Saturday, January 28, 2012 password idiocy

Back Story

I use Keepass to maintain all my passwords. Then, I have this password database stored in a USB key I carry with me.  I only have to remember one highly-entropic password (doesn’t mean it’s hard to remember, it just has to be hard to guess). So, I try to make my other passwords as complicated as possible.

Changing My Password on

Anyway, I went to change my password on live,com like I prefer to do on a semi-regular basis.  I got to their page and entered a new password.  I tried one that was 256 characters long, but I noticed that, with no warning at all, it truncated my password at 16 characters.
So, they have a minimum of 6 characters (which is on the page) and an apparent maximum of 16 characters.  So, I changed the options to generate a 16-character password with all sorts of variability in the characters used and I try again: (This time it was: “{jƒ/ýQîÔ·z4Ú«<[“)
Now, I get this lovely message:

What’s Missing?

Apparently, the powers that be at Microsoft ( aren’t going to bother telling me what characters are and are not allowed!  So, what?  I just sit here and guess for hours?
I was reminded of this great xkcd comic. This is not security!  It’s obscurity.  Making a person choose a password within 6-16 characters with a fixed subset of characters allowed just trims down the dataset that a computer needs to search while trying to crack the password. At the same time, requiring special characters (but not that special!) to be there in order to make it strong just makes it harder for humans to guess with the wonderful side effect of also making them nearly impossible to remember!
Well, I’m going to go keep trying passwords over and over again until I find one it will allow…ugh

1 comment:

  1. I use Microsoft Account to password protect my Windows 8 laptop, plus the other major thing it protects is my Azure account - two very important services for me. Yet, you can't have a password longer than 16 characters? It's crazy.