Headline is inaccurate. Seems to only be a restriction on Live accounts, not Windows 8. If you use a non-Live account to log in, there isn't this restriction. I just changed mine to a 24-character password with no issues, but I'm using a domain account.
That said, major portions of what's new in Windows 8 require a Windows Live account to use (the app store, most of the Metro apps, etc).
It seems to me like a lot of ostensibly technically-literate people are installing Windows 8 and not realizing that it's asking them to create a Live account instead of a Windows account. Is the option to create a normal account difficult to find or something?
Like others have said, it is pretty central. With that said, it isn't very difficult to create a local account. I believe there is a button which takes you to a non-Live account setup page, though there is an "are you sure? Live accounts will really make your experience better blablabla etc." screen which you need to also click a button on.
I think it's more that the live account creation is front and center during the install process. It's pretty integral to the functionality of Windows 8 as well. While my login is my domain login, I use my live account for much of the Win8 functionality.
The thing I hate is when people make excuses for it. Especially when those people purport to represent the company that made the mistake:
> Besides, a 16-character password can have 2.8 nonillion possible combinations. You are more likely to reuse your passwords and get owned through that than through password brute forcing.
That's a terrible excuse for a 16-character limit. Just admit it was a bad decision (probably made a long time ago) and move on.
I had a short email conversation with someone on the Live team. His stance was pretty much what you said: Somewhere, someone screwed up, and now it's sorta ingrained, and since 16 characters allows decent passwords, it's not a high priority to fix.
The stupid part is this[1]: Passwords cannot contain spaces or "non-English" characters.
I've never heard anyone mention all lower case and upper case "letters", either, but I assume both versions are acceptable characters in a password. And I bet numbers are valid too. So... what is your point? (besides being funny, in which you succeeded)
Well, the password guidelines specifically say "The password can contain uppercase letters and lowercase letters. The password can contain numbers." So no ambiguity there.
They are quite clear about what characters are permitted in the password. The not permitted list is redundant, but sometimes repetition is helpful. The argument that Microsoft has somehow incorrectly identified é as "non-English" is bullshit.
I'm not sure that helps. So an English character is any character that can appear in an English sentence? Are the Chinese words mixed in the Firefly English characters, too, then? What makes a Chinese loan word different from a French loan word?
This seems a remarkably, stupidly pedantic point. Would Microsoft have created less overall user confusion by using the term non-ASCII and making all the nontechnical users look up what that means?
It's the trend started by Android and then followed by iOS and also begun on OS X. It's not quite required, but you're pretty much going to want a cloud account.
Some programmer decided to filter characters and limit the length of a string. Honestly, it's reasonable. I know it's not the point, but 16 ASCII chars can be used to create a secure Windows password.
And people with passwords bigger than 16 chars are a corner case. HN has had top stories telling programmers not to care about corner cases or to assign a very low priority to them.
The passwords should be salted and then hashed. The hash produces the same length output no matter how long the input. Consequently length limitations are either UI/protocol limitations, or because salting and hashing is extremely poorly done. My money is on the latter.
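The claim in the comment above, that a salted hash produces the same-length output no matter how long the input is, can be checked directly. The following is an added example (not code from the thread or from Microsoft) using Python's standard-library PBKDF2-HMAC: passwords of 9, 28, 33 and 64 characters, including spaces and the é discussed earlier, all hash to 32 bytes, so any length or character limit has to come from somewhere other than the hashing step. It also computes the brute-force keyspace for a 16-character password; the sample passwords, the 16-byte salt and the 80-symbol alphabet size are constructed assumptions, chosen because 80^16 is the 2.8 nonillion figure quoted earlier in the thread.

```python
import hashlib
import hmac
import math
import os

# Constructed sample passwords of varying length and character set. None of
# these are real credentials; they exist only to exercise the hashing code.
SAMPLE_PASSWORDS = [
    "Tr0ub4dor",                            # 9 ASCII characters
    "correct horse battery staple",         # 28 characters, contains spaces
    "Ünïcode pässwörd with space and é",    # 33 characters, non-ASCII letters
    "x" * 64,                               # 64 characters, far past a 16 limit
]

ITERATIONS = 100_000  # assumed work factor; tune for the deployment's hardware


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256.

    The password is UTF-8 encoded, so spaces and non-ASCII characters need no
    filtering, and the digest is always 32 bytes whatever the input length.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison against a stored digest (avoids timing leaks)."""
    return hmac.compare_digest(hash_password(password, salt), expected)


def digest_lengths(passwords, salt: bytes):
    """Return the digest length produced for each password; all entries are 32."""
    return [len(hash_password(p, salt)) for p in passwords]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def main() -> None:
    salt = os.urandom(16)  # per-user random salt; stored beside the digest
    for pw, n in zip(SAMPLE_PASSWORDS, digest_lengths(SAMPLE_PASSWORDS, salt)):
        print(f"{len(pw):3d} chars -> {n} byte digest")
    stored = hash_password(SAMPLE_PASSWORDS[2], salt)
    print("verify correct:", verify_password(SAMPLE_PASSWORDS[2], salt, stored))
    print("verify wrong:  ", verify_password("wrong password", salt, stored))
    # An 80-symbol alphabet (assumed) gives the "2.8 nonillion" quoted upthread.
    print(f"80^16 = {keyspace(80, 16):.2e}, {password_bits(80, 16):.1f} bits")
    print(f"80^24 = {keyspace(80, 24):.2e}, {password_bits(80, 24):.1f} bits")


if __name__ == "__main__":
    main()
```

The point for a defender: because the stored digest is fixed-size and the input is encoded before hashing, neither a length cap nor a character blacklist buys anything at the storage layer; if such limits exist, they come from a UI, a protocol field or a legacy back end, which is where to look when reviewing a system that imposes them.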
I know. But yes, I was thinking that the password still has to go through UIs (web and native), be sent over the network and read by the server, and only then can it be hashed and compared to the stored hash.
I agree it sounds weird, especially since I guess everything is done on top of .NET and JS. Neither of which is likely to suffer from buffer overflows, nor would whatever protocols they use have problems transporting large strings with non-ASCII chars. And I don't see any other technical problems that might cause it.
But there has to be a reason. I guess it's possible someone was overzealous or screwed up. Maybe it was because it would be too hard to type it on an Xbox? Doesn't sound very plausible though.
I doubt that MS is doing password hashing wrong - it's not hard to begin with, and they probably learned their lesson from the NT days when they implemented password hashing poorly and it led to the NT passwords being easy to brute force.
> HN has had top stories telling programmers not to care about corner cases or to assign a very low priority to them.
That's because HN focuses on startups. Startups have extremely little time, money and resources. Microsoft has over 94,000 headcount.
Microsoft has extremely different expectations from startups. In fact, knowing just about anything about Microsoft's decades of history, you'd know just how much attention they pay to corner cases when it comes to backwards compatibility.
Another example: do startups spend much time preparing support for 50 different languages, including RTL, before a product release? Should Microsoft?
Advice you see on HN doesn't represent anything more than the current hip advice for startups. Certainly not how a multibillion dollar international corporation should design products.
But Apple is a multibillion dollar international corporation (more billions than MS) and they still famously cut corner cases.
If you go into every corner case, you'll never ship and I don't really think it's that practical/easy to keep adding people to a project to fix every corner case.
There's been more than one situation in which they ignored more than just corner cases in backwards compatibility: Windows Mobile -> WP7 -> WP8 and Internet Explorer come to mind. I don't know many examples, but that might be because the only MS product I've actually owned in recent times was an Xbox 360 (which went RRoD 2 yrs ago).
Also, strictly speaking, this isn't about backward compatibility: from the comments I've read here, you can still have the same Windows password you had before. The password restrictions only apply to their online service (Live account or whatever they are calling it).