Something struck me as a little funny yesterday when signing up for an Outlook.com account and my password was blocked for being too long. Outlook.com passwords are limited to 16 characters in length. Today, when I went to log into a Windows Live service, I got another message.
Microsoft account passwords can contain up to 16 characters. If you’ve been using a password that has more than 16 characters, enter the first 16.
It seems Microsoft has truncated passwords to 16 characters. My password was previously 20 characters and I was able to log in just fine up to last week. I cut the password down to 16 characters and was then able to log in. One Microsoft forum moderator claims otherwise in a thread from the middle of July:
Your password has not been shortened. Windows Live ID passwords have always been limited to 16 characters. What has changed is the login page now gives you immediate feedback to ensure you understand your password is not more than 16 characters.
To avoid this error message, do not enter more than 16 characters.
We are working on increasing the maximum password length. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market.
His answer seems to indicate that the change is more in the interface than with the data. I, however, wonder if the new password policy and emphasis on sign in pages is not a result of compatibility across devices and multiple services coming with Windows 8, Outlook.com, and other Microsoft products.
It seems that more account breaches have been happening as a result of entire database compromises lately than due to but even a longer password in a compromised database takes longer to crack and may prove not worth it for interested parties.
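To make the effect of a 16-character cap concrete, here is an added Python example (not code from the original post or from Microsoft) that contrasts a verifier which silently keeps only the first 16 characters with one that hashes the full password; the cap, salt, iteration count and passwords are all constructed for the demo.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed example: the 16-character cap the post describes, modelled as a
# single policy constant. Nothing here is Microsoft's code.
MAX_LEN = 16
ITERATIONS = 10_000  # deliberately low for a demo; use far more in production


def prepare(password: str, truncate: bool) -> str:
    """Legacy behaviour keeps only the first MAX_LEN characters; strict keeps all."""
    return password[:MAX_LEN] if truncate else password


def hash_password(password: str, salt: bytes, truncate: bool) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the (possibly truncated) password."""
    pw = prepare(password, truncate).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)


def verify(stored: bytes, salt: bytes, candidate: str, truncate: bool) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    return hmac.compare_digest(stored, hash_password(candidate, salt, truncate))


def effective_bits(length: int, alphabet: int, cap: Optional[int] = None) -> float:
    """Entropy of a uniformly random password; characters past the cap add nothing."""
    if cap is not None:
        length = min(length, cap)
    return length * math.log2(alphabet)


def truncation_demo(salt: bytes = b"constructed-salt") -> dict:
    """A 20-character password, its first 16 characters, and a password that
    differs only after the cap: under truncation all three verify as equal."""
    full = "Summer2012!Outlook20"      # 20 characters, constructed
    prefix = full[:MAX_LEN]            # what the login page now asks users to enter
    sibling = prefix + "ZZZZ"          # same first 16 characters, different tail
    legacy = hash_password(full, salt, truncate=True)
    strict = hash_password(full, salt, truncate=False)
    return {
        "legacy_accepts_prefix": verify(legacy, salt, prefix, True),
        "legacy_accepts_sibling": verify(legacy, salt, sibling, True),
        "strict_accepts_prefix": verify(strict, salt, prefix, False),
        "strict_accepts_full": verify(strict, salt, full, False),
        "bits_capped": effective_bits(len(full), 95, MAX_LEN),
        "bits_uncapped": effective_bits(len(full), 95),
    }


if __name__ == "__main__":
    for name, value in truncation_demo().items():
        print(f"{name}: {value}")
```

The entropy figures assume a 95-symbol printable-ASCII alphabet; whatever a user types beyond the cap is simply discarded before hashing, so it buys no extra cracking resistance if the hash database leaks.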
For now, it’s a matter of shortening my password to 16 characters in my KeePass database.