Microsoft doesn't allow passwords greater than 16 characters in length (plus.google.com)
54 points by wedtm on Aug 15, 2012 | 38 comments

Headline is inaccurate. Seems to only be a restriction on live accounts, not windows 8. If you use a non-live account to log in, there isn't this restriction. I just changed mine to a 24 character password with no issues, but I'm using a domain account.

That said, major portions of what's new in Windows 8 require a Windows Live account to use (the app store, most of the Metro apps, etc).

It seems to me like a lot of ostensibly technically-literate people are installing Windows 8 and not realizing that it's asking them to create a Live account instead of a Windows account. Is the option to create a normal account difficult to find or something?

Like others have said, it is pretty central. With that said, it isn't very difficult to create a local account. I believe there is a button which takes you to a non-Live account setup page, though there is an "are you sure? Live accounts will really make your experience better blablabla etc." screen which you need to also click a button on.

So it's a 2 step flow.

There's a link right under the live account login/creation "Create a non-Microsoft account". It's on the same account creation screen.

I think it's more that the live account creation is front and center during the install process. It's pretty integral to the functionality of Windows 8 as well. While my login is my domain login, I use my live account for much of the Win8 functionality.

The thing I hate is when people make excuses for it. Especially when those people purport to represent the company that made the mistake:

> Besides, 16 character long password can have 2.8 nonillion possible combinations. You are more likely to reuse your passwords and got owned through that than password brute forcing.

That's a terrible excuse for a 16-character limit. Just admit it was a bad decision (probably made a long time ago) and move on.

I had a short email conversation with someone on the Live team. His stance was pretty much what you said: Somewhere, someone screwed up, and now it's sorta ingrained, and since 16 characters allows decent passwords, it's not a high priority to fix.

The stupid part is this[1]: Passwords cannot contain spaces or "non-English" characters.

1: http://help.outlook.com/en-gb/140/cc540536.aspx

Edit: The double stupid here is the fact that non-ASCII is referred to as "non-English". I'm pretty sure e.g. résumé is a correct English spelling.

I find it particularly insulting when a web application tells me my family name has "invalid" characters.

When asked to say the letters of the English alphabet, I have never heard someone include é.

When asked to say the letters of the English alphabet, I have never heard someone include space.

I've never heard anyone mention all lower case and upper case "letters", either, but I assume both versions are acceptable characters in a password. And I bet numbers are valid too. So... what is your point? (besides being funny, in which you succeeded)

Well, the password guidelines specifically say "The password can contain uppercase letters and lowercase letters. The password can contain numbers." So no ambiguity there.

They are quite clear about what characters are permitted in the password. The not permitted list is redundant, but sometimes repetition is helpful. The argument that Microsoft has somehow incorrectly identified é as "non-English" is bullshit.

Alphabet != characters

I'm not sure that helps. So an English character is any character that can appear in an English sentence? Are the Chinese words mixed into Firefly's English dialogue English characters, too, then? What makes a Chinese loan word different from a French loan word?

This seems a remarkably, stupidly pedantic point. Would Microsoft have created less overall user confusion by using the term non-ASCII and making all the nontechnical users look up what that means?

I don't like the fact that it broke all my KeePass passwords...

> Especially when those people purport to represent the company that made the mistake

The comment you're quoting specifically asserts that it does not represent the company:

> (I work at Microsoft) but my opinion does not represent that of my company.

For the record, I also work for Microsoft, and my comments also do not represent the company.

Is a Microsoft Live account needed to use Windows 8? If so, that's a far bigger WTF than a 16-char password.

No, it isn't required, but they encourage it.

It's the trend started by Android and then followed by iOS and also begun on OSX. It's not quite required but you're pretty much going to want a cloud account.

If I remember correctly, most Modern UI apps won't be accessible without a Microsoft account.

Well you can't get into the store without a Live account, and Modern UI apps can't be installed from outside the store.

You can sideload them.

Apps that require Live services require a Live account I imagine, but nothing else seems to have.

(for users with Microsoft Accounts)

Granted, that'll probably be the majority. Anyone know if non-MS accounts have this limitation?

EDIT: Nope, see http://news.ycombinator.com/item?id=4389204

"16 characters ought to be enough for anybody."

Does this mean Microsoft stores the plain text of Live passwords instead of hashes?

Some programmer decided to filter characters and limit the length of a string. Honestly, it's reasonable. I know it's not the point, but 16 ASCII chars can be used to create a secure Windows password.

And people with passwords bigger than 16 chars are a corner case. HN has had top stories telling programmers not to care about corner cases or to assign a very low priority to them.

In my opinion: "Nothing to see here, move along".

The passwords should be salted and then hashed. The hash produces the same length output no matter how long the input. Consequently length limitations are either UI/protocol limitations, or because salting and hashing is extremely poorly done. My money is on the latter.
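As an added illustration of the point above (not code from the thread or from Microsoft): a salted, iterated hash returns a fixed-size digest whatever the input length or alphabet, so a 16-character cap is not a storage requirement, and a backend that silently truncates before hashing can be detected by verifying a long password with only its tail changed. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for the example; tune per deployment


def hash_password(password: str, salt: Optional[bytes] = None,
                  max_len: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). max_len simulates a buggy backend that cuts the
    password to N characters before hashing; None is the correct behaviour."""
    salt = salt or os.urandom(16)
    if max_len is not None:
        password = password[:max_len]  # the defect under discussion
    # UTF-8 encoding accepts spaces and non-ASCII such as "résumé"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    max_len: Optional[int] = None) -> bool:
    _, candidate = hash_password(password, salt, max_len)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def digest_lengths(passwords: List[str]) -> List[int]:
    """Digest size for each password; identical regardless of input length."""
    return [len(hash_password(p)[1]) for p in passwords]


def silently_truncates(max_len: Optional[int] = None, probe_len: int = 32) -> bool:
    """Register a long constructed password, then verify a variant that differs
    only in its final character. A correct backend rejects the variant; a
    backend that truncates to fewer than probe_len characters accepts it."""
    registered = "a" * (probe_len - 1) + "b"
    variant = "a" * probe_len
    salt, digest = hash_password(registered, max_len=max_len)
    return verify_password(variant, salt, digest, max_len=max_len)


if __name__ == "__main__":
    print(digest_lengths(["short", "a" * 16, "a" * 64, "résumé with spaces"]))
    print("correct backend truncates:", silently_truncates())
    print("16-char backend truncates:", silently_truncates(max_len=16))
```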

I know. But yes, I was thinking that the password still has to go through UIs (Web & Native), be sent over the network and read by the server, and only then can it be hashed and compared to the stored hash.

I agree it sounds weird, especially since I guess everything is done on top of .NET and JS. Neither of which is likely to suffer from buffer overflows, nor would whatever protocols they use have problems transporting large strings with non-ASCII chars. And I don't see any other technical problems that might cause it.

But there has to be a reason. I guess it's possible someone was overzealous or screwed up. Maybe it was because it would be too hard to type it on an Xbox? Doesn't sound very plausible though.

I doubt that MS is doing password hashing wrong - it's not hard to begin with and they probably learned their lesson from the NT days when they implemented p.hashing poorly and it led to the NT passwords being easy to brute force.

> I doubt that MS is doing password hashing wrong

They have a long and storied history of doing just that. You can get a flavour from http://en.wikipedia.org/wiki/NTLM

Their hashing is most likely something defined to produce two parts from two 8-character chunks.

> HN has had top stories telling programmers not to care about corner cases or to assign a very low priority to them.

That's because HN focuses on startups. Startups have extremely little time, money and resources. Microsoft has over 94,000 headcount.

Microsoft has extremely different expectations from startups. In fact, knowing just about anything about Microsoft's decades of history, you'd know just how much attention they pay to corner cases when it comes to backwards compatibility.

Another example: do startups spend much time preparing support for 50 different languages, including RTL, before a product release? Should Microsoft?

Advice you see on HN doesn't represent anything more than the current hip advice for startups. Certainly not how a multibillion dollar international corporation should design products.

Good point.

But Apple is a multibillion dollar international corporation (more billions than MS) and they still famously cut corner cases.

If you go into every corner case, you'll never ship and I don't really think it's that practical/easy to keep adding people to a project to fix every corner case.

There's been more than one situation in which they ignored more than just corner cases in backwards compatibility: Windows Mobile -> WP7 -> WP8 and Internet Explorer come to mind. I don't know many examples but that might be because the only MS product I've actually owned in recent times was an XBox 360 (which went RRoD 2 yrs ago).

Also, strictly speaking, this isn't about backward compatibility: from the comments I've read here, you can still have the same Windows password you had before. The password restrictions only apply to their online service (Live account or whatever they are calling it).

It sounds like an improvement on Microsoft's standard NTLM encryption, which supports only up to 14 characters.

Is everyone else seeing banner ads in the Metro apps included with Windows 8 RTM?

Is this the XBox dashboard experience brought to the desktop? That's pretty weak.

Allow me to be the first to say, "WTF?"
