Oops: Microsoft policy silently limited Hotmail passwords to 16 characters
For years, Microsoft has quietly limited Hotmail passwords to 16 characters, a revelation that has surprised users who had been typing passwords longer than 16 characters to access their accounts.
Costin Raiu, director of the global research and analysis team at antivirus firm Kaspersky Lab, reported that he received a new error message when he entered the same 30-character password he had long used on the Microsoft site.
“My previous password has been around 30 chars in size and now it doesn’t work anymore. However, I could login by typing just the first 16 chars,” he added. The telling detail is that the first 16 characters alone were enough to log in, which means the site had been silently truncating the password all along: the remaining 14 characters never contributed anything to the account’s security.
This limit is not shared by other mail providers such as Gmail, which reportedly permits passwords of up to 200 characters, or Yahoo Mail, which allows 32-character passwords.
Earlier this year, about 6.5 million LinkedIn account password hashes were published by hackers. The hashes were plain, unsalted SHA1 digests of the users’ passwords, exactly as stored in LinkedIn’s backend infrastructure.
It did not take long for hackers to start cracking them; over half were recovered almost immediately. Because the hashes were unsalted, each candidate password needed to be hashed only once and compared against all 6.5 million digests at the same time.
There are two reasons the cracking went so fast:
* the use of the SHA1 function itself
* fast GPUs
SHA1 is a general-purpose cryptographic hash, a successor to the older and weaker MD5. Like MD5 it was designed to be fast, and it is: on an AMD/ATI 7970 graphics card, “hashcat” (see https://hashcat.net/oclhashcat-plus/) computes a bit over two billion SHA1 hashes per second. Speed is a virtue for a general-purpose hash and a liability for password storage, because it lets an attacker test an enormous number of guesses in a very short time.
To address this, slower, purpose-built password hashing functions exist, such as the sha512crypt function used by Ubuntu and recent versions of Fedora Linux. It iterates SHA-512 thousands of times (5,000 rounds by default) and mixes in a per-user salt, so each hash must be attacked separately. Instead of two billion hashes per second, the same GPU manages only a bit over 12,000 sha512crypt computations per second. In practice, checking one billion sha512crypt candidates takes about 24 hours, versus less than a second for plain SHA1.
Because of today’s fast GPUs, one good piece of advice is to choose a complex password that:
* includes both uppercase and lowercase characters
* includes at least one space character
* includes numbers
* includes several symbols such as !@#
* is not based on a dictionary word
* is at least 12 characters long, and the longer the better
Many people already use passwords between 20 and 50 characters long. This is good practice: if the password hash is ever leaked, a password of that length is far beyond what a brute-force or wordlist attack can reach, even with fast GPUs. It is also exactly why a silent 16-character cap matters: every character past the limit is discarded, so a user who carefully picked a 30-character password gets the security of a 16-character one without ever being told.
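As an added illustration (not code from the original article, Kaspersky or LinkedIn), the following Python script puts the two preceding points side by side: a wordlist attack on unsalted SHA1 digests of the kind that leaked from LinkedIn, a comparison of the guess rate for plain SHA1 against a salted, iterated hash, and a keyspace calculation that shows how password length changes the picture. The wordlist and the “leaked” hashes are constructed here; PBKDF2-HMAC-SHA512 stands in for sha512crypt because sha512crypt is not in the standard library (an assumption, though the 5,000-round default matches sha512crypt); the 2 billion/s and 12,000/s figures are the ones quoted above for a 7970.

```python
import hashlib
import os
import time

# Constructed sample data (not the LinkedIn dump): a small wordlist and three
# "leaked" unsalted SHA1 digests, two of which belong to wordlist entries and
# one to a 24-character passphrase that no wordlist will contain.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "Summer2012!"]
LEAKED = {
    hashlib.sha1(b"password").hexdigest(),
    hashlib.sha1(b"linkedin").hexdigest(),
    hashlib.sha1(b"T7p$ wq9!Lm zx3Qv*hR0 nK").hexdigest(),
}


def sha1_hex(pw: str) -> str:
    """Unsalted SHA1 of a password, the way the leaked LinkedIn hashes were stored."""
    return hashlib.sha1(pw.encode()).hexdigest()


def crack_unsalted_sha1(leaked: set, wordlist) -> dict:
    """Return {hash: password} for every leaked hash that matches a candidate.

    With unsalted hashes, one SHA1 per candidate is compared against every
    leaked digest at once, so attacking millions of hashes costs the same as
    attacking one.
    """
    found = {}
    for cand in wordlist:
        h = sha1_hex(cand)
        if h in leaked:
            found[h] = cand
    return found


def slow_hash(pw: str, salt: bytes, rounds: int = 5000) -> bytes:
    """Salted, iterated hash. PBKDF2-HMAC-SHA512 is an assumed stand-in for
    sha512crypt; 5000 rounds is sha512crypt's default round count."""
    return hashlib.pbkdf2_hmac("sha512", pw.encode(), salt, rounds)


def measure_rate(fn, seconds: float = 0.1) -> float:
    """Call fn() repeatedly for roughly `seconds`; return calls per second."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        count += 1
    return count / (time.perf_counter() - start)


def compare_rates(seconds: float = 0.1) -> tuple:
    """(guesses/s for unsalted SHA1, guesses/s for the salted iterated hash) on this CPU."""
    salt = os.urandom(16)
    fast = measure_rate(lambda: sha1_hex("password"), seconds)
    slow = measure_rate(lambda: slow_hash("password", salt), seconds)
    return fast, slow


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of exactly `length` characters
    drawn from an alphabet of `charset_size` symbols at `rate` guesses per second."""
    return charset_size ** length / rate


if __name__ == "__main__":
    found = crack_unsalted_sha1(LEAKED, WORDLIST)
    print(f"cracked {len(found)} of {len(LEAKED)} hashes: {sorted(found.values())}")
    fast, slow = compare_rates()
    print(f"SHA1 {fast:,.0f}/s vs salted+iterated {slow:,.0f}/s (ratio {fast / slow:,.0f}x)")
    GPU_SHA1, GPU_SHA512CRYPT = 2_000_000_000, 12_000   # per-second figures quoted above
    for length in (8, 12, 16, 20):
        print(f"95-symbol alphabet, length {length}: "
              f"SHA1 {seconds_to_exhaust(95, length, GPU_SHA1) / 86400:.3g} days, "
              f"sha512crypt {seconds_to_exhaust(95, length, GPU_SHA512CRYPT) / 86400:.3g} days")
```

The wordlist pass recovers the two dictionary passwords and nothing else, regardless of how many more digests were in the set; the rate comparison shows the iterated, salted hash running orders of magnitude slower than SHA1 even in pure Python; and the keyspace table is the reason the advice above asks for at least 12 characters, and why truncating to 16 throws away exactly the margin a long password was supposed to buy.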
Via [Costin Raiu]