Fun with Passphrases!

Published: 2014-04-24
Last Updated: 2014-04-24 02:41:26 UTC
by Rob VandenBrink (Version: 1)
14 comment(s)

As systems administrators and security folks, we've all had our fill of users and customers picking simple passwords.  Most operating systems now enforce some level of password complexity by default, with options to tighten the requirements further.

The prevailing wisdom today is to use passphrases - demonstrated nicely by our bud at xkcd -

So I routinely use very long passphrases for public-facing accounts.  Imagine my surprise when I was creating a new account on a major cloud service (the one that starts with an "O" and ends with a "365") and found that I was limited to a 16 character password.

Needless to say, I have a case open to see if that limit can be removed.  I'm not asking for no limit at all (that's an invitation to a buffer overflow on the password field), but something bigger than 16 would really be appreciated!
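The arithmetic behind the complaint, as an added example that is not part of the diary or of the "haystacks" figures quoted in the comments below: it counts the search space of a password up to a given length over a given alphabet (the same 95-character printable-ASCII alphabet and the same guess rates the haystack output uses), converts it to time-to-exhaust, and compares the entropy of a 16-character random password with an xkcd-style passphrase. The word-list size (2048), the average word length and the sample passphrase are constructed assumptions for the demo, not values from the page.

```python
"""Added example (not from the diary or its comments): what a 16-character cap
costs in search space, and why an xkcd-style passphrase rarely fits inside it.
Alphabet, rates, word-list size and sample strings are assumptions for the demo."""
import math

# 26 lower + 26 upper + 10 digits + 33 symbols = 95 printable ASCII characters
PRINTABLE_ASCII = 95
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def search_space(alphabet_size: int, max_length: int) -> int:
    """Exact count of every string of length 1..max_length over the alphabet.
    Python big ints keep this exact; the closed form is (a^(L+1) - a) / (a - 1)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try the whole space at a fixed guess rate, in centuries."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of exactly `length` characters."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a list of `wordlist_size`.
    Four words from a 2048-word list (the xkcd estimate) is 4 * 11 = 44 bits."""
    return words * math.log2(wordlist_size)


def fits_limit(secret: str, max_chars: int = 16) -> bool:
    """True if the secret would be accepted by a service with a hard length cap."""
    return len(secret) <= max_chars


def max_words_within_limit(avg_word_len: int, separator: str = " ",
                           max_chars: int = 16) -> int:
    """How many words of avg_word_len, joined by separator, fit under the cap."""
    n = 0
    while (n + 1) * avg_word_len + n * len(separator) <= max_chars:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed inputs: the xkcd sample phrase and a 16-char random password.
    phrase = "correct horse battery staple"
    limit = 16

    space = search_space(PRINTABLE_ASCII, limit)
    print(f"search space, 95-char alphabet, up to {limit} chars: {space:.3e}")
    for label, rate in (("online, 1e3/s", 1e3), ("offline, 1e11/s", 1e11),
                        ("cracking array, 1e14/s", 1e14)):
        print(f"  {label:24s}: {centuries_to_exhaust(space, rate):.3e} centuries")

    print(f"random 16-char password: {random_password_bits(PRINTABLE_ASCII, 16):.1f} bits")
    print(f"4-word passphrase (2048-word list): {passphrase_bits(2048, 4):.1f} bits")
    print(f"'{phrase}' fits a {limit}-char cap: {fits_limit(phrase, limit)}")
    words = max_words_within_limit(6, " ", limit)
    print(f"6-letter words that fit under the cap: {words} "
          f"(= {passphrase_bits(2048, words):.1f} bits)")
```

The point the numbers make is the one in the diary: a 16-character random password is strong on its own (about 105 bits, and the haystack centuries match), but a passphrase of ordinary words has to be shortened to two words to fit under the cap, which throws away most of the entropy that made the passphrase approach attractive.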



Completely true if using a "standard" Office365 account. However, that limitation does not exist if you use an ADFS configuration. That may seem like splitting hairs, but it's an important distinction, especially when there are many small-to-medium-to-large orgs looking at shifting over to Office365.
I know of worse. In our country there's an ISP that still limits your password to 8 characters and only letters and numbers. And this account is used for all the services they provide.
I agree that 16 chars is too little. I hit that once in a while with 1Password-generated passwords. Other sites complain that the passwords are obviously machine generated and reject them.

Using the xkcd method, many passwords are hackable using oclhashcat. But brute-forcing all NTLM 8-character lower-case letters+numbers is trivial, taking minutes. But luckily Microsoft is such a small company with no significant market presence, so they do not need to use salt, or use a good algorithm.
Nice findings.

But that does not explain why it is still limited.

Ahhh, but you missed something. Microsoft makes up for their 16-character password length limitation in Office 365 by also not allowing any type of two-factor authentication, like client certificates. That makes your business email and documents even easier to lose, errr, "use".
I've been down this road with Microsoft already, but it's good to see I'm not the only one with an open case. When my org migrated to O365, we learned that the password length is restricted to a minimum of 8 chars & maximum of 16 - and there's no way to change that. So, while 16 chars is bad, the fact that we can't enforce a _minimum_ of 16 is even worse. Of course, it's no worse than Windows' password requirements, with a minimum password length of no more than 14 characters (in Win2012, at least). Stupid, at best. Dangerous, at worst.
Don't believe this is limited to their cloud service. I ran into the issue when trying to use the Outlook client against my Gmail account.
Yep, same issue with credit card companies' lack of complexity!

I visit a site that checks the "haystacks" and allows me to generate any length. Even with this one @ 16, QyM#rz[9'O<"IvO#, it returns this. On a 30 day rotational routine (yes, a PITA, but breaches are worse) it gives me some comfort. For those that wish to look up a decent article on Wired, "kill the P@55W0rD" is a real eye opener and it dates back to 12-12.

But security admins, even people with home systems, hear complaints all the time... I can't remember my PW, you create in DC too long and they lament. Feel like Gumby's arms.

With regard to cloud services.... heard of this? They will do it for you. Systems still running it.

Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 16 characters
Exact Search Space Size (Count) (count of all possible passwords with this alphabet size and up to this password's length): 44,480,886,725,444,
Search Space Size (as a power of 10): 4.45 x 10^31
Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario (assuming one thousand guesses per second): 14.14 million trillion centuries
Offline Fast Attack Scenario (assuming one hundred billion guesses per second): 1.41 hundred billion centuries
Massive Cracking Array Scenario (assuming one hundred trillion guesses per second): 1.41 hundred million centuries
Some information about this issue is here: (Including a statement from Microsoft at the bottom)

It doesn't appear that they have any immediate intention of committing to a change which would allow for longer passwords.
And my library public login limits the password length to a 4 digit PIN.....
(I've changed the library site to a secure note in LastPass to "manage" my security score)
