do.

 

I still don't see this option in my hotmail account...

 

No no, the "security guru" comment wasn't aimed at you The author of the article you linked said that about himself. As it stands right now, there won't be any life left on Earth by the time anyone can crack that 16 character strong password I gave an example of up there. Not with any tech that exists now.

You're not following a wrong path at all. Given a very strong, random 20 character length password or a 16, the 20 will be stronger, but I'm saying it's overkill for the tech of today.

We should indeed try our best. Some things, like server side security is out of our hands. But we still have the capability of trying to make the job harder for bad guys.

 

they could make up that 16 characters password more secure if we could add empty spaces in the password.

just wondering why this has not been implemented already.

not a big deal really though...

 

Outlook.com accepted special characters before this change, so I see no reason for that to cease.

 

I'll be up front and say I have no idea how empty spaces would affect anything. I imagine if such a measure became widespread it would be taken into account by hackers. I think though, before we worry about the safety of passwords on our end, we should worry whether servers are storing them in plain text. Length and randomness won't matter much if hackers break into the server and see every password sitting there wide open.

 

moontan,

See https://www.grc.com/haystack.htm

 

16 characters is plenty. More than enough, even with a weak password. 16 a's is 14.42 years at 100 trillion guesses per second. Simply turning one of those a's into a capital A turns it into 9.27 thousand centuries. Bruteforcing simply isn't an issue - not now, and very likely not for another few decades.

What you should be asking is *why* they limit it to 16. If they're hashing it should make no difference. Are they storing your passwords somewhere insecurely? It's a legitimate concern - oftentimes policies like this are in place and it's indicative of improper password storage.

It's possible they're doing it to prevent users unintentionally locking themselves out (LastPass limits PBKDF2 rounds for this reason) but they should make a statement.

 

Ah well, sorry for my misunderstanding then. My gawd that what happens if I took too much coffee in a day.

Yep, just like a HIPS might be overkill for one but a must have for someone else I guess.

 

I admit that longer passwords may just make me "feel" better. It's like MP3/AAC (at a good bitrate) vs. a lossless codec like FLAC; I may not be able to detect the difference in a blind test, but I feel better about FLAC because I know for sure that nothing is lost to compression.

However, it seems odd that a company as big as Microsoft would limit you to 16, when most sites allow 20 or more.

Oh well. At least they're not Netflix, with its 10-character limitation.

 

Even 10 characters has a 19.24 million centuries time with an Online Attack Scenario.

 

yeah.

i think i should be ok with that. lol

 

More than 16 characters would be nice. But it's workable. I use 20 with LastPass (with 2 factor authentication.)

One other nice thing about Outlook.com is how they make use of alias email addresses. Aliases can't be used to log into an account. It's tough to hack an email address that is not the user name of the account. As long as MS doesn't get social engineered into giving account access, it seems like a safer approach

 

Just don't use automated strength checkers to assess the quality of human generated passwords, the information they provide is virtually worthless. Automated strength checkers assume a "straight" brute-force attack, which is only used as a last resort by crackers. Automated tools or someone offering an opinion as to how many characters you should use, have no ability to know what types of attacks will be performed, the size and quality of an attacker's “word” lists, what rules they'll apply to these lists, or how fast an attacker can process guesses.

If you're using an automated tool to estimate the strength of a random string password produced by a quality pseudo random number generator, carry on.