Strange Microsoft Live Password Policy

I was considering a test account Outlook.com today, just to give it a spin. So I started through the Microsoft Live signup process. It was going ok until I got to the password fields. I entered in one of my randomly generated 40 character passwords and was presented with this message:

Setting a maximum password length of 16 characters sets off a red flag for me. So I went looking for references to the Microsoft Live password policy. I eventually found one at http://help.outlook.com/en-gb/140/cc540536.aspx – here are the rules and restrictions (emphasis is mine):

Password rules

• The password can have a maximum length of 16 characters.
• The password is case-sensitive.
• The password can contain uppercase letters and lowercase letters.
• The password can contain numbers.
• The password can contain the following ASCII text characters: ` ~ ! @ # $ % ^ & * ( ) _ + – = { } | [ ] : ” ; ‘ < > ? , . /

Password restrictions
The password can’t contain any of the following items:

• Spaces
• Non-English characters
• The account name part of the email address. For example, if the email address is user@contoso.com, the password can’t contain user. This restriction isn’t case-sensitive. Therefore, USER or User can’t be used in the password for user@contoso.com.

This raises the concern that perhaps Microsoft Live is storing plain text copies of passwords instead of the hash of the password. It would be completely foolish of them to store the plain text version of passwords, with serious security implications, so I hope that isn’t the case.

But if they really are hashing the passwords, why set a maximum length of 16 characters (and no spaces)? I could understand not allowing for infinitely long passwords, after all even bcrypt only supports unique strings up to 72 characters, but 16 seems particularly small in todays world of password managers. Why not something more sensible like 50 or 60?

Sadly none of this is new, it has had plenty of attention from Ars Technica, The Next Web, and security.stackexchange.com. Most of them point back to a Microsoft blog post on ‘Keeping your Microsoft account more secure’. The only really useful bit in the context of 16 character password limits comes from a comment by Eric Doerr (the author of the post):

Password length – We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market. It’s also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like “123456” not due to a lack of complexity.

Most of these posts seem to be missing the issue of what happens when/if their password database is compromised and copied by an intruder? Under that situation there is going to be a world of difference between people who use 8 character passwords and people who use 30 character passwords.

And when it comes to trying to sync password authentication against multiple types of systems it raises the concern of plain text passwords again. Even though Ars Technica asked about, Microsoft never really answered:

The spokeswoman’s response appears to indicate Microsoft engineers don’t store passwords in plaintext, although the spokeswoman didn’t address that issue despite Ars specifically asking about it.

Another method they might be using is regular encryption, instead of a hash. So when a password needs to be a synced out to another service they decrypt the password and then encrypt it again on the new service. That still isn’t as good as password hashing, but it would be better than storing the plain text version.

None of this fills me with warm fuzzies about how Microsoft Live is storing passwords.