Hotmail called out for sly password gaffe

Long passwords accessible via their first 16 characters.

Hotmail has been criticised by a Kaspersky researcher for allowing long passwords to be accessed with the first 16 characters.

Redmond had imposed password length limits for years, but the fact that longer passwords were silently truncated, without account holders being told, appeared to have escaped public notice.

Kaspersky researcher Costin Raiu detailed the risk after he discovered that his 30-plus character password could be entered with only about half of its characters.

Raiu said in a blog post titled “your password was too long, so we fixed it for you” that the change meant his account remained less secure for years.

He said he was shocked when he was prompted to enter only part of his password to gain access.
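The behaviour Raiu describes, as an added illustration that is not from the article or from any Microsoft code: a verifier that silently cuts passwords to 16 characters beside one that hashes the whole string, plus a self-check a defender can run against their own login logic to detect truncation. The hashing, the 200-character cap in the strict store and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # the limit the article describes for Hotmail


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real service uses; the point is truncation
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Weak behaviour: the password is cut to MAX_LEN before hashing and again
    before verification, so any string sharing the first 16 characters is
    accepted and the user is never told."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password[:MAX_LEN], salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, _hash(password[:MAX_LEN], salt))


class StrictStore(TruncatingStore):
    """Corrected behaviour: the whole password is hashed; if a limit must exist
    it is enforced by an explicit, visible rejection, never by dropping characters."""

    def register(self, user: str, password: str) -> None:
        if len(password) > 200:  # constructed cap, mirroring the Google figure cited below
            raise ValueError("password longer than 200 characters")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, _hash(password, salt))


def truncates_passwords(store_cls, full: str = "correct-horse-battery-staple-2012") -> bool:
    """Self-check: register a long password, then see whether its 16-character
    prefix also logs in. True means the verifier is silently truncating."""
    store = store_cls()
    store.register("alice", full)
    return store.verify("alice", full) and store.verify("alice", full[:MAX_LEN])
```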

Credit: Kaspersky

A reader pointed to a Windows blog in which Microsoft accounts manager Eric Doerr said Redmond’s decision appeared to be due to product compatibility.

He said the company was “working” on password length and noted that for “historical reasons, the password validation logic is decentralised across different products, so it's a bigger change than it should be and takes longer to get to market”.

He noted that most attacks came through phishing, which renders password strength irrelevant, rather than brute-force attacks, which rarely target complex passwords.

Microsoft did not explain, when asked by Ars Technica, why its allowable password length was shorter than those offered by Gmail and Yahoo! Mail.

Sophos researcher Graham Cluley pointed out in a blog post last month on Hotmail’s password limitation that Yahoo allowed passwords up to 32 characters and Google up to a whopping 200 characters.

Copyright © SC Magazine, Australia
