On Thursday, Sophos identified a red flag regarding Outlook, Microsoft’s new Web-based email service. Apparently Outlook limits passwords to 16 digits, while Yahoo permits up to 32 and Gmail appears to allow up to 200.
“It’s a shame to see the new Outlook.com miss an opportunity to encourage the use of longer passwords. Anything which encourages users to choose hard-to-crack, hard-to-guess, unique passwords is good in my book,” wrote Sophos analyst Graham Cluley.
Of course, he also noted that longer passwords aren’t necessarily better from length alone—you still have to strengthen your password with a mix in symbols and letters.
Another question Cluley raised is whether or not Microsoft salts and hashes passwords to make them virtually impossible to crack. If you’re rolling your eyes, let’s not forget how, a couple months ago, it was revealed through the LinkedIn breach that the company had stored passwords with weak SHA-1 hashing and no salt.
“Most Passwords Are Stolen, Not Cracked”
But although longer passwords are helpful, another security expert noted that most password dumps occur because passwords are stolen rather than cracked by brute-force attacks.
Companies falling under this camp within the past 12 months include Dropbox, Yahoo, LinkedIn, and Sony. According to reports, the initial database breach occurred due to negligent employee behavior (like using an admin password for everything).
“Whether or not a password is 16 or 200 characters long isn’t the right focus since passwords are mainly stolen, not brute-forced,” said Nicolas Caproni, a cybersecurity expert in France (@
Rather than numbers, Caproni said online services should check for password strength with a mix of numbers, symbols, capital- and lower-case letters. They also need to encrypt users’ passwords on their servers otherwise “strength and length are useless.”
Caproni told me that in LinkedIn’s case, only 0.08 percent of exposed passwords had 16 characters and 0 percent had more. Earlier this month, meanwhile, Qualys researcher Francois Pesche plotted the 400,000 leaked Yahoo passwords on a heat map, and found some surprising patterns that might rattle your false belief that your 32-character password is really safe.
Yesterday, while reporting the Dropbox breach, my colleague Fahmida Rashid made a bold suggestion for how companies can prevent employees from reusing passwords.
Copyright © 2010 Ziff Davis Publishing Holdings Inc