This week a big piece of news broke: the Hotmail web mail service has apparently been silently cutting passwords down to 16 characters for years, while letting users type in as many characters as they liked. According to arstechnica.com this applies to all Microsoft online services, i.e. everything behind Passport authentication.

Now, the limit in itself is not a worry. A 16-character maximum, drawn from a reasonable mix of letters, digits and symbols, is plenty to put offline brute force out of reach, and rainbow tables are impractical at that length as well. What made people nervous is the how. A hard 16-character maximum is easy to explain if the policy was enforced at signup from day one; that case is harmless. The worst reading is that the service only appears to take longer passwords because it stores them in plain text and compares the first 16 characters, and plain-text passwords are a no-no that even a HelloWorld programmer should never commit. Ever! But there is a third option that the either/or leaves out: trim the input to 16 characters and only then salt and hash it. That is not plain-text storage. It is still a flaw, because the user is never told and every character past the sixteenth adds no security at all, and from the outside it looks exactly like the plain-text case, so the observed behaviour alone cannot tell the two apart.

Personally I have used Hotmail services since 1998 and, to be honest, I have never had any problems with it. So I can assume that passwords were trimmed to 16 characters and then protected by whatever protection Microsoft uses. Hence, the news is only of sensational value.
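To make the distinction concrete, here is an added example (my own illustration, not code from the original post and not Microsoft's implementation, which is not public). It models three hypothetical password stores: salted PBKDF2 over the full password, salted PBKDF2 over the input trimmed to an assumed 16-character limit, and the worst case of the trimmed password kept in plain text. A black-box probe then logs in with the first k characters kept and every later character changed; the smallest k that still succeeds is the truncation limit. The point it demonstrates is that the trim-then-hash store and the plain-text store answer the probe identically, so a silent limit is evidence of truncation but not of plain-text storage. The limit, the PBKDF2 parameters and the user names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed limit, chosen to match the figure reported for Hotmail; nothing here
# is taken from the real service.
ASSUMED_LIMIT = 16
PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly; raise in production


class HashedStore:
    """Salted PBKDF2 store. With truncate_to set, input is cut *before* hashing,
    reproducing the silent-truncation behaviour the post describes."""

    def __init__(self, truncate_to=None):
        self.truncate_to = truncate_to
        self._users = {}  # user -> (salt, digest)

    def _normalize(self, password):
        # Character-based truncation is an assumption; a real service might cut
        # on bytes instead, which matters for non-ASCII passwords.
        return password if self.truncate_to is None else password[: self.truncate_to]

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._digest(self._normalize(password), salt))

    def verify(self, user, password):
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._digest(self._normalize(password), salt))


class PlaintextStore:
    """The worst case from the post: the (possibly truncated) password kept as-is."""

    def __init__(self, truncate_to=None):
        self.truncate_to = truncate_to
        self._users = {}  # user -> password

    def _normalize(self, password):
        return password if self.truncate_to is None else password[: self.truncate_to]

    def register(self, user, password):
        self._users[user] = self._normalize(password)

    def verify(self, user, password):
        stored = self._users.get(user, "")
        return hmac.compare_digest(stored.encode("utf-8"),
                                   self._normalize(password).encode("utf-8"))


def _mutate(s):
    """Return a string of the same length that differs from s in every position."""
    return "".join("y" if c == "x" else "x" for c in s)


def find_truncation_limit(store, user, password):
    """Black-box probe: keep the first k characters, change every later one, and
    try to log in. The smallest k that still logs in is the truncation limit.
    None means the whole password is significant (or the password was not
    longer than the limit, in which case the probe cannot see it)."""
    for k in range(1, len(password)):
        if store.verify(user, password[:k] + _mutate(password[k:])):
            return k
    return None


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed 28-character sample
    for name, store in (("hashed, no limit", HashedStore()),
                        ("hashed, trimmed", HashedStore(ASSUMED_LIMIT)),
                        ("plain text, trimmed", PlaintextStore(ASSUMED_LIMIT))):
        store.register("alice", secret)
        print(f"{name:22s} limit seen from outside: "
              f"{find_truncation_limit(store, 'alice', secret)}")
```

Run it and the two trimmed stores both report 16 while the untrimmed store reports None; the hashed-and-trimmed store accepts `correct horse ba` and any string starting with it, exactly the symptom in the news. Two practical caveats: the probe needs a password longer than the suspected limit, and against a live service each attempt is a login, so rate limiting and lockout will interfere and you need permission to run it. The same class of problem exists in widely used software: bcrypt only looks at the first 72 bytes of its input, so an application that hands it long passphrases without a pre-hash is silently truncating too.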