Passwords, unfortunately, still are the main authentication mechanism
on most Web sites, including all of the popular webmail services, such
as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick
complex and long passwords, so it's surprising to see that Microsoft now
has limited Hotmail passwords to no more than 16 characters. Even more
surprising, however, is that Hotmail will accept the first 16 characters
of an existing, longer password, indicating that the company may have
been storing users' passwords in plaintext.
Microsoft officials
say that there has been a 16-character limit for Hotmail accounts for
some time. But security researchers who looked at the requirement found
it odd, to say the least. Sixteen characters is a somewhat arbitrary
limit, but the more interesting bit is why Microsoft chose to make the
change at all.
The real question, however, is what the implications of the change are. As Costin Raiu,
head of Kaspersky Lab's GReAT research team, wrote in an analysis of
the issue, one possibility is that Microsoft has been truncating longer
passwords to 16 characters all along and then hashing those first 16
characters. The other possibility is somewhat more troubling.
"My
previous password has been around 30 chars in size and now, it doesn’t
work anymore. However, I could login by typing just the first 16 chars,"
he wrote.
"To pull this trick with older passwords, Microsoft had two choices:
* store full plaintext passwords in their db; compare the first 16 chars only
* calculate the hash only on the first 16; ignore the rest
* calculate the hash only on the first 16; ignore the rest
Storing
plaintext passwords for online services is a definite no-no in
security. The other choice could mean that since its inception, Hotmail
was silently using only the first 16 chars of the password. To be
honest, I’m not sure which one is worse."
Microsoft officials did not respond to questions on this issue.
In
order to keep passwords safe from snooping, many Web sites run users'
plaintext passwords through a hash function, which obscures them.
Depending upon which hash function is being used, and what kind of
computers is used to do the cracking, the length of time needed to crack
a password hash can vary greatly.
"Please
note our research has shown uniqueness is more important than length and
(like all major account systems) we see criminals attempt to victimize
our customers in various ways; however, while we agree that in general
longer is better, we’ve found the vast majority of attacks are through
phishing, malware infected machines and the reuse of passwords on
third-party sites – none of which are helped by very long passwords," a
Microsoft spokesman said.
"Sixteen characters has been the limit
for years now. We will always prioritize the protection needs of users’
accounts and we will continue to monitor the new ways hijackers and
spammers attempt to compromise accounts, and we design innovative
features based on this. At this time, we encourage customers to
frequently reset their Microsoft account passwords and use unique
passwords that are different from other services."
Courtesy By Dennis Fisher
No comments:
Post a Comment