login.live.com security nonsense



16 characters = 128-bits of storage

What is more worrying here is the fact that if Microsoft can accept only part of your original password as the security authenticator, it means that Microsoft are not using one way hashing on your passwords.

That means that when someone gets hold of the database (again) they will have your password in plain text.

Nice to see that Microsoft has learned some simple security lessons after the last time they lost parts of the Hotmail password database...

Disgraceful. It is completely unacceptable in this day and age.


16 characters = 128-bits of storage

What is more worrying here is the fact that if Microsoft can accept only part of your original password as the security authenticator, it means that Microsoft are not using one way hashing on your passwords.

That means that when someone gets hold of the database (again) they will have your password in plain text.

Nice to see that Microsoft has learned some simple security lessons after the last time they lost parts of the Hotmail password database...

Disgraceful. It is completely unacceptable in this day and age.

They never lost the Hotmail database, you read it wrong :/

16 char limit is bad, broadcasting it to the public is worse. =(

I guess it's better than my school's which only uses the first 8 characters... -.-

16 characters = 128-bits of storage

What is more worrying here is the fact that if Microsoft can accept only part of your original password as the security authenticator, it means that Microsoft are not using one way hashing on your passwords.

That means that when someone gets hold of the database (again) they will have your password in plain text.

Nice to see that Microsoft has learned some simple security lessons after the last time they lost parts of the Hotmail password database...

Disgraceful. It is completely unacceptable in this day and age.

what?

1. POST really long password

2. substring 0,16

3. one way hash

4. ???

5. PROFIT!


what?

1. POST really long password

2. substring 0,16

3. one way hash

4. ???

5. PROFIT!

When you first created a password that was, say, 18 characters long, and for the simple example here we find the md5 hash of the password.

Your original password you entered was "q1w2e3r4t5y6u7i8o9". A hash would be stored as 97e42e9299856c82b96ed8124d987bc6.

When you come to login, your password isn't checked against the hash they've stored, but rather the hash of the password you've used to try and login with is checked against the one they have on record.

So if you were to try and login with q1w2e3r4t5y6u7i8o9, they'd create the md5 hash of 97e42e9299856c82b96ed8124d987bc6 and check their records to see if it matched 97e42e9299856c82b96ed8124d987bc6. It does and lets you in.

Now, when they limit your password to 16 characters, you can only enter q1w2e3r4t5y6u7i8. The hash for that is 0a727a149e06c772f47d5e02bff16a0c and does not match 97e42e9299856c82b96ed8124d987bc, what they had on record before (18 characters long).

Of course, we can reverse md5 as it's not a one way hash, but if we were to use a one way hash there wouldn't be any way for Microsoft or anyone else to check if the 16 character limit was the same as existing 18 character password hashes.


16 characters = 128-bits of storage

What is more worrying here is the fact that if Microsoft can accept only part of your original password as the security authenticator, it means that Microsoft are not using one way hashing on your passwords.

That means that when someone gets hold of the database (again) they will have your password in plain text.

Nice to see that Microsoft has learned some simple security lessons after the last time they lost parts of the Hotmail password database...

Disgraceful. It is completely unacceptable in this day and age.

Or they only ever hashed the first 16 chars.


Or they have two password databases: one that outsiders can't reach, that only communicates one way; it only receives plain text, but can send the hashes to the login services.

Or they used to store them in plain text in a secure fashion, and now they don't. And with that new security they also got a 16 character limit.

When you first created a password that was, say, 18 characters long, and for the simple example here we find the md5 hash of the password.

Your original password you entered was "q1w2e3r4t5y6u7i8o9". A hash would be stored as 97e42e9299856c82b96ed8124d987bc6.

When you come to login, your password isn't checked against the hash they've stored, but rather the hash of the password you've used to try and login with is checked against the one they have on record.

So if you were to try and login with q1w2e3r4t5y6u7i8o9, they'd create the md5 hash of 97e42e9299856c82b96ed8124d987bc6 and check their records to see if it matched 97e42e9299856c82b96ed8124d987bc6. It does and lets you in.

Now, when they limit your password to 16 characters, you can only enter q1w2e3r4t5y6u7i8. The hash for that is 0a727a149e06c772f47d5e02bff16a0c and does not match 97e42e9299856c82b96ed8124d987bc, what they had on record before (18 characters long).

Of course, we can reverse md5 as it's not a one way hash, but if we were to use a one way hash there wouldn't be any way for Microsoft or anyone else to check if the 16 character limit was the same as existing 18 character password hashes.

Uh.. yeah, that's why you substring it before hashing...
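The two designs argued over above (hash the whole password, or substring to 16 characters and then hash), written out as an added example that is not from this thread or from Microsoft. The KDF, salt handling and iteration count are my assumptions for a modern one-way scheme; the page's md5 example is only used for its 18-character sample password.

```python
"""Added example: why only a truncate-then-hash scheme can later accept
'just the first 16 characters' while still storing only one-way hashes."""
import hashlib
import hmac
import os

MAX_LEN = 16          # the limit discussed in the thread
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, not Microsoft's setting


def _kdf(password: str, salt: bytes) -> bytes:
    # One-way: PBKDF2-HMAC-SHA256 over the UTF-8 bytes of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll_full(password: str) -> dict:
    """Scheme A: hash the whole password at sign-up (no way to get the first 16 later)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def verify_full(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["hash"], _kdf(attempt, record["salt"]))


def enroll_truncated(password: str) -> dict:
    """Scheme B: keep only the first MAX_LEN characters, then hash (the 'substring 0,16' post)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password[:MAX_LEN], salt)}


def verify_truncated(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["hash"], _kdf(attempt[:MAX_LEN], record["salt"]))


def demo() -> dict:
    original = "q1w2e3r4t5y6u7i8o9"   # the thread's 18-character sample password
    first16 = original[:MAX_LEN]      # "q1w2e3r4t5y6u7i8"
    a = enroll_full(original)
    b = enroll_truncated(original)
    return {
        # Scheme A: only the full secret verifies; a truncated login is rejected.
        "full_accepts_full": verify_full(a, original),
        "full_accepts_first16": verify_full(a, first16),
        # Scheme B: the first 16 chars verify, and anything after them is ignored.
        "trunc_accepts_first16": verify_truncated(b, first16),
        "trunc_ignores_suffix": verify_truncated(b, first16 + "WRONG-SUFFIX"),
        # Truncation is per character, so 16 non-ASCII chars still exceed 16 bytes.
        "utf8_bytes_of_16_chars": len(("é" * MAX_LEN).encode("utf-8")),
    }
```

The "trunc_ignores_suffix" result is the behaviour the thread objects to: under scheme B, characters past the 16th never enter the hash, so they add nothing to the secret.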

Trust me on this one guys, the system is secure.

I cannot comment as to why this change happened (not my area), but I can state that the system is secure.

'Secure' is a relative term, it's secure in that the people that can/will/have hacked it won't be causing anyone that anyone here knows any problems, nothing is unbreakable.


Or they only ever hashed the first 16 chars.

Hmm, yes potentially you could be right, good point. If that were the case they wouldn't "need" to tell you to drop anything > 16 characters as they could filter it themselves.

I wonder what prompted this normalisation exercise?


I've had issues with "Live" rejecting passwords for being too long for a while; there doesn't seem to be any consistent parsing done (GfWL rejects passwords the Xbox and website accept, and my Xbox can login with an old password).

16 characters = 128-bits of storage

What is more worrying here is the fact that if Microsoft can accept only part of your original password as the security authenticator, it means that Microsoft are not using one way hashing on your passwords.

That means that when someone gets hold of the database (again) they will have your password in plain text.

Nice to see that Microsoft has learned some simple security lessons after the last time they lost parts of the Hotmail password database...

Disgraceful. It is completely unacceptable in this day and age.

Assuming isn't usually a good idea. You're assuming here; you don't know anything for sure. You could have suggested what might be the case, but instead you dangerously assumed and stated with unfounded certainty.

The big question though is have the passwords always been stored as 16 characters only? If they were, how can there possibly be a need to "enter only the first 16 characters" as surely you'd just limit it to 16 characters on sign-up? So at some point they've been longer, which means the passwords (at least at that point) were not one-way hashed, as they couldn't get the first 16 characters otherwise. In addition to this, we go back to why are they limiting the password length. The only reason I can think of is database storage (in plain text, a longer password takes up more space). If they are being hashed though they should come out the same length (at least the hashes I've had experience with do). So why impose an upper limit if they are being hashed?

So it is a pretty fair assumption to make that they have not been one-way hashing passwords IMO. I really hope I've misunderstood something as it would be pretty shocking for Microsoft to not be hashing passwords.

There should be no upper limits on password lengths anyway. I really don't get why a company with as much experience as Microsoft would impose one... it's a no-brainer really.


From Windows Team Blog (Eric Doerr)

"Password length - We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market. It's also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like "123456" not due to a lack of complexity."


When I heard 16 characters at first I thought they were using LM - XD!

Anyway, where did you work out 16 characters to be 128 bits of storage? They are world-wide so would probably be using UTF-{8,16,32}.

If it's UTF-8 that'd be up to 32 bits per character, 32*16=512 bits of storage. Even if it was 16 bits per character, 16*16=256 bits.
