For years, Microsoft engineers have quietly limited Hotmail passwords to 16 characters, a revelation that has surprised and concerned some users who have long entered passcodes twice that long to access accounts.

One such user is Costin Raiu, the director of the global research and analysis team at antivirus provider Kaspersky Lab. On Friday he reported receiving a new error message when he entered the same 30-character passcode he long used on the Microsoft site. When he typed in the first 16 characters, as the error message directed him to do, he was able to access his account just fine. The change concerned Raiu, because it meant that for years his Hotmail account hadn't been as secure as he was led to believe.

"To pull off this trick with older passwords, Microsoft has two choices," he wrote. Choice one: "Store full plaintext passwords in their [database]; compare the first 16 [characters] only." Choice two: "Calculate the hash only on the first 16; ignore the rest."

Storing millions of passwords as plaintext is among the biggest sins website administrators can commit. But Raiu wasn't pleased with the competing possibility, that "since its inception, Hotmail was silently using only the first 16 chars of the password." That would mean his passcode wasn't nearly as resistant to brute-force attacks as he had thought. "To be honest, I'm not sure which one is worse," he wrote.

The limitation is in stark contrast to the limits on services such as Gmail, which reportedly permits passwords as long as 200 characters, or even Yahoo Mail, which allows 32-character passwords.

Longer is better, but uniqueness is best

A Microsoft representative told Ars that "Sixteen characters has been the limit for years now" and downplayed concerns that the policy unnecessarily opens users to account breaches.

"Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways," she wrote in an e-mail. "However, while we agree that in general longer is better, we've found the vast majority of attacks are through phishing, malware infected machines, and the reuse of passwords on third-party sites—none of which are helped by very long passwords."

The spokeswoman declined to say why Microsoft passwords are required to be so much shorter than passphrases allowed by competing services. In a blog post from July, however, Eric Doerr, a Microsoft group program manager for Microsoft accounts, suggested the limitation is the result of engineering decisions intended to make passwords compatible across multiple product lines.

"Password length—we are working on increasing this," he wrote in a comment accompanying the blog post. "Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market."

The spokeswoman's response appears to indicate Microsoft engineers don't store passwords in plaintext, although she didn't address that issue despite Ars specifically asking about it. Truncating a password to 16 characters before hashing it (Raiu's second choice) doesn't require keeping the plaintext, and it is the explanation consistent with the error message he saw. Assuming the passcodes are stored as salted, one-way cryptographic hashes generated using the PBKDF2 key derivation function, SHA512crypt, or another algorithm designed to securely hash passwords, Microsoft is mostly right in downplaying the consequences of the 16-character limitation. That's because despite the growing sophistication of password cracking, brute-force attackers hit an "exponential wall" when trying to cycle through every possible password longer than about eight characters.

Even when attackers use super-charged computing resources from Amazon's cloud-based services, a unique, randomly generated password of more than eight characters takes on average more than 10 days to guess. Each additional character multiplies the search space by the size of the character set (95 for printable ASCII), so each one adds roughly two orders of magnitude to the time an exhaustive search takes; a random 16-character password drawn from that set is already far beyond exhaustive search.

False sense of security

The biggest problem with the limitation is that Microsoft has silently enforced the policy. That means users like Raiu believed as many as 30 characters were required to access an account when in fact significantly fewer were needed. Depending on the password, this secret policy might have made accounts less secure than their owners calculated. Imagine, for instance, if a user picked "secretpasswordtomaleedisonomega" as the passcode to log in to Hotmail. The chances of it falling prey to a cracking attack are significantly more remote than those of "secretpasswordto," the 16-character prefix that was actually being checked. By concealing the 16-character maximum for all these years, Microsoft may have given users a false sense of security.
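To make Raiu's "choice two" concrete, and to show why the silent truncation above matters, here is an added example (not Microsoft's code; how Hotmail actually hashed passwords is not public). One verifier hashes only the first 16 characters with PBKDF2, so the full password and its 16-character prefix both pass; the other hashes the whole password and refuses over-long input with a visible error instead of quietly ignoring the tail. The salt, iteration count and the 256-character ceiling are assumptions for the example, and the sample passwords are constructed.

```python
import hashlib
import hmac
import math
import os

# Constructed example values; not Microsoft's parameters.
LEGACY_MAX = 16        # the limit the article reports
ITERATIONS = 200_000   # assumed PBKDF2 work factor


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the same KDF is used by both verifiers."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll_truncating(password: str, salt: bytes) -> bytes:
    """Raiu's 'choice two': hash only the first 16 characters, ignore the rest.
    No plaintext needs to be stored, but characters 17+ never reach the KDF."""
    return _pbkdf2(password[:LEGACY_MAX], salt)


def verify_truncating(stored: bytes, salt: bytes, candidate: str) -> bool:
    """Truncate the candidate the same way, so any string sharing the first
    16 characters of the enrolled password is accepted."""
    return hmac.compare_digest(stored, _pbkdf2(candidate[:LEGACY_MAX], salt))


def enroll_full(password: str, salt: bytes, max_len: int = 256) -> bytes:
    """Hash the whole password. A length ceiling is still sensible (it bounds
    KDF work per attempt), but it is enforced openly, never by truncation."""
    if len(password) > max_len:
        raise ValueError(f"password longer than {max_len} characters")
    return _pbkdf2(password, salt)


def verify_full(stored: bytes, salt: bytes, candidate: str) -> bool:
    """Constant-time compare against the hash of the full candidate."""
    return hmac.compare_digest(stored, _pbkdf2(candidate, salt))


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of this length over this alphabet:
    each extra character adds log2(alphabet_size) bits (~6.6 for 95 chars)."""
    return length * math.log2(alphabet_size)


def effective_length(password: str, limit: int = LEGACY_MAX) -> int:
    """How many characters a truncating verifier actually checks."""
    return min(len(password), limit)


if __name__ == "__main__":
    salt = os.urandom(16)
    intended = "secretpasswordtomaleedisonomega"   # 31 characters, constructed
    prefix = intended[:LEGACY_MAX]                 # "secretpasswordto"

    legacy = enroll_truncating(intended, salt)
    print("truncating verifier accepts prefix:", verify_truncating(legacy, salt, prefix))

    full = enroll_full(intended, salt)
    print("full verifier accepts prefix:      ", verify_full(full, salt, prefix))

    print("characters actually checked:", effective_length(intended))
    print("keyspace bits, 16 vs 31 lowercase chars: %.1f vs %.1f"
          % (keyspace_bits(16, 26), keyspace_bits(31, 26)))
```

The point of `effective_length` and `keyspace_bits` is the one the paragraph makes: a user who picked the 31-character string was really protected by a 16-character one, and the difference in search space is tens of bits, not a rounding error. The explicit `ValueError` in `enroll_full` is the behaviour a user should have seen in place of silent acceptance.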

In his July post, Microsoft's Doerr said the company is in the process of moving beyond the use of mere passwords to grant users entry to their sensitive account data. Both the Xbox.com domain and its SkyDrive file hosting service, for example, require two-factor authentication to carry out many activities.

"We are learning a lot from this and have more in the works," he wrote. "We see two-factor auth as being an increasingly important piece of our protection suite."