
Microsoft doesn't allow passwords greater than 16 characters in length - wedtm
https://plus.google.com/112580269831077516723/posts/ebBe1ZnciH4
======
jjcm
Headline is inaccurate. Seems to only be a restriction on live accounts, not
windows 8. If you use a non-live account to log in, there isn't this
restriction. I just changed mine to a 24 character password with no issues,
but I'm using a domain account.

That said, major portions of what's new in Windows 8 require a Windows Live
account to use (the app store, most of the Metro apps, etc).

~~~
Splognosticus
It seems to me like a lot of ostensibly technically-literate people are
installing Windows 8 and not realizing that it's asking them to create a Live
account instead of a Windows account. Is the option to create a normal account
difficult to find or something?

~~~
rlu
Like others have said it is pretty central. With that said, it isn't very
difficult to create a local account. I believe there is a button which takes
you to a non-live account set up page, though there is an "are you sure? live
accounts will really make your experience better blablabla etc." screen which
you need to also click a button on.

So it's a 2 step flow.

~~~
mc32
There's a link right under the live account login/creation: "Create a
non-Microsoft account". It's on the same account creation screen.

------
codeka
The thing I hate is when people make excuses for it. Especially when those
people purport to represent the company that made the mistake:

> Besides, a 16-character-long password can have 2.8 nonillion possible
> combinations. You are more likely to reuse your passwords and get owned
> through that than through password brute forcing.

That's a terrible excuse for a 16-character limit. Just admit it was a bad
decision (probably made a long time ago) and move on.

~~~
MichaelGG
I had a short email conversation with someone on the Live team. His stance was
pretty much what you said: Somewhere, someone screwed up, and now it's sorta
ingrained, and since 16 characters allows decent passwords, it's not a high
priority to fix.

The stupid part is this[1]: Passwords cannot contain spaces or "non-English"
characters.

1: <http://help.outlook.com/en-gb/140/cc540536.aspx>

Edit: The double stupid here is the fact that non-ASCII is referred to as
"non-English". I'm pretty sure e.g. résumé is a correct English spelling.

~~~
tedunangst
When asked to say the letters of the English alphabet, I have never heard
someone include é.

~~~
jfoutz
WellthatsfinethenImnotsurewhatelsewouldchangeyourmindaboutwhatcharactersshouldbeallowedintext

~~~
tedunangst
When asked to say the letters of the English alphabet, I have never heard
someone include space.

~~~
thebigshane
I've never heard anyone mention all lower case and upper case "letters",
either, but I assume both versions are acceptable characters in a password.
And I bet numbers are valid too. So... what is your point? (besides being
funny, in which you succeeded)

~~~
tedunangst
Well, the password guidelines specifically say "The password can contain
uppercase letters and lowercase letters. The password can contain numbers." So
no ambiguity there.

They are quite clear about what characters are permitted in the password. The
not permitted list is redundant, but sometimes repetition is helpful. The
argument that Microsoft has somehow incorrectly identified é as "non-English"
is bullshit.

------
vacri
Is a Microsoft Live account needed to use Windows 8? If so, that's a far
bigger WTF than a 16-char password.

~~~
wideroots
If I remember correctly, most of Modern UI apps won't be accessible without a
Microsoft account.

~~~
joenathan
Well you can't get into the store without a Live account, and Modern UI apps
can't be installed from outside the store.

~~~
illuminate
You can sideload them.

------
CrazedGeek
(for users with Microsoft Accounts)

Granted, that'll probably be the majority. Anyone know if non-MS accounts have
this limitation?

EDIT: Nope, see <http://news.ycombinator.com/item?id=4389204>

------
astangl
"16 characters ought to be enough for anybody."

------
adolph
Does this mean Microsoft stores the plain text of Live passwords instead of
hashes?

------
lrei
Some programmer decided to filter characters and limit the length of a string.
Honestly, it's reasonable. I know it's not the point but 16 ASCII chars can be
used to create a secure windows password.

And people with passwords bigger than 16 chars are a corner case. HN has had
top stories telling programmers not to care about corner cases or to assign a
very low priority to them.

In my opinion: "Nothing to see here, move along".

~~~
rogerbinns
The passwords should be salted and then hashed. The hash produces the same
length output no matter how long the input. Consequently length limitations
are either UI/protocol limitations, or because salting and hashing is
extremely poorly done. My money is on the latter.

~~~
lrei
I know. But yes, I was thinking that the password still has to go through UIs
(Web & Native), be sent over the network and read by the server, and only then
can it be hashed and compared to the stored hash.

I agree it sounds weird, especially since I guess everything is done on top of
.NET and JS. Neither of which is likely to suffer from buffer overflows, nor
would whatever protocols they use have problems transporting large strings
with non-ASCII chars. And I don't see any other technical problems that might
cause it.

But there has to be a reason. I guess it's possible someone was overzealous or
screwed up. Maybe it was because it would be too hard to type it on an Xbox?
Doesn't sound very plausible though.

I doubt that MS is doing password hashing wrong - it's not hard to begin with,
and they probably learned their lesson from the NT days when they implemented
password hashing poorly and it led to the NT passwords being easy to brute force.

~~~
rogerbinns
> I doubt that MS is doing password hashing wrong

They have a long and storied history of doing just that. You can get a flavour
from <http://en.wikipedia.org/wiki/NTLM>

Their hashing is most likely something defined to produce two parts from two 8
character chunks.
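
The fixed-length property rogerbinns describes above (a salted hash is the same size whatever the input), set beside the two weak designs the thread contrasts it with (silent truncation, and independent fixed-size chunks), as an added example; this is not code from the thread or from Microsoft, and the PBKDF2 parameters and sample passwords are assumed:

```python
# Added example: why a password-length cap is a UI/protocol choice rather than a storage need.
# A salted, iterated hash yields fixed-size output for any length or alphabet; truncating or
# chunked schemes are the designs whose behaviour a length limit would hint at.
import hashlib
import hmac
import os

ROUNDS = 100_000  # PBKDF2 iteration count (assumed value for the example)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Proper scheme: random 16-byte salt + PBKDF2-HMAC-SHA256. Output is always 32 bytes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def hash_truncating(password: str, salt: bytes = b"", limit: int = 16) -> tuple:
    """Weak scheme: silently drops everything past `limit` before hashing."""
    return hash_password(password[:limit], salt)


def verify_truncating(password: str, salt: bytes, stored: bytes, limit: int = 16) -> bool:
    """Any password sharing the first `limit` characters verifies against the same record."""
    return verify_password(password[:limit], salt, stored)


def hash_chunked(password: str, salt: bytes = b"", chunk: int = 8) -> tuple:
    """Weak scheme in the spirit of the two-chunk design the comment above describes:
    fixed-size pieces hashed independently, so each piece is verifiable on its own."""
    salt = salt or os.urandom(16)
    padded = password.ljust(2 * chunk)[: 2 * chunk]  # pad/cut to exactly two chunks
    parts = [
        hashlib.pbkdf2_hmac("sha256", padded[i:i + chunk].encode("utf-8"), salt, ROUNDS)
        for i in (0, chunk)
    ]
    return salt, parts
```

Detection-wise, a site whose verifier accepts a password that differs only after the 16th character is behaving like `verify_truncating`, not `verify_password`.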

------
taylorbuley
It sounds like an improvement on Microsoft's standard NTLM encryption, which
supports only up to 14 characters.

------
runjake
Is everyone else seeing banner ads in the Metro apps included with Windows 8
RTM?

~~~
astrodust
Is this the XBox dashboard experience brought to the desktop? That's pretty
weak.

------
revx
Allow me to be the first to say, "WTF?"

