Microsoft’s Outlook.com team recently took to Reddit for an Ask Me Anything (AMA) session. One of the hotly debated topics was the reasoning behind the 16-character password limit Microsoft enforces. The Outlook.com team still believes that malware and phishing are the most common ways accounts are compromised. It also believes that the uniqueness, choice and arrangement of characters generally matter more than the length of the password.
“Please note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we’ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites – none of which are helped by very long passwords.”
Microsoft says it will increase the character limit in the future and that the Outlook.com team is currently working on this. It did say, however, that the change will take quite some time because of the difficulty of centralising the password validation logic across different products.
“Sixteen characters has been the limit for years now. We will always prioritize the protection needs of users’ accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services…We are working on increasing the password length. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it’s a bigger change than it should be and takes longer to get to market.”
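The quote above describes password validation logic scattered across products, which is what makes raising a length cap slow. The following is an added illustration, not Microsoft's code, of what a single centralised validator looks like: one function that every product calls, so the cap lives in exactly one place. The minimum of 8 and maximum of 64 characters, the legacy cap of 16, and the list of breached passwords are all constructed assumptions for the example.

```python
import unicodedata

# Constructed sample list for the example; a real deployment would consult a
# breached-password corpus rather than a hard-coded set.
KNOWN_BREACHED = {"password", "123456", "qwerty123", "letmein!", "outlook2013"}

# Assumed policy bounds: long enough for passphrases, bounded above so that
# hashing cost per login attempt stays predictable.
MIN_LENGTH = 8
MAX_LENGTH = 64
LEGACY_MAX = 16  # the historical cap discussed in the article


def validate_password(password, min_length=MIN_LENGTH, max_length=MAX_LENGTH,
                      breached=KNOWN_BREACHED):
    """Return a list of policy violations; an empty list means the password is accepted.

    Every product should call this one function so that changing a bound
    (for example, raising max_length) is a single edit rather than one per product.
    """
    # Normalise so visually identical Unicode input is measured the same way.
    pw = unicodedata.normalize("NFKC", password)
    n = len(pw)
    problems = []
    if n < min_length:
        problems.append(f"too short: {n} < {min_length}")
    if n > max_length:
        problems.append(f"too long: {n} > {max_length}")
    # Reuse of a known-leaked password is the "uniqueness" failure the article stresses.
    if pw.lower() in breached:
        problems.append("appears in breached-password list")
    return problems


def compare_policies(password):
    """Show how the same password fares under the legacy cap and the proposed bound."""
    return {
        "legacy_16": validate_password(password, max_length=LEGACY_MAX),
        "proposed_64": validate_password(password),
    }


if __name__ == "__main__":
    for candidate in ("short", "Password", "correct horse battery staple"):
        print(repr(candidate), compare_policies(candidate))
```

The `compare_policies` call makes the practical effect of the cap visible: a 28-character passphrase is rejected only because of the legacy bound, while a short or leaked password fails under either policy.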
Image courtesy of Microsoft