Hotmail called out for sly password gaffe

Hotmail has been criticised by a Kaspersky researcher for allowing long passwords to be accessed with the first 16 characters.

Redmond had installed password size limitations for years, but the fact that long passwords were reduced under the radar of account holders appeared to have escaped public notice.

Kaspersky researcher Costin Raiu detailed the risk after he discovered his 30-plus character password was accessible by entering about half of its digits.

Raiu said in a blog post titled “your password was too long, so we fixed it for you” that the change meant his account remained less secure for years.

He said he was shocked when he was prompted to enter only part of his password to gain access.

A reader pointed to a Windows blog in which Microsoft accounts manager Eric Doerr said Redmond’s decision appeared to be due to product compatibility.

He said the company was “working” on password length and noted that for “historical reasons, the password validation logic is decentralised across different products, so it's a bigger change than it should be and takes longer to get to market”.

He noted most attacks were due to phishing which mitigates password security, not brute force attacks which rarely targeted complex passwords.

Microsoft did not explain when asked by Ars Technica why allowable password lengths were shorter than those offered by Gmail and Yahoo! Mail.

Sophos researcher Graham Cluely pointed out in a blog last month on Hotmail’s password limitation that Yahoo allowed passwords up to 32 characters and Google up to a whopping 200 characters.

Copyright © SC Magazine, Australia